Analysis Report 0HvIGwMmBV

Overview

General Information

Sample Name: 0HvIGwMmBV (renamed file extension from none to exe)
Analysis ID: 376928
MD5: ecbc4b40dcfec4ed1b2647b217da0441
SHA1: e08eb07c69d8fc8e75927597767288a21d6ed7f6
SHA256: 878d5137e0c9a072c83c596b4e80f2aa52a8580ef214e5ba0d59daa5036a92f8

Detection

Emotet
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Startup

  • System is w10x64
  • 0HvIGwMmBV.exe (PID: 2208 cmdline: 'C:\Users\user\Desktop\0HvIGwMmBV.exe' MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
    • 0HvIGwMmBV.exe (PID: 2200 cmdline: C:\Users\user\Desktop\0HvIGwMmBV.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
  • servicerpc.exe (PID: 2308 cmdline: C:\Windows\SysWOW64\servicerpc.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
    • servicerpc.exe (PID: 5340 cmdline: C:\Windows\SysWOW64\servicerpc.exe MD5: ECBC4B40DCFEC4ED1B2647B217DA0441)
  • svchost.exe (PID: 5276 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6088 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6080 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4972 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6024 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2100 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6008 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5976 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5496 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 2000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
0HvIGwMmBV.exe | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0HvIGwMmBV.exe | Emotet | Emotet Payload | kevoreilly
  • 0x16f0:$snippet1: FF 15 F8 C1 40 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 40 00 85 C0

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.0HvIGwMmBV.exe.e80000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0.0.0HvIGwMmBV.exe.e80000.0.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
2.2.servicerpc.exe.e80000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.servicerpc.exe.e80000.0.unpack | Emotet | Emotet Payload | kevoreilly
  • 0x16f0:$snippet1: FF 15 F8 C1 E8 00 83 C4 0C 68 40 00 00 F0 6A 18
  • 0x1732:$snippet2: 6A 13 68 01 00 01 00 FF 15 C4 C0 E8 00 85 C0
3.2.servicerpc.exe.e80000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 0HvIGwMmBV.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: 0HvIGwMmBV.exe | Virustotal: Detection: 83%
Source: 0HvIGwMmBV.exe | ReversingLabs: Detection: 96%
Machine Learning detection for sample
Source: 0HvIGwMmBV.exe | Joe Sandbox ML: detected
Source: 0HvIGwMmBV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0HvIGwMmBV.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: global traffic | TCP traffic: 192.168.2.3:49720 -> 193.169.54.12:8080
Source: global traffic | TCP traffic: 192.168.2.3:49729 -> 173.230.145.224:8080
Source: Joe Sandbox View | IP Address: 193.169.54.12 193.169.54.12
Source: Joe Sandbox View | IP Address: 173.230.145.224 173.230.145.224
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 79.172.249.82:443 | Content-Length: 436 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 79.172.249.82
Source: unknown | TCP traffic detected without corresponding DNS query: 193.169.54.12
Source: unknown | TCP traffic detected without corresponding DNS query: 173.230.145.224
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 79.172.249.82:443 | Content-Length: 436 | Connection: Keep-Alive | Cache-Control: no-cache
Source: svchost.exe, 00000006.00000002.466420456.0000022919412000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000006.00000002.466420456.0000022919412000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000006.00000002.466420456.0000022919412000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000006.00000002.466783419.0000022919600000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 0000000B.00000002.308399355.000001BC42213000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308441069.000001BC42258000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308441069.000001BC42258000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000003.308117767.000001BC4225C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000B.00000003.308097971.000001BC42260000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000B.00000002.308423829.000001BC4223E000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000B.00000003.308132894.000001BC4223D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000B.00000003.286359870.000001BC42232000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000B.00000002.308420615.000001BC4223B000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000B.00000002.308434753.000001BC4224F000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0HvIGwMmBV.exe, type: SAMPLE
Source: Yara match | File source: 00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.203264019.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.195788006.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.202503920.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0HvIGwMmBV.exe, type: SAMPLE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet Payload Author: kevoreilly
Source: C:\Windows\SysWOW64\servicerpc.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | File deleted: C:\Windows\SysWOW64\servicerpc.exe:Zone.Identifier
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E877F0
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E86E70
Source: 0HvIGwMmBV.exe, 00000001.00000002.204503759.0000000002DB0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 0HvIGwMmBV.exe
Source: 0HvIGwMmBV.exe, 00000001.00000002.204538418.0000000002E00000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 0HvIGwMmBV.exe
Source: 0HvIGwMmBV.exe, 00000001.00000002.204538418.0000000002E00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs 0HvIGwMmBV.exe
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: 0HvIGwMmBV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0HvIGwMmBV.exe, type: SAMPLE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: classification engine | Classification label: mal92.troj.evad.winEXE@17/8@0/5
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E82110 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,
Source: C:\Windows\System32\svchost.exe | File created: C:\Users\user\AppData\Local\packages\ActiveSync\LocalState\DiagOutputDir\UnistackCritical.etl
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:2000:120:WilError_01
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Mutant created: \Sessions\1\BaseNamedObjects\MA9E4E299
Source: C:\Windows\SysWOW64\servicerpc.exe | Mutant created: \BaseNamedObjects\MEA7BD142
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M55A96C51
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I55A96C51
Source: C:\Windows\SysWOW64\servicerpc.exe | Mutant created: \BaseNamedObjects\Global\I55A96C51
Source: 0HvIGwMmBV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: 0HvIGwMmBV.exe | Virustotal: Detection: 83%
Source: 0HvIGwMmBV.exe | ReversingLabs: Detection: 96%
Source: unknown | Process created: C:\Users\user\Desktop\0HvIGwMmBV.exe 'C:\Users\user\Desktop\0HvIGwMmBV.exe'
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Process created: C:\Users\user\Desktop\0HvIGwMmBV.exe C:\Users\user\Desktop\0HvIGwMmBV.exe
Source: unknown | Process created: C:\Windows\SysWOW64\servicerpc.exe C:\Windows\SysWOW64\servicerpc.exe
Source: C:\Windows\SysWOW64\servicerpc.exe | Process created: C:\Windows\SysWOW64\servicerpc.exe C:\Windows\SysWOW64\servicerpc.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k unistacksvcgroup
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Process created: C:\Users\user\Desktop\0HvIGwMmBV.exe C:\Users\user\Desktop\0HvIGwMmBV.exe
Source: C:\Windows\SysWOW64\servicerpc.exe | Process created: C:\Windows\SysWOW64\servicerpc.exe C:\Windows\SysWOW64\servicerpc.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: 0HvIGwMmBV.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E81F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\servicerpc.exe | Executable created and started: C:\Windows\SysWOW64\servicerpc.exe
Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | PE file moved: C:\Windows\SysWOW64\servicerpc.exe

Hooking and other Techniques for Hiding and Protection:

                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | File opened: C:\Windows\SysWOW64\servicerpc.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Found evasive API chain (may stop execution after checking mutex)
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | API coverage: 6.5 %
                    Source: C:\Windows\System32\svchost.exe TID: 5980 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | File Volume queried: C:\ FullSizeInformation
                    Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                    Source: svchost.exe, 00000006.00000002.466618432.0000022919460000.00000004.00000001.sdmp | Binary or memory string: @Hyper-V RAW
                    Source: svchost.exe, 00000006.00000002.464116673.0000022913C2A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                    Source: svchost.exe, 00000007.00000002.464168532.000001EA9A802000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
                    Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                    Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                    Source: svchost.exe, 00000007.00000002.464217145.000001EA9A829000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.464440169.0000026F17040000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.464094285.0000022A2D22A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: svchost.exe, 00000008.00000002.464743444.0000026F176B0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                    Source: C:\Windows\SysWOW64\servicerpc.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E81F40 VirtualAlloc,memcpy,memcpy,LoadLibraryA,GetProcAddress,VirtualFree,
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E81BE0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E89EE0 EntryPoint,GetProcessHeap,RtlAllocateHeap,memset,GetProcessHeap,RtlFreeHeap,ExitProcess,
                    Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                    Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp | Binary or memory string: Progman
                    Source: svchost.exe, 00000009.00000002.464715555.000001CE21F90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\servicerpc.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\0HvIGwMmBV.exe | Code function: 0_2_00E88D50 RtlGetVersion,GetNativeSystemInfo,
                    Source: C:\Windows\SysWOW64\servicerpc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Lowering of HIPS / PFW / Operating System Security Settings:

                    Changes security center settings (notifications, updates, antivirus, firewall)
                    Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                    Source: svchost.exe, 0000000D.00000002.464104258.000001836263D000.00000004.00000001.sdmp | Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: svchost.exe, 0000000D.00000002.464169165.0000018362702000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                    Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

                    Stealing of Sensitive Information:

                    Yara detected Emotet
                    Source: Yara match | File source: 0HvIGwMmBV.exe, type: SAMPLE
                    Source: Yara match | File source: 00000001.00000002.204042221.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.197161113.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000000.196655416.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.463934168.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.203686958.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000000.203264019.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000000.195788006.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000000.202503920.0000000000E81000.00000020.00020000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.0.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.0.servicerpc.exe.e80000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.0HvIGwMmBV.exe.e80000.0.unpack, type: UNPACKEDPE

                    MITRE ATT&CK Matrix

                    Techniques listed per tactic column; the matrix's cell text is kept as it appears in the report.

                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                    Execution: Windows Management Instrumentation1; Native API11; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                    Persistence: DLL Side-Loading1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Privilege Escalation: Process Injection2; DLL Side-Loading1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                    Defense Evasion: Masquerading121; Disable or Modify Tools1; Virtualization/Sandbox Evasion3; Process Injection2; Hidden Files and Directories1; DLL Side-Loading1; File Deletion1
                    Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                    Discovery: Security Software Discovery51; Virtualization/Sandbox Evasion3; Process Discovery3; Remote System Discovery1; File and Directory Discovery1; System Information Discovery24; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                    Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Command and Control: Encrypted Channel12; Non-Standard Port1; Non-Application Layer Protocol1; Application Layer Protocol12; Fallback Channels; Multiband Communication; Commonly Used Port
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                    Behavior Graph


                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi