Windows Analysis Report RpcNs4.exe

Overview

General Information

Sample Name: RpcNs4.exe
Analysis ID: 492876
MD5: 1ed37c4a225bbd35716cf241e14541a8
SHA1: 51caf718c3d85847e9f9246b291149a0a7afb698
SHA256: 8b504e796986fbae7d1bea49c95dfad222758cca5cada56472f40a0bde41e485

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • RpcNs4.exe (PID: 5968 cmdline: 'C:\Users\user\Desktop\RpcNs4.exe' MD5: 1ED37C4A225BBD35716CF241E14541A8)
    • networkitemfactory.exe (PID: 900 cmdline: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe MD5: 1ED37C4A225BBD35716CF241E14541A8)
  • svchost.exe (PID: 4840 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4228 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5992 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2852 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5984 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1752 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5780 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2252 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB", "C2 list": ["190.191.171.72:80", "5.189.168.53:8080", "162.241.41.111:7080", "190.85.46.52:7080", "37.205.9.252:7080", "172.96.190.154:8080", "120.51.34.254:80", "181.95.133.104:80", "139.59.61.215:443", "157.7.164.178:8081", "41.185.29.128:8080", "86.57.216.23:80", "185.80.172.199:80", "54.38.143.245:8080", "41.212.89.128:80", "223.17.215.76:80", "37.187.100.220:7080", "167.71.227.113:8080", "8.4.9.137:8080", "113.160.248.110:80", "220.147.247.145:80", "60.125.114.64:443", "182.227.240.189:443", "45.177.120.37:8080", "103.229.73.17:8080", "117.247.235.44:80", "115.78.11.155:80", "79.133.6.236:8080", "139.59.12.63:8080", "91.83.93.103:443", "186.20.52.237:80", "185.208.226.142:8080", "115.79.195.246:80", "116.202.10.123:8080", "162.144.42.60:8080", "185.142.236.163:443", "172.105.78.244:8080", "37.46.129.215:8080", "157.245.138.101:7080", "182.253.83.234:7080", "143.95.101.72:8080", "187.189.66.200:8080", "103.48.68.173:80", "200.116.93.61:80", "223.135.30.189:80", "36.91.44.183:80", "198.57.203.63:8080", "203.153.216.178:7080", "46.32.229.152:8080", "51.38.201.19:7080", "103.93.220.182:80", "103.133.66.57:443", "202.166.170.43:80", "95.216.205.155:8080", "77.74.78.80:443", "78.114.175.216:80", "189.150.209.206:80", "113.156.82.32:80", "58.27.215.3:8080", "192.241.220.183:8080", "185.86.148.68:443", "74.208.173.91:8080", "126.126.139.26:443", "88.247.58.26:80", "49.243.9.118:80", "2.144.244.204:80", "138.201.45.2:8080", "91.75.75.46:80", "119.92.77.17:80", "202.153.220.157:80", "46.105.131.68:8080", "178.33.167.120:8080", "190.192.39.136:80", "115.176.16.221:80", "179.5.118.12:80", "190.190.15.20:80", "113.161.148.81:80", "14.241.182.160:80", "192.163.221.191:8080", "128.106.187.110:80", "190.194.12.132:80", "75.127.14.170:8080", "195.201.56.70:8080", "118.243.83.70:80", 
"50.116.78.109:8080", "192.210.217.94:8080", "103.80.51.61:8080"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Unpacked PEs

Source | Rule | Description | Author
2.2.RpcNs4.exe.5e279e.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.RpcNs4.exe.20b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
4.2.networkitemfactory.exe.51279e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
2.2.RpcNs4.exe.5e052e.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
4.2.networkitemfactory.exe.20b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.RpcNs4.exe.20b0000.3.unpack | Malware Configuration Extractor: Emotet (RSA public key and C2 list as given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: RpcNs4.exe | Virustotal: Detection: 78%
Source: RpcNs4.exe | Metadefender: Detection: 73%
Source: RpcNs4.exe | ReversingLabs: Detection: 89%
Antivirus / Scanner detection for submitted sample
Source: RpcNs4.exe | Avira: detected
Machine Learning detection for sample
Source: RpcNs4.exe | Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B2240 CryptEncrypt,memcpy,CryptGetHashParam,CryptDuplicateHash,CryptDestroyHash,CryptExportKey, 4_2_020B2240
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B2580 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,GetProcessHeap,RtlAllocateHeap, 4_2_020B2580
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B1F60 memcpy,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash, 4_2_020B1F60
Source: RpcNs4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3890 _snwprintf,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 2_2_020B3890
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3890 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose, 4_2_020B3890

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 190.191.171.72:80
Source: Malware configuration extractor | IPs: 5.189.168.53:8080
Source: Malware configuration extractor | IPs: 162.241.41.111:7080
Source: Malware configuration extractor | IPs: 190.85.46.52:7080
Source: Malware configuration extractor | IPs: 37.205.9.252:7080
Source: Malware configuration extractor | IPs: 172.96.190.154:8080
Source: Malware configuration extractor | IPs: 120.51.34.254:80
Source: Malware configuration extractor | IPs: 181.95.133.104:80
Source: Malware configuration extractor | IPs: 139.59.61.215:443
Source: Malware configuration extractor | IPs: 157.7.164.178:8081
Source: Malware configuration extractor | IPs: 41.185.29.128:8080
Source: Malware configuration extractor | IPs: 86.57.216.23:80
Source: Malware configuration extractor | IPs: 185.80.172.199:80
Source: Malware configuration extractor | IPs: 54.38.143.245:8080
Source: Malware configuration extractor | IPs: 41.212.89.128:80
Source: Malware configuration extractor | IPs: 223.17.215.76:80
Source: Malware configuration extractor | IPs: 37.187.100.220:7080
Source: Malware configuration extractor | IPs: 167.71.227.113:8080
Source: Malware configuration extractor | IPs: 8.4.9.137:8080
Source: Malware configuration extractor | IPs: 113.160.248.110:80
Source: Malware configuration extractor | IPs: 220.147.247.145:80
Source: Malware configuration extractor | IPs: 60.125.114.64:443
Source: Malware configuration extractor | IPs: 182.227.240.189:443
Source: Malware configuration extractor | IPs: 45.177.120.37:8080
Source: Malware configuration extractor | IPs: 103.229.73.17:8080
Source: Malware configuration extractor | IPs: 117.247.235.44:80
Source: Malware configuration extractor | IPs: 115.78.11.155:80
Source: Malware configuration extractor | IPs: 79.133.6.236:8080
Source: Malware configuration extractor | IPs: 139.59.12.63:8080
Source: Malware configuration extractor | IPs: 91.83.93.103:443
Source: Malware configuration extractor | IPs: 186.20.52.237:80
Source: Malware configuration extractor | IPs: 185.208.226.142:8080
Source: Malware configuration extractor | IPs: 115.79.195.246:80
Source: Malware configuration extractor | IPs: 116.202.10.123:8080
Source: Malware configuration extractor | IPs: 162.144.42.60:8080
Source: Malware configuration extractor | IPs: 185.142.236.163:443
Source: Malware configuration extractor | IPs: 172.105.78.244:8080
Source: Malware configuration extractor | IPs: 37.46.129.215:8080
Source: Malware configuration extractor | IPs: 157.245.138.101:7080
Source: Malware configuration extractor | IPs: 182.253.83.234:7080
Source: Malware configuration extractor | IPs: 143.95.101.72:8080
Source: Malware configuration extractor | IPs: 187.189.66.200:8080
Source: Malware configuration extractor | IPs: 103.48.68.173:80
Source: Malware configuration extractor | IPs: 200.116.93.61:80
Source: Malware configuration extractor | IPs: 223.135.30.189:80
Source: Malware configuration extractor | IPs: 36.91.44.183:80
Source: Malware configuration extractor | IPs: 198.57.203.63:8080
Source: Malware configuration extractor | IPs: 203.153.216.178:7080
Source: Malware configuration extractor | IPs: 46.32.229.152:8080
Source: Malware configuration extractor | IPs: 51.38.201.19:7080
Source: Malware configuration extractor | IPs: 103.93.220.182:80
Source: Malware configuration extractor | IPs: 103.133.66.57:443
Source: Malware configuration extractor | IPs: 202.166.170.43:80
Source: Malware configuration extractor | IPs: 95.216.205.155:8080
Source: Malware configuration extractor | IPs: 77.74.78.80:443
Source: Malware configuration extractor | IPs: 78.114.175.216:80
Source: Malware configuration extractor | IPs: 189.150.209.206:80
Source: Malware configuration extractor | IPs: 113.156.82.32:80
Source: Malware configuration extractor | IPs: 58.27.215.3:8080
Source: Malware configuration extractor | IPs: 192.241.220.183:8080
Source: Malware configuration extractor | IPs: 185.86.148.68:443
Source: Malware configuration extractor | IPs: 74.208.173.91:8080
Source: Malware configuration extractor | IPs: 126.126.139.26:443
Source: Malware configuration extractor | IPs: 88.247.58.26:80
Source: Malware configuration extractor | IPs: 49.243.9.118:80
Source: Malware configuration extractor | IPs: 2.144.244.204:80
Source: Malware configuration extractor | IPs: 138.201.45.2:8080
Source: Malware configuration extractor | IPs: 91.75.75.46:80
Source: Malware configuration extractor | IPs: 119.92.77.17:80
Source: Malware configuration extractor | IPs: 202.153.220.157:80
Source: Malware configuration extractor | IPs: 46.105.131.68:8080
Source: Malware configuration extractor | IPs: 178.33.167.120:8080
Source: Malware configuration extractor | IPs: 190.192.39.136:80
Source: Malware configuration extractor | IPs: 115.176.16.221:80
Source: Malware configuration extractor | IPs: 179.5.118.12:80
Source: Malware configuration extractor | IPs: 190.190.15.20:80
Source: Malware configuration extractor | IPs: 113.161.148.81:80
Source: Malware configuration extractor | IPs: 14.241.182.160:80
Source: Malware configuration extractor | IPs: 192.163.221.191:8080
Source: Malware configuration extractor | IPs: 128.106.187.110:80
Source: Malware configuration extractor | IPs: 190.194.12.132:80
Source: Malware configuration extractor | IPs: 75.127.14.170:8080
Source: Malware configuration extractor | IPs: 195.201.56.70:8080
Source: Malware configuration extractor | IPs: 118.243.83.70:80
Source: Malware configuration extractor | IPs: 50.116.78.109:8080
Source: Malware configuration extractor | IPs: 192.210.217.94:8080
Source: Malware configuration extractor | IPs: 103.80.51.61:8080
Source: global traffic | TCP traffic: 192.168.2.5:49736 -> 190.191.171.72:80
Source: Joe Sandbox View | ASN Name: GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: global traffic | TCP traffic: 192.168.2.5:49745 -> 5.189.168.53:8080
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 162.241.41.111:7080
Source: global traffic | TCP traffic: 192.168.2.5:49785 -> 190.85.46.52:7080
Source: global traffic | TCP traffic: 192.168.2.5:49790 -> 37.205.9.252:7080
Source: unknown | Network traffic detected: IP country count 36
Source: unknown | TCP traffic detected without corresponding DNS query: 190.191.171.72
Source: unknown | TCP traffic detected without corresponding DNS query: 190.191.171.72
Source: unknown | TCP traffic detected without corresponding DNS query: 190.191.171.72
Source: unknown | TCP traffic detected without corresponding DNS query: 5.189.168.53
Source: unknown | TCP traffic detected without corresponding DNS query: 5.189.168.53
Source: unknown | TCP traffic detected without corresponding DNS query: 5.189.168.53
Source: unknown | TCP traffic detected without corresponding DNS query: 162.241.41.111
Source: unknown | TCP traffic detected without corresponding DNS query: 162.241.41.111
Source: unknown | TCP traffic detected without corresponding DNS query: 162.241.41.111
Source: unknown | TCP traffic detected without corresponding DNS query: 190.85.46.52
Source: unknown | TCP traffic detected without corresponding DNS query: 190.85.46.52
Source: unknown | TCP traffic detected without corresponding DNS query: 190.85.46.52
Source: unknown | TCP traffic detected without corresponding DNS query: 37.205.9.252
Source: unknown | TCP traffic detected without corresponding DNS query: 37.205.9.252
Source: unknown | TCP traffic detected without corresponding DNS query: 37.205.9.252
Source: unknown | TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: unknown | TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: unknown | TCP traffic detected without corresponding DNS query: 172.96.190.154
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://162.241.41.111:7080/LYQRy6c93vecgvHJfH5/EZsl1rJ8QXw/bisGJm2RzFKv/0FbacJYj1q62Xn/
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://162.241.41.111:7080/LYQRy6c93vecgvHJfH5/EZsl1rJ8QXw/bisGJm2RzFKv/0FbacJYj1q62Xn/2
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://172.96.190.154:8080/yTJ2v9/Gv4Y0SVYAXfP/7otgMR8dm3c0Q43/
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://172.96.190.154:8080/yTJ2v9/Gv4Y0SVYAXfP/7otgMR8dm3c0Q43/5
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://172.96.190.154:8080/yTJ2v9/Gv4Y0SVYAXfP/7otgMR8dm3c0Q43/c/IfhZZOLYmyGUpB2z7/y67uuC8o/
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://172.96.190.154:8080/yTJ2v9/Gv4Y0SVYAXfP/7otgMR8dm3c0Q43/p
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://190.191.171.72/e7oyvJu0ryVUBL/0INT0lnzMU2/MpBFVePNcAJo4Omc/IfhZZOLYmyGUpB2z7/y67uuC8o/
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://190.85.46.52:7080/1CMBtWf1oEz5/
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://190.85.46.52:7080/1CMBtWf1oEz5/f
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://190.85.46.52:7080/1CMBtWf1oEz5/m32
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://37.205.9.252:7080/RFYvVKd2K/sy7dp7xsNv9/Rrh3Sh9wg/SwbGDOylYnDUpHudO/ri7bprIvQeGD/Bd2yo6ti2p6c
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://5.189.168.53:8080/o3fBhuuz/
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://5.189.168.53:8080/o3fBhuuz/#
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://5.189.168.53:8080/o3fBhuuz/3
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://5.189.168.53:8080/o3fBhuuz/i
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp | String found in binary or memory: http://5.189.168.53:8080/o3fBhuuz/m
Source: svchost.exe, 00000005.00000002.519834016.000001A00E260000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000005.00000002.519834016.000001A00E260000.00000004.00000001.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000A.00000002.310050189.000001BD7A813000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000008.00000002.517751023.0000023333643000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000008.00000002.517751023.0000023333643000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000008.00000002.517751023.0000023333643000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000008.00000002.517751023.0000023333643000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000008.00000002.517751023.0000023333643000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000A.00000003.309425425.000001BD7A849000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.310124326.000001BD7A83D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.287622580.000001BD7A830000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000A.00000002.310124326.000001BD7A83D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000A.00000003.287622580.000001BD7A830000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000A.00000002.310130711.000001BD7A842000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000A.00000002.310130711.000001BD7A842000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000A.00000003.309425425.000001BD7A849000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000A.00000003.309425425.000001BD7A849000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309425425.000001BD7A849000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309425425.000001BD7A849000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309396699.000001BD7A862000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000A.00000003.309406967.000001BD7A85F000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000A.00000003.287622580.000001BD7A830000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310124326.000001BD7A83D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000A.00000003.287622580.000001BD7A830000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000A.00000002.310124326.000001BD7A83D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000A.00000002.310050189.000001BD7A813000.00000004.00000001.sdmp, svchost.exe, 0000000A.00000002.310124326.000001BD7A83D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309474542.000001BD7A845000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000A.00000003.309474542.000001BD7A845000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000A.00000003.287622580.000001BD7A830000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000A.00000002.310115050.000001BD7A839000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000A.00000002.310050189.000001BD7A813000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 2.2.RpcNs4.exe.5e279e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.5e052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51279e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.5e052e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51052e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.5e279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.257541494.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B2580 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,GetProcessHeap,RtlAllocateHeap
Source: RpcNs4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RpcNs4.exe | File deleted: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe:Zone.Identifier
Source: C:\Users\user\Desktop\RpcNs4.exe | File created: C:\Windows\SysWOW64\rasphone\
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00403B79
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_004160CC
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00409163
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00416919
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041B92F
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041A136
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_004079A1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041EAA3
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00412B63
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00420B08
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00415BD8
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041AC13
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041D439
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_004164E4
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00416D4E
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041A6A1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3B50
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B7830
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3E70
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B1C10
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3C90
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B64F0
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00403B79
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_004160CC
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00409163
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00416919
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041B92F
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041A136
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_004079A1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041EAA3
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00412B63
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00420B08
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00415BD8
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041AC13
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041D439
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_004164E4
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00416D4E
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041A6A1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3B50
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B7830
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3E70
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B1C10
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3C90
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B64F0
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: String function: 00406830 appears 42 times
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: String function: 00406EE5 appears 34 times
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: String function: 00406830 appears 42 times
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: String function: 00406EE5 appears 34 times
Source: RpcNs4.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: RpcNs4.exe | Virustotal: Detection: 78%
Source: RpcNs4.exe | Metadefender: Detection: 73%
Source: RpcNs4.exe | ReversingLabs: Detection: 89%
Source: RpcNs4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RpcNs4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\RpcNs4.exe 'C:\Users\user\Desktop\RpcNs4.exe'
Source: C:\Users\user\Desktop\RpcNs4.exe | Process created: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RpcNs4.exe | Process created: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\RpcNs4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\RpcNs4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine | Classification label: mal96.troj.evad.winEXE@16/5@0/88
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: CloseServiceHandle,OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle, 2_2_020B8830
Source: C:\Users\user\Desktop\RpcNs4.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B4BF0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32NextW,Process32FirstW,CloseHandle,FindCloseChangeNotification
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4636:120:WilError_01
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00406875 push ecx; ret 2_2_00406888
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0040F141 push ecx; ret 2_2_0040F154
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5E10 push ecx; mov dword ptr [esp], 00004C6Fh 2_2_020B5E11
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5EC0 push ecx; mov dword ptr [esp], 000098C7h 2_2_020B5EC1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5F00 push ecx; mov dword ptr [esp], 0000B789h 2_2_020B5F01
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5F50 push ecx; mov dword ptr [esp], 0000285Dh 2_2_020B5F51
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5C40 push ecx; mov dword ptr [esp], 00008691h 2_2_020B5C41
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5C70 push ecx; mov dword ptr [esp], 0000B66Ah 2_2_020B5C71
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5CB0 push ecx; mov dword ptr [esp], 000001F6h 2_2_020B5CB1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5CF0 push ecx; mov dword ptr [esp], 00003EEDh 2_2_020B5CF1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5D30 push ecx; mov dword ptr [esp], 0000E6FEh 2_2_020B5D31
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5D80 push ecx; mov dword ptr [esp], 00001B06h 2_2_020B5D81
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5DA0 push ecx; mov dword ptr [esp], 000086AAh 2_2_020B5DA1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00406875 push ecx; ret 4_2_00406888
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0040F141 push ecx; ret 4_2_0040F154
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5E10 push ecx; mov dword ptr [esp], 00004C6Fh 4_2_020B5E11
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5EC0 push ecx; mov dword ptr [esp], 000098C7h 4_2_020B5EC1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5F00 push ecx; mov dword ptr [esp], 0000B789h 4_2_020B5F01
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5F50 push ecx; mov dword ptr [esp], 0000285Dh 4_2_020B5F51
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5C40 push ecx; mov dword ptr [esp], 00008691h 4_2_020B5C41
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5C70 push ecx; mov dword ptr [esp], 0000B66Ah 4_2_020B5C71
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5CB0 push ecx; mov dword ptr [esp], 000001F6h 4_2_020B5CB1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5CF0 push ecx; mov dword ptr [esp], 00003EEDh 4_2_020B5CF1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5D30 push ecx; mov dword ptr [esp], 0000E6FEh 4_2_020B5D31
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5D80 push ecx; mov dword ptr [esp], 00001B06h 4_2_020B5D81
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5DA0 push ecx; mov dword ptr [esp], 000086AAh 4_2_020B5DA1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00401880 _malloc,LoadLibraryA,GetProcAddress

                      Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\RpcNs4.exe | Executable created and started: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: C:\Users\user\Desktop\RpcNs4.exe | PE file moved: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RpcNs4.exe | File opened: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00403B79 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                      Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\RpcNs4.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess | graph_2-21718
Source: C:\Windows\System32\svchost.exe TID: 3132 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\RpcNs4.exe | API coverage: 8.5 %
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3890 _snwprintf,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3890 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose
Source: C:\Users\user\Desktop\RpcNs4.exe | API call chain: ExitProcess graph end node | graph_2-21450
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | API call chain: ExitProcess graph end node | graph_4-22365
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | API call chain: ExitProcess graph end node | graph_4-21915
Source: C:\Users\user\Desktop\RpcNs4.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.519834016.000001A00E260000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.517847536.000001A008A29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.517367438.0000021F46802000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000007.00000002.517433093.0000021F46828000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.517881294.0000023333664000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.517673418.0000024160029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll