
Analysis Report HousecallLauncher64-new.exe

Overview

General Information

Sample Name: HousecallLauncher64-new.exe
Analysis ID: 250437
MD5: 135e977e0355a958da5e63111a659233
SHA1: 42b50b8391172cab171a26ecf798015a2a9d8a3c
SHA256: fc02c4ed513e50d1d46cec284fbd76c7b8ee1313036ad91e9cee7d15a7d85a80

Detection

HawkEye, Nanocore, Remcos, Tinynuke / Nukebot, Ako, AveMaria, Clop Ransomware, Coinhive, CryLock, DualShot, Gandcrab, GhostRat, Gocoder, Hermes, Jigsaw, LilithRAT, Meterpreter, Nemty, Netwalker, Njrat, PXJ Ransomware, PayDay, Poisonivy, Ryuk, Tron, ComRAT, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected HawkEye Rat
Detected Nanocore Rat
Detected Remcos RAT
Detected Tinynuke / Nukebot malware
Found ransom note / readme
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Yara detected Ako ransomware
Yara detected AntiVM_3
Yara detected AveMaria stealer
Yara detected Clop Ransomware
Yara detected Coinhive miner
Yara detected CryLock ransomware
Yara detected DualShot Ransomware
Yara detected Gandcrab
Yara detected Generic Dropper
Yara detected GhostRat
Yara detected Gocoder ransomware
Yara detected Hermes Ransomware
Yara detected Jigsaw
Yara detected LilithRAT
Yara detected Meterpreter
Yara detected Nemty Ransomware
Yara detected Netwalker ransomware
Yara detected Njrat
Yara detected PXJ Ransomware
Yara detected PayDay ransomware
Yara detected Poisonivy
Yara detected Ransomware_Generic
Yara detected Ryuk ransomware
Yara detected TinyNuke
Yara detected Tron Ransomware
Yara detected Turla ComRAT XORKey
Yara detected Xmrig cryptocurrency miner
Contains functionality to hide user accounts
Deletes shadow drive data (may be related to ransomware)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
May drop file containing decryption instructions (likely related to ransomware)
May modify the system service descriptor table (often done to hook functions)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes many files with high entropy
Yara detected Keylogger Generic
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates driver files
Detected potential crypto function
Drops PE files
Drops certificate files (DER)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • HousecallLauncher64-new.exe (PID: 5404 cmdline: 'C:\Users\user\Desktop\HousecallLauncher64-new.exe' MD5: 135E977E0355A958DA5E63111A659233)
    • Setup.exe (PID: 5476 cmdline: .\setup.exe MD5: CDAF9D30395E44F4982BCCB30522AA87)
      • hcpackage64.exe.tmp (PID: 5560 cmdline: exe.exe -y MD5: 0EF33F745D44191DB9B70E60CE367E48)
        • conhost.exe (PID: 5724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • patch64.exe (PID: 6124 cmdline: 'C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\patch64.exe' 'C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\AU_Data\AU_Temp\5476_5508' MD5: 417839E1069117C38EC2FC6B4840D685)
        • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • housecall.bin (PID: 4060 cmdline: 'housecall.bin' A9D6B0EA B9792B8D MD5: 777F462771CE664DF2BAB08A038BB762)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\HouseCall\smv64.dll | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
C:\Users\user\AppData\Local\Temp\HouseCall\pattern\icrc$oth.119 | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth
  • 0x3d7d92: $xo1: \xB2\xFF\x90\xFF\x85\xFF\x96\xFF\x93\xFF\x93\xFF\x9E\xFF\xD0\xFF\xCA\xFF\xD1\xFF\xCF\xFF
  • 0x3e2f4a: $xo1: \xB2\xFF\x90\xFF\x85\xFF\x96\xFF\x93\xFF\x93\xFF\x9E\xFF\xD0\xFF\xCA\xFF\xD1\xFF\xCF\xFF
  • 0x3e3089: $xo1: \xB2\xFF\x90\xFF\x85\xFF\x96\xFF\x93\xFF\x93\xFF\x9E\xFF\xD0\xFF\xCA\xFF\xD1\xFF\xCF\xFF
  • 0x5a4098: $xo1: \xB2\x90\x85\x96\x93\x93\x9E\xD0\xCA\xD1\xCF
  • 0x688eae: $xo1: \xB2\x90\x85\x96\x93\x93\x9E\xD0\xCA\xD1\xCF
  • 0x691732: $xo1: \xB2\x90\x85\x96\x93\x93\x9E\xD0\xCA\xD1\xCF
  • 0x769771: $xo1: \xB2\x90\x85\x96\x93\x93\x9E\xD0\xCA\xD1\xCF
C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\AU_Data\AU_Temp\5476_5508\3\1208090624\icrc$oth.119 | SUSP_XORed_Mozilla | Detects suspicious XORed keyword - Mozilla/5.0 | Florian Roth (the seven string hits, offsets and bytes, are identical to those of the previous file)

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | PowerShdll | Detects hack tool PowerShdll | Florian Roth
  • 0x308f4: $x2: \PowerShdll.dll
  • 0x30a4c: $x2: \PowerShdll.dll
00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | JoeSecurity_Ransomware_Generic | Yara detected Ransomware_Generic | Joe Security
00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | JoeSecurity_Xmrig | Yara detected Xmrig cryptocurrency miner | Joe Security
00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | JoeSecurity_Meterpreter | Yara detected Meterpreter | Joe Security
00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | Ham_backdoor | unknown | Cylance Spear Team
  • 0x3059d: $a: 8D 14 3E 8B 7D FC 8A 0C 11 32 0C 38 40 8B 7D 10 88 0A 8B 4D 08 3B C3
Only the first five entries are shown here; the full table has 159 entries.

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.housecall.bin.180000000.2.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://infecteds.zapto.org/ | Avira URL Cloud: Label: phishing
Multi AV Scanner detection for domain / URL
Source: http://www.niudoudou.com/web/download/G | Virustotal: Detection: 13%
Yara detected AveMaria stealer
Source: Yara match | File source: 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Setup.exe PID: 5476, type: MEMORY
Yara detected Njrat
Source: Yara match | File source: Process Memory Space: Setup.exe PID: 5476, type: MEMORY
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- MIGE

Bitcoin Miner:

Yara detected Coinhive miner
Source: Yara match | File source: 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1131048085.000001D024DD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Setup.exe PID: 5476, type: MEMORY
Yara detected Xmrig cryptocurrency miner
Source: Yara match | File source: 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1139530741.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1138052051.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1132608438.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1136341803.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1123533263.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1140898945.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1141823476.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1134506035.000001D025186000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1131048085.000001D024DD7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1135239145.000001D024EA7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Setup.exe PID: 5476, type: MEMORY
Found strings related to Crypto-Mining
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: /-a cryptonight -o stratum+tcp://%s -u %s -p %s -
Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: /pool.minexmr.com:5555)> %TEMP%\pools.txt
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: monerohash.com:3333
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: /-a cryptonight -o stratum+tcp://%s -u %s -p %s -
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: URL of mining serverE
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: /-a cryptonight -o stratum+tcp://%s -u %s -p %s -
Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: xmr-stak-cpuE
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: &/NSCPUCNMINER64.EXEb
Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: MINE.MONEROPOOL.COM
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: MONERO.CRYPTO-POOL.FR
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: / src="https://coinhive.com/lib/coinhive.min.js">G
Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: XMR.PROHASH.NET
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: &/NSCPUCNMINER64.EXEb
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: pool.minexmr.com:443
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: Usage: xmrig [OPTIONS]
Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | Binary or memory strings:
  • %sautorun.infD
  • Autorun.inf,cmE
  • autorun.infF
  • [autorun]F
  • [autorun]
  • autorun.inf
  • autorun.infG
  • [AutoRun]G
  • AUTORUN.INFG
  • \AUTORUN.INFE
  • [autorun]E
  • %c:\autorun.inf
  • autorun.infL
  • \autorun.infE
  • autorun.infE2OPEN
  • AutoRun.infE
  • AUTORUN.INFE
  • [AutoRun]E"cmdF
  • [AutoRun]E
  • %c:\AUTORUN.INFE
  • [AutoRun]
  • [AutoRun]autorun.inf
  • [AutoRun]autorun.inf
  • [AUTORUN]E
  • c:\autorun.infE
  • \aUtORUN.inf
  • \aUtORUN.infG
  • /%c:\autorun.inf
  • /%c:\autorun.inf%c:\RECYCLER%c:\RECYCLER\autE
  • \autorun.inf
  • AUTORUN.INF
  • Autorun.infG
  • [AUTORUN]G
  • [Autorun]E
  • Autorun.inf
  • \AUTORUN.INF
  • :\autorun.inf
  • :\autorun.infEbAutoRunEbshell\1E
  • /:\autorun.inf
  • /:\autorun.infopenAutoRun
  • [AUTORUN]
  • [AUTORUN]ECOPEN=ECICON=EcACTION=E
  • [autorun]D
  • AUTORUN.INF\taskmgr.exeE
  • /.exeautorun.infw[autorun]
  • /.exeautorun.infw[autorun]
  • Autorun.infg
  • autorun.infE
  • /[autorun]
  • AutoRun.infG
  • %c:\autorun.infG
  • [autorun]G
  • &\All Users\Application Data\autorun.infg
  • [AUTORUN]D
  • ATTRIB +H +S %%A:\AUTORUN.INF
  • :\autorun.infE
  • :\RECYCLER\:\autorun.infE
  • [AutoRun]F
  • .[AutoRun]
  • %s\AUTORUN.INFF
  • c:\autorun.infG
  • [autorun]
  • [AutoRun]
  • autorun.infD
Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | Binary or memory strings:
  • :\autorun.infD
  • AutoRun.infD
  • AUTORUN.INFF
  • [AUTORUN]F
  • :\AUTORUN.INF
  • :\autorun.infG
  • %sautorun.inf
Source: Setup.exe, 00000002.00000003.1131048085.000001D024DD7000.00000004.00000001.sdmp | Binary or memory string: /d C:\%s.exe%d.%d.%d.%d%sautorun.infrecycle.
Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | Binary or memory string: :\AUTORUN.INFD
Source: C:\Users\user\Desktop\HousecallLauncher64-new.exe | Code function: 0_2_00007FF6F0C5DDCC FindFirstFileA,FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | Code function: 3_2_0040729B __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA
Source: C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\patch64.exe | Code function: 10_2_0000000140020100 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\patch64.exe | Code function: 10_2_000000014002F980 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\patch64.exe | Code function: 10_2_000000014003ED90 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\Temp\HouseCall\housecall.bin | Code function: 12_2_744A0130 FindFirstFileA,GetDriveTypeA,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FindClose,GetLastError,FindClose
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | File opened: C:\Users\user\AppData\Local\Temp\HouseCall\HouseCallX_x64\patterns\
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | File opened: C:\Users\user\AppData\Local\Temp\HouseCall\pattern\HCPolicy.ptn
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | File opened: C:\Users\user\AppData\Local\Temp\HouseCall\pattern\HCFrs.ptn
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | File opened: C:\Users\user\AppData\Local\Temp\HouseCall\HouseCallX_x64\patterns\tml00001.ptn
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | File opened: C:\Users\user\AppData\Local\Temp\HouseCall\pattern\crcz.ptn
Source: C:\Users\user\AppData\Local\Temp\HCBackup\hcpackage64.exe.tmp | File opened: C:\Users\user\AppData\Local\Temp\HouseCall\pattern\ar.ptn
Source: C:\Users\user\AppData\Local\Temp\7zSC150BAF0\AU\patch64.exe | Code functions (4x nop then ...):
  • 10_2_0000000140042440: 4x nop then or byte ptr [rax-01h], 00000008h
  • 10_2_00000001400497A0: 4x nop then lea rbx, qword ptr [rsp+70h]
  • 10_2_0000000140048890: 4x nop then mov ecx, dword ptr [rdi]
  • 10_2_000000014002ABB0: 4x nop then xor eax, eax
  • 10_2_0000000140038070: 4x nop then movsxd rax, rcx
  • 10_2_00000001400650B8: 4x nop then add rax, 01h
  • 10_2_00000001400070E0: 4x nop then mov rcx, qword ptr [rbp+08h]
  • 10_2_000000014005D0EB: 4x nop then add rax, 01h
  • 10_2_00000001400650F7: 4x nop then add rax, 01h
  • 10_2_0000000140063190: 4x nop then add rax, 01h
  • 10_2_0000000140044298: 4x nop then mov eax, r14d
  • 10_2_00000001400612D0: 4x nop then add rax, 01h
  • 10_2_0000000140006320: 4x nop then mov rax, qword ptr [r8-38h]
  • 10_2_000000014000A370: 4x nop then lea rdx, qword ptr [rsp+00000208h]
  • 10_2_0000000140043390: 4x nop then add r15d, 01h
  • 10_2_0000000140006410: 4x nop then cmp qword ptr [rbx+20h], 10h
  • 10_2_000000014004F4A3: 4x nop then movzx eax, byte ptr [r8+01h]
  • 10_2_00000001400364E0: 4x nop then movzx r8d, byte ptr [rcx]
  • 10_2_0000000140016540: 4x nop then movzx edx, byte ptr [rbx]
  • 10_2_00000001400455B8: 4x nop then mov al, bpl
  • 10_2_000000014006B610: 4x nop then mov rax, rdi
  • 10_2_000000014006764E: 4x nop then movzx ecx, byte ptr [rsi]
  • 10_2_00000001400277F0: 4x nop then mov rcx, qword ptr [rax]
  • 10_2_0000000140058820: 4x nop then add rcx, 01h
  • 10_2_000000014003B990: 4x nop then add rsi, 01h
  • 10_2_000000014005DA60: 4x nop then add rax, 01h
  • 10_2_000000014005DA60: 4x nop then add rax, 01h
  • 10_2_000000014006DA80: 4x nop then movzx ecx, byte ptr [r10]
  • 10_2_000000014000BAB0: 4x nop then test rbx, rbx
  • 10_2_000000014002EAC0: 4x nop then movzx ecx, byte ptr [rdx]
  • 10_2_000000014000BBF0: 4x nop then movzx eax, byte ptr [rdx]
  • 10_2_000000014005CBFA: 4x nop then add rax, 01h
  • 10_2_000000014005CC32: 4x nop then add rax, 01h
  • 10_2_000000014005CD09: 4x nop then add rax, 01h
  • 10_2_000000014005BD30: 4x nop then add rax, 01h
  • 10_2_000000014005EE80: 4x nop then add rax, 01h
Source: C:\Users\user\AppData\Local\Temp\HouseCall\housecall.bin | Code functions (4x nop then ...):
  • 12_2_7442A5F0: 4x nop then mov r8, qword ptr [rbx+000003C8h]
  • 12_2_7442A745: 4x nop then mov r8, qword ptr [rbx+000003C8h]
  • 12_2_744217A0: 4x nop then mov ecx, dword ptr [rbx+58h]
  • 12_2_74447270: 4x nop then prefetchNTA byte ptr [rdi+rdx-0Fh]
  • 12_2_74447270: 4x nop then movzx eax, word ptr [rcx-04h]
  • 12_2_74447270: 4x nop then mov edx, dword ptr [r9]
  • 12_2_74432274: 4x nop then movzx eax, byte ptr [rbx]
  • 12_2_7442B290: 4x nop then movsxd r8, rdx
  • 12_2_7442B290: 4x nop then prefetchNTA byte ptr [rdx+0Eh]
  • 12_2_7442F873: 4x nop then movzx eax, byte ptr [r8]
  • 12_2_7442A80C: 4x nop then mov r8, qword ptr [rbx+000003C8h]
  • 12_2_7442EAC0: 4x nop then test ebx, ebx
  • 12_2_7442BB50: 4x nop then movzx r8d, byte ptr [r9]

            Networking:

            Yara detected Meterpreter
            Source: Yara match | File source: 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1139530741.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1138052051.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1132608438.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1136341803.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1123533263.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1140898945.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1141823476.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000003.1134506035.000001D025186000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: Setup.exe PID: 5476, type: MEMORY
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: //www.yahoo.comyD equals www.yahoo.com (Yahoo)
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: WWW.FACEBOOK.COM equals www.facebook.com (Facebook)
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: www.linkedin.comDbMD*.tmpDrDWS*.tmpDbPM*.tmpD2;**;D2:FZ:Dr__WSAFDI equals www.linkedin.com (Linkedin)
            Source: unknown | DNS traffic detected: queries for: go.trendmicro.com
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://%S/%S.EXEE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://%S/.SYSTb
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://112345678901234567899.COM/XXMS
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://12345678901234567899.COM/XXMS
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://183.57.37.181/333/E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://192.168.1.71
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://193.104.27.98/2KRN.BIN
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://200.73.174.180/DOWNLOADER_ACTIVEX.ASP
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://213.21.215.186
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://6E2B4.SWHMZQ.COM/622/EsC:
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://85.12.43.75/GO/?CMPE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://91DD.INFO:1188/F
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://A.ZZ7.IN/COUNT.ASPE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://AA.9234.NET/PROCESSID.TXTE
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: HTTP://AA.INTO4.INFO/022
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://AAAWEBSEARCH.COM/?GV=6661656585
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://ALIGEO.CO.ZA/ADMIN/ST.PHP
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://ANTIGATE.COMG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://API.E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://BREENTEN.BIZD
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://CHECK.PATHTOME.COM/F
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://CINEMA.URLSERVICE.CN/PCGAME/E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://COUNT.LLADS.CN/NEW/VERSS.ASP
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://COUNTERSLOCAL.COM/GETFILE.PHP?E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://D3.PHPE3.PHPE3.PHPE3.PHPE3.PHPDc
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DATA.WITHPOP.COM/DB/%S_WITHPOP.INI
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DATA.WITHPOP.COM/DB/%S_WITHPOP.INIyD
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DATA.WITHPOP.COM/DC/BL.INI
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DLOAD.IPBILL.COM/DEL/CMB_E2open
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DOWN1.DOWNGR.COM/UP.EXEF
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DOWNLOAD.CPUDLN.COM/11/ADG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DOWNLOAD.ENERGYFACTOR.COM/DOWNLOADER_ACTIVEX.ASP
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://DRIVAWEE.JINO.RU/L222223.EXET
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://E3.PHPE3.EXE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://E5B2C.SWHMZQ.COM/622/E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://FREELIFE4EVER.COMD
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://GO.DRIVECL
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://GO.WINANTIVIRUS.CF&
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://GOOGLE.COMEcROGUE/%
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://IETAB.CO.KR/?ID=%S
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://IETAB.CO.KR/?ID=%SE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://JSG-UP.WS/HYDRA/DRIVER.PHPF
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://MAPLESTORY.NEXON.COME
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://MSN.COMD
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: HTTP://OBUPDATE.ORBITDOWNLOADER.COM/UPDATE/IL.PHP
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://OZONUNG.BIZ
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://QUN.QQ.COM/CGI/SVD
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://SEARCH.MSN.E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://SEX-EVERYDAY.COM
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://STAT.WAMME.CN/C8C/GL/CNZZ6
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://STAT.WAMME.CN/C8C/GL/CNZZG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://TROONETY.BIZD
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://TX.XX7.IN/G
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://VOTREENTON.BIZD
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.1
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.61RR.COM/DOWN/G
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.BAIDU.COM/G
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.BATANGIN.COM/BATANGINSETUP.EXE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.D
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.D9
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.EYECHARTSOFTWARE.COM
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.FLOODAD.COM/WEB/DOWNLOAD/
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.FS43.COM:777/MYUNBOUNDMB.UIB
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.FS43.COM:777/MYUNBOUNDMB.UIBT
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.GETIP.YOYO.PLG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.GOOGLE.E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.GRATISWEB.COM/YOUTOBA02/LISTAAUT.JPG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.GUPIAO1.INFO/INDEXE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.HA345.COME
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.HOARAFUSHIONLF
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.IETAB.CO.KR/SETTING.DAT
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.ILAM-MIND-MAKERS.COM/INDEX.PHP?TEXT=
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.INTERNET-OPTIMIZER.COM/CONF/ROGUEE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.JESUSER.CN/PLUG/DOSELECT.ASP?CMD=D
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.MOONLIGHT.COM
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.NIUDOUDOU.COM/WEB/DOWNLOAD/
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.NIUDOUDOU.COM/WEB/DOWNLOAD/E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.RONINSOFT.COM
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.SEARCH
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://WWW.YEANQIN.COM/UL.HTM
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://YOUNG-EROTIC.COME
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTP://ZURRUSCO.COMD
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: HTTP://yD3.JPGyD
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTPS://STORAGE.F
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTPS://T.ME/TH3DARKLYE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: HTTPS://WWW.WORLDOFWARCRAFT.COM/LOGIN/LOGIND
            Source: housecall.bin, 0000000C.00000002.2466383957.00000201C6180000.00000002.00000001.sdmp | String found in binary or memory: http://%s.com
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/%d/checkin.php?cid=%d&ai
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/%d/in/html%d.html?cid=%dF(
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/Gsd/SERVER/SD/10.dll
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/Gsd/SERVER/SD/10.dllG
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/Gsd/SERVER/Up/%d.exe
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/Gsd/SERVER/Up/%d.exeG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/block.phpG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/buy2.php?affid
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/check/checkin.php?cid=%d&aid=%d&time=E
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/index.php?E
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/ini/aeskey.ini
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/ini/aeskey.iniG
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/ini/packet.ini
            Source: Setup.exe, 00000002.00000003.1142605218.000001D025186000.00000004.00000001.sdmp | String found in binary or memory: http://%s/ini/packet.iniG
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/kx.php
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/spm/s_alive.php?id=%s
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s/spm/s_report.php?task=%u&id=%sE
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: http://%s/system/sync.py/cget?botid=%sE
            Source: Setup.exe, 00000002.00000003.1133232402.000001D024E17000.00000004.00000001.sdmp | String found in binary or memory: http://%s:%d%s0%u%u/%c%c%c%c%c.asp?E
            Source: Setup.exe, 00000002.00000003.1121926288.000001D024D36000.00000004.00000001.sdmp | String found in binary or memory: http://%s:%d/%s.jsp?%c%c=%s&%c%c%c=%sE
            Source: