
Windows Analysis Report RpcNs4.exe

Overview

General Information

Sample Name: RpcNs4.exe
Analysis ID: 492876
MD5: 1ed37c4a225bbd35716cf241e14541a8
SHA1: 51caf718c3d85847e9f9246b291149a0a7afb698
SHA256: 8b504e796986fbae7d1bea49c95dfad222758cca5cada56472f40a0bde41e485

Detection

Emotet
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
AV process strings found (often used to terminate AV products)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Tries to load missing DLLs
Contains functionality to read the PEB
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Queries disk information (often used to detect virtual machines)
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • RpcNs4.exe (PID: 5968 cmdline: 'C:\Users\user\Desktop\RpcNs4.exe' MD5: 1ED37C4A225BBD35716CF241E14541A8)
    • networkitemfactory.exe (PID: 900 cmdline: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe MD5: 1ED37C4A225BBD35716CF241E14541A8)
  • svchost.exe (PID: 4840 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3228 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4228 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5992 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2852 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5984 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 1752 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 5780 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 2252 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 4636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 328 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1560 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.RpcNs4.exe.5e279e.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
2.2.RpcNs4.exe.20b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.networkitemfactory.exe.51279e.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
2.2.RpcNs4.exe.5e052e.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
4.2.networkitemfactory.exe.20b0000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 2.2.RpcNs4.exe.20b0000.3.unpack | Malware Configuration Extractor: Emotet
Multi AV Scanner detection for submitted file
Source: RpcNs4.exe | Virustotal: Detection: 78%
Source: RpcNs4.exe | Metadefender: Detection: 73%
Source: RpcNs4.exe | ReversingLabs: Detection: 89%
Antivirus / Scanner detection for submitted sample
Source: RpcNs4.exe | Avira: detected
Machine Learning detection for sample
Source: RpcNs4.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B2240 CryptEncrypt,memcpy,CryptGetHashParam,CryptDuplicateHash,CryptDestroyHash,CryptExportKey,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B2580 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,GetProcessHeap,RtlAllocateHeap,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B1F60 memcpy,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,
Source: RpcNs4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3890 _snwprintf,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3890 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,

Networking:

C2 URLs / IPs found in malware configuration
Source: global traffic | TCP traffic: 192.168.2.5:49736 -> 190.191.171.72:80
Source: Joe Sandbox View | ASN Name: GIGAINFRASoftbankBBCorpJP GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: global traffic | TCP traffic: 192.168.2.5:49745 -> 5.189.168.53:8080
Source: global traffic | TCP traffic: 192.168.2.5:49751 -> 162.241.41.111:7080
Source: global traffic | TCP traffic: 192.168.2.5:49785 -> 190.85.46.52:7080
Source: global traffic | TCP traffic: 192.168.2.5:49790 -> 37.205.9.252:7080
Source: unknown | Network traffic detected: IP country count 36

                      E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 2.2.RpcNs4.exe.5e279e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.5e052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.20b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51279e.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.5e052e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51052e.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.networkitemfactory.exe.51052e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RpcNs4.exe.5e279e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.257541494.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B2580 CryptCreateHash,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptGenKey,GetProcessHeap,RtlAllocateHeap,
Source: RpcNs4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\RpcNs4.exe | File deleted: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe:Zone.Identifier
Source: C:\Users\user\Desktop\RpcNs4.exe | File created: C:\Windows\SysWOW64\rasphone\
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00403B79
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_004160CC
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00409163
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00416919
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041B92F
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041A136
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_004079A1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041EAA3
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00412B63
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00420B08
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00415BD8
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041AC13
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041D439
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_004164E4
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00416D4E
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0041A6A1
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3B50
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B7830
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3E70
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B1C10
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3C90
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B64F0
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00403B79
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_004160CC
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00409163
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00416919
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041B92F
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041A136
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_004079A1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041EAA3
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00412B63
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00420B08
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00415BD8
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041AC13
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041D439
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_004164E4
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00416D4E
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0041A6A1
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3B50
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B7830
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3E70
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B1C10
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3C90
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B64F0
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: String function: 00406830 appears 42 times
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: String function: 00406EE5 appears 34 times
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: String function: 00406830 appears 42 times
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: String function: 00406EE5 appears 34 times
Source: RpcNs4.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
Source: RpcNs4.exe | Virustotal: Detection: 78%
Source: RpcNs4.exe | Metadefender: Detection: 73%
Source: RpcNs4.exe | ReversingLabs: Detection: 89%
Source: RpcNs4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RpcNs4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\RpcNs4.exe 'C:\Users\user\Desktop\RpcNs4.exe'
Source: C:\Users\user\Desktop\RpcNs4.exe | Process created: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RpcNs4.exe | Process created: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\RpcNs4.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\RpcNs4.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: classification engine | Classification label: mal96.troj.evad.winEXE@16/5@0/88
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: CloseServiceHandle,OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,
Source: C:\Users\user\Desktop\RpcNs4.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B4BF0 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32NextW,Process32FirstW,CloseHandle,FindCloseChangeNotification,
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:4636:120:WilError_01
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00406875 push ecx; ret
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0040F141 push ecx; ret
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5E10 push ecx; mov dword ptr [esp], 00004C6Fh
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5EC0 push ecx; mov dword ptr [esp], 000098C7h
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5F00 push ecx; mov dword ptr [esp], 0000B789h
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5F50 push ecx; mov dword ptr [esp], 0000285Dh
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5C40 push ecx; mov dword ptr [esp], 00008691h
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5C70 push ecx; mov dword ptr [esp], 0000B66Ah
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5CB0 push ecx; mov dword ptr [esp], 000001F6h
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5CF0 push ecx; mov dword ptr [esp], 00003EEDh
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5D30 push ecx; mov dword ptr [esp], 0000E6FEh
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5D80 push ecx; mov dword ptr [esp], 00001B06h
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B5DA0 push ecx; mov dword ptr [esp], 000086AAh
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00406875 push ecx; ret
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0040F141 push ecx; ret
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5E10 push ecx; mov dword ptr [esp], 00004C6Fh
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5EC0 push ecx; mov dword ptr [esp], 000098C7h
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5F00 push ecx; mov dword ptr [esp], 0000B789h
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5F50 push ecx; mov dword ptr [esp], 0000285Dh
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5C40 push ecx; mov dword ptr [esp], 00008691h
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5C70 push ecx; mov dword ptr [esp], 0000B66Ah
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5CB0 push ecx; mov dword ptr [esp], 000001F6h
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5CF0 push ecx; mov dword ptr [esp], 00003EEDh
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5D30 push ecx; mov dword ptr [esp], 0000E6FEh
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5D80 push ecx; mov dword ptr [esp], 00001B06h
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B5DA0 push ecx; mov dword ptr [esp], 000086AAh
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00401880 _malloc,LoadLibraryA,GetProcAddress,

                      Persistence and Installation Behavior:

Drops executables to the Windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\RpcNs4.exe | Executable created and started: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Source: C:\Users\user\Desktop\RpcNs4.exe | PE file moved: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\RpcNs4.exe | File opened: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00403B79 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

                      Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\RpcNs4.exe | Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\System32\svchost.exe TID: 3132 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\RpcNs4.exe | API coverage: 8.5 %
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3890 _snwprintf,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3890 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose,FindClose,
Source: C:\Users\user\Desktop\RpcNs4.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\RpcNs4.exe | File Volume queried: C:\ FullSizeInformation
Source: svchost.exe, 00000005.00000002.519834016.000001A00E260000.00000004.00000001.sdmp | Binary or memory string: "@Hyper-V RAW
Source: networkitemfactory.exe, 00000004.00000002.519541263.000000000259D000.00000004.00000001.sdmp, svchost.exe, 00000005.00000002.517847536.000001A008A29000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000007.00000002.517367438.0000021F46802000.00000004.00000001.sdmp | Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcDsSvcfhsvcWPDBusEnumsvsvcwlansvcEmbeddedModeirmonSensorServicevmicvssNgcSvcsysmainDevQueryBrokerStorSvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionNcbServiceNetmanDeviceAssociationServiceTabletInputServicePcaSvcIPxlatCfgSvcCscServiceUmRdpService
Source: svchost.exe, 00000007.00000002.517433093.0000021F46828000.00000004.00000001.sdmp, svchost.exe, 00000008.00000002.517881294.0000023333664000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.517673418.0000024160029000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00406A89 _memset,IsDebuggerPresent,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0040E3C3 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00401880 _malloc,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0040408A GetProcessHeap,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B3E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_020B4D60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B3E70 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_020B4D60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_02091030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_00406769 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: 2_2_0040679A SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_00406769 SetUnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: 4_2_0040679A SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
Source: networkitemfactory.exe, 00000004.00000002.518757751.0000000000C80000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
Source: C:\Users\user\Desktop\RpcNs4.exe | Code function: ___getlocaleinfo (repeated 88 times in the call sequence),
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: GetLocaleInfoW,_GetPrimaryLen,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: _TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_TranslateName,_GetLocaleNameFromLangCountry,_GetLocaleNameFromLanguage,_GetLocaleNameFromDefault,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: _GetPrimaryLen,EnumSystemLocalesW,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,
Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe | Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exeCode function: EnumSystemLocalesW,
                      Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exeCode function: GetLocaleInfoW,
                      Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exeCode function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,
                      Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exeCode function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_memmove,_memmove,_memmove,_free,_free,_free,_free,_free,_free,_free,_free,_free,
                      Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                      Source: C:\Users\user\Desktop\RpcNs4.exeCode function: 2_2_0041201C cpuid
                      Source: C:\Users\user\Desktop\RpcNs4.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Users\user\Desktop\RpcNs4.exeCode function: 2_2_00406001 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
                      Source: C:\Windows\SysWOW64\rasphone\networkitemfactory.exeCode function: 4_2_020B5300 GetNativeSystemInfo,GetNativeSystemInfo,RtlGetVersion,

                      Lowering of HIPS / PFW / Operating System Security Settings:

                      Changes security center settings (notifications, updates, antivirus, firewall)
                      Source: C:\Windows\System32\svchost.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\System32\svchost.exeWMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
                      Source: svchost.exe, 0000000C.00000002.517735542.0000018992E3D000.00000004.00000001.sdmpBinary or memory string: (@V%ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: svchost.exe, 0000000C.00000002.517898237.0000018992F02000.00000004.00000001.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 2.2.RpcNs4.exe.5e279e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RpcNs4.exe.20b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.networkitemfactory.exe.51279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RpcNs4.exe.5e052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.networkitemfactory.exe.20b0000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.networkitemfactory.exe.51279e.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RpcNs4.exe.5e052e.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.networkitemfactory.exe.51052e.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.networkitemfactory.exe.51052e.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.2.RpcNs4.exe.5e279e.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000002.00000002.257541494.00000000020B1000.00000020.00000001.sdmp, type: MEMORY

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 1 | Windows Service 1 | Windows Service 1 | Masquerading 121 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Encrypted Channel 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
                      Default Accounts | Native API 11 | DLL Side-Loading 1 | Process Injection 2 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 61 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | At (Linux) | Application Shimming 1 | DLL Side-Loading 1 | Virtualization/Sandbox Evasion 2 | Security Account Manager | Virtualization/Sandbox Evasion 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | At (Windows) | Logon Script (Mac) | Application Shimming 1 | Process Injection 2 | NTDS | Process Discovery 3 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Hidden Files and Directories 1 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 45 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 492876, Sample: RpcNs4.exe, Startdate: 29/09/2021, Architecture: WINDOWS, Score: 96
                      Root node: contacts 202.153.220.157 (WIDEBAND-AS-APAussieBroadbandAU Australia), 58.27.215.3 (WATEEN-IMS-PK-AS-APNationalWiMAXIMSenvironmentPK Pakistan) and 79 other IPs or domains; signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures; starts RpcNs4.exe, svchost.exe, svchost.exe and 8 other processes
                      RpcNs4.exe: Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Drops executables to the windows directory (C:\Windows) and starts them; Hides that the sample has been downloaded from the Internet (zone.identifier); starts networkitemfactory.exe
                      svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall); starts MpCmdRun.exe, which starts conhost.exe
                      svchost.exe: contacts 127.0.0.1 (unknown unknown)
                      networkitemfactory.exe: contacts 162.241.41.111, 7080 (UNIFIEDLAYER-AS-1US United States), 190.85.46.52, 7080 (TelmexColombiaSACO Colombia) and 4 other IPs or domains

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      RpcNs4.exe | 78% | Virustotal |
                      RpcNs4.exe | 74% | Metadefender |
                      RpcNs4.exe | 89% | ReversingLabs | Win32.Trojan.Emotet
                      RpcNs4.exe | 100% | Avira | TR/AD.Emotet.dbl
                      RpcNs4.exe | 100% | Joe Sandbox ML |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      2.2.RpcNs4.exe.20b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      4.2.networkitemfactory.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138861
                      2.2.RpcNs4.exe.5e279e.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      2.2.RpcNs4.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138861
                      4.2.networkitemfactory.exe.51052e.2.unpack | 100% | Avira | HEUR/AGEN.1142428
                      2.2.RpcNs4.exe.5e052e.2.unpack | 100% | Avira | HEUR/AGEN.1142428
                      4.0.networkitemfactory.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138861
                      4.2.networkitemfactory.exe.51279e.1.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      4.2.networkitemfactory.exe.20b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                      2.0.RpcNs4.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138861

                      Domains

                      No Antivirus matches

                      URLs

                      Domains and IPs

                      Contacted Domains

                      No contacted domains info

                      URLs from Memory and Binaries

Contacted IPs


Public


Private

IP
127.0.0.1

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 492876
Start date: 29.09.2021
Start time: 04:13:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 27s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RpcNs4.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal96.troj.evad.winEXE@16/5@0/88
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 72.1% (good quality ratio 69%)
• Quality average: 82.8%
• Quality standard deviation: 26.7%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                                                                                    • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe
                                                                                    • Excluded IPs from analysis (whitelisted): 23.211.6.115, 23.211.4.86, 20.82.210.154, 40.112.88.60, 80.67.82.211, 80.67.82.235, 23.203.80.193, 51.124.78.146, 20.50.102.62
                                                                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, arc.msn.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net
                                                                                    • Not all processes were analyzed, report is missing behavior information
                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                    Simulations

                                                                                    Behavior and APIs

                                                                                    Time | Type | Description
                                                                                    04:14:16 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                                                                    04:15:32 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified

                                                                                    Joe Sandbox View / Context

                                                                                    IPs

                                                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                    126.126.139.26 | sample1.doc | Get hash | malicious | Browse |
                                                                                     | MV9tCJw8Xr.exe | Get hash | malicious | Browse |
                                                                                    192.210.217.94 | sample1.doc | Get hash | malicious | Browse |
                                                                                     | MV9tCJw8Xr.exe | Get hash | malicious | Browse |
                                                                                    223.17.215.76 | sample1.doc | Get hash | malicious | Browse |
                                                                                     | MV9tCJw8Xr.exe | Get hash | malicious | Browse |
                                                                                    185.208.226.142 | sample1.doc | Get hash | malicious | Browse |
                                                                                     | MV9tCJw8Xr.exe | Get hash | malicious | Browse |

                                                                                                    Domains

                                                                                                    No context

                                                                                                    ASN

                                                                                                    Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                                                                                    GIGAINFRASoftbankBBCorpJP | arm | Get hash | malicious | Browse | 133.121.255.44
                                                                                                     | Le85313EpP | Get hash | malicious | Browse | 126.240.223.57
                                                                                                     | 46gV91KJhQ | Get hash | malicious | Browse | 220.38.228.196
                                                                                                     | x86 | Get hash | malicious | Browse | 218.133.108.199
                                                                                                     | arm | Get hash | malicious | Browse | 126.32.30.5
                                                                                                     | RaVPWTArgG | Get hash | malicious | Browse | 218.178.205.12
                                                                                                     | b2wx6oZNsC | Get hash | malicious | Browse | 219.212.202.78
                                                                                                     | mirkatclpb.x86 | Get hash | malicious | Browse | 126.174.103.192
                                                                                                     | mirkatclpb.arm | Get hash | malicious | Browse | 221.87.174.160
                                                                                                     | ho4yrUrdk1 | Get hash | malicious | Browse | 221.77.141.3
                                                                                                     | qJvDfzBXbs | Get hash | malicious | Browse | 126.11.242.65
                                                                                                     | uTfW1dzdIk | Get hash | malicious | Browse | 60.107.73.68
                                                                                                     | G3kV1FpdsS | Get hash | malicious | Browse | 220.61.174.7
                                                                                                     | Sht1aYGDIX | Get hash | malicious | Browse | 126.184.36.243
                                                                                                     | 8u6nZbyMxl | Get hash | malicious | Browse | 126.210.43.40
                                                                                                     | TfaQUm3e4Y | Get hash | malicious | Browse | 220.47.221.201
                                                                                                     | sora.arm7 | Get hash | malicious | Browse | 126.27.223.210
                                                                                                     | L3Gl0GugHo | Get hash | malicious | Browse | 219.213.5.22
                                                                                                     | Q7rLYKgTht | Get hash | malicious | Browse | 126.175.55.215
                                                                                                     | F0ZMmHZif5 | Get hash | malicious | Browse | 220.34.5.157
                                                                                                    AS-COLOCROSSINGUS | Suppression .xlsx | Get hash | malicious | Browse | 107.172.73.191
                                                                                                     | Notification.xlsx | Get hash | malicious | Browse | 107.172.93.32
                                                                                                     | swift confrimation copy.xlsx | Get hash | malicious | Browse | 192.3.141.149
                                                                                                     | ORDERCONFIRMATION_00001679918.xlsx | Get hash | malicious | Browse | 23.94.159.204
                                                                                                     | suppression des suspensions.xlsx | Get hash | malicious | Browse | 107.172.73.191
                                                                                                     | rrVvnZMcFs | Get hash | malicious | Browse | 23.94.26.138
                                                                                                     | pAu4km62R9 | Get hash | malicious | Browse | 23.94.26.138
                                                                                                     | kUFNxyzq7h | Get hash | malicious | Browse | 23.94.26.138
                                                                                                     | RPM.xlsx | Get hash | malicious | Browse | 23.95.13.176
                                                                                                     | OOLU2032650751.doc | Get hash | malicious | Browse | 107.175.64.227
                                                                                                     | Invoice PO.doc | Get hash | malicious | Browse | 107.175.64.227
                                                                                                     | MOQ-Request_0927210-006452.xlsx | Get hash | malicious | Browse | 107.173.219.122
                                                                                                     | RFQ_final version.xlsx | Get hash | malicious | Browse | 107.173.219.122
                                                                                                     | New Price List.xlsx | Get hash | malicious | Browse | 192.227.225.173
                                                                                                     | RFQ.xlsx | Get hash | malicious | Browse | 23.94.159.207
                                                                                                     | RFQ.xlsx | Get hash | malicious | Browse | 23.94.159.207
                                                                                                     | X86_64 | Get hash | malicious | Browse | 172.245.168.189
                                                                                                     | RQcnbthZwW | Get hash | malicious | Browse | 172.245.168.189
                                                                                                     | haK4nXUWd3 | Get hash | malicious | Browse | 172.245.168.189
                                                                                                     | YIjCULj55a | Get hash | malicious | Browse | 172.245.168.189

                                                                                                    JA3 Fingerprints

                                                                                                    No context

                                                                                                    Dropped Files

                                                                                                    No context

                                                                                                    Created / dropped Files

                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\edb.log
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):4096
                                                                                                    Entropy (8bit):0.5961753579683815
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:bJtk1GaD0JOCEfMuaaD0JOCEfMKQmD7/tAl/gz2cE0fMbhEZolrRSQ2hyYIIT:boGaD0JcaaD0JwQQ7/tAg/0bjSQJ
                                                                                                    MD5:FEDBD07F059E293B1CD3A36CE0BF727A
                                                                                                    SHA1:C75214CD386425539B6F6CFD4F48F90753ECC8E7
                                                                                                    SHA-256:5F2FC139A11B5A3E93489883C7A89D0E8B1A4041C87A7ECCEC784845724B031F
                                                                                                    SHA-512:2C6E4AAEA9EFB60D669ED1E420000D09300C46718D9C113DD7A3043703C0BAADFEB9768C78FC80CB5419A1CA845E5985045D452B90EF0FFFFBC0F252CCF70386
                                                                                                    Malicious:false
                                                                                                    Preview: ....E..h..(..........y............... ..1C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@........................y............&......e.f.3...w.......................3...w..................h..C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b...G............................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:Extensible storage engine DataBase, version 0x620, checksum 0xa82e71d7, page size 16384, DirtyShutdown, Windows version 10.0
                                                                                                    Category:dropped
                                                                                                    Size (bytes):32768
                                                                                                    Entropy (8bit):0.09679207472564298
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:6:BOzzwl/+0XRIE11Y8TRXQlFHKrOzzwl/+0XRIE11Y8TRXQlFHK:K0+0XO4blQlFHKA0+0XO4blQlFHK
                                                                                                    MD5:CDEE6462BDFBADCE486062CB208FC2D9
                                                                                                    SHA1:8DB277B7CA8CCF9AFDA1AAB7A52FDA9FBAE4FC53
                                                                                                    SHA-256:7CFEB754B63AD2FB2518B163B7626B390B012D8A21773FE973F30E3923A7CC7A
                                                                                                    SHA-512:73DA8F7A98AAB76E4955CB961CBC688C69FB07EF9FD59DCDFAC6A1F379515E7BA1FA601572CAD8400DF8D84E45B7320BC65A767C67A132C5DF53E61478565380
                                                                                                    Malicious:false
                                                                                                    Preview: ..q.... ................e.f.3...w........................&..........w.......y..h.(..............................3...w...........................................................................................................B...........@...................................................................................................... ........3...w.......................................................................................................................................................................................................................................'J!.....y..................n........y..........................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:data
                                                                                                    Category:dropped
                                                                                                    Size (bytes):8192
                                                                                                    Entropy (8bit):0.1120151278868993
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:+G1Ev1oj8l/bJdAtiE1Tll:pQKj8t4np
                                                                                                    MD5:CEFA19C920301379F5EF73328CDDC635
                                                                                                    SHA1:C2E331B44A1FD9E196F915D0E12208220B4D7A40
                                                                                                    SHA-256:3874419093305358718AEF8A3E11991C90376C705A62C9599D5F0FBCA8F9D678
                                                                                                    SHA-512:79A5FB2F15E7C11D28D6CFBB127C4F775AC64F5CFA409FD8E486995DAC171E7BFB870CC19D6BE84567619159BAEBC07E7B197C4C83611F384AE73C8911B14E39
                                                                                                    Malicious:false
                                                                                                    Preview: H..a.....................................3...w.......y.......w...............w.......w....:O.....w..................n........y..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
                                                                                                    Process:C:\Windows\System32\svchost.exe
                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                    Category:dropped
                                                                                                    Size (bytes):55
                                                                                                    Entropy (8bit):4.306461250274409
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                    MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                    SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                    SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                    SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                    Malicious:false
                                                                                                    Preview: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                    C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log
                                                                                                    Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                    File Type:data
                                                                                                    Category:modified
                                                                                                    Size (bytes):906
                                                                                                    Entropy (8bit):3.148114293486276
                                                                                                    Encrypted:false
                                                                                                    SSDEEP:12:58KRBubdpkoF1AG3rlsQlwAuXURk9+MlWlLehB4yAq7ejCEsQlwAuXUw:OaqdmuF3rlp+z+kWReH4yJ7MNp+Z
                                                                                                    MD5:19E4C16502BE85E35AE649BCC464A2FC
                                                                                                    SHA1:5F2C7E7EDDE9D2FB82173C8D2D475261962B6EC8
                                                                                                    SHA-256:DF3C8E555F788FD5070E09BE94C3C9E6D1BEEF3F1B56AC5BE54F99EEB2DAA57D
                                                                                                    SHA-512:04F1E4A94FA9351E3CE88A8DC62453D19FDCD211C61EC1518D40F97DEC3ACD6BE65A2BFABD8E1BA8B4E449F276C694DF8804AA5D75EFF04DD2585D351A2AACEB
                                                                                                    Malicious:false
                                                                                                    Preview: ........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. S.e.p. .. 2.9. .. 2.0.2.1. .0.4.:.1.5.:.3.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. S.e.p. .. 2.9. .. 2.0.2.1. .0.4.:.1.5.:.3.2.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....

                                                                                                    Static File Info

                                                                                                    General

                                                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                    Entropy (8bit):6.227386311899768
                                                                                                    TrID:
                                                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                    File name:RpcNs4.exe
                                                                                                    File size:310784
                                                                                                    MD5:1ed37c4a225bbd35716cf241e14541a8
                                                                                                    SHA1:51caf718c3d85847e9f9246b291149a0a7afb698
                                                                                                    SHA256:8b504e796986fbae7d1bea49c95dfad222758cca5cada56472f40a0bde41e485
                                                                                                    SHA512:fa54f2057b8e85c1a84307ee2325cda4393960ca81efe87e929dd5e19516e62604b9081d0964c23b2e8d97fc7a02d5b66a952dc0771a5249cf10074fa765a5e3
                                                                                                    SSDEEP:3072:sNzPwNwAtJKqgYLdcF7pGG7MjzQP3xswlVQN2Lxu2ntX8NUX7uFLuloc:sJPwNwAt/T2F7JcN8U2tM6iV8
                                                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............u.U.u.U.u.U.'.U.u.U.'8U.u.U.'.U.u.Uy.,U.u.U.u.U.u.U...U.u.U..;U.u.U.'<U.u.U.upU.u.U..9U.u.URich.u.U................PE..L..

                                                                                                    File Icon

                                                                                                    Icon Hash:317971b1b1b1b1b0

                                                                                                    Static PE Info

                                                                                                    General

                                                                                                    Entrypoint:0x402aec
                                                                                                    Entrypoint Section:.text
                                                                                                    Digitally signed:false
                                                                                                    Imagebase:0x400000
                                                                                                    Subsystem:windows gui
                                                                                                    Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                                                    DLL Characteristics:TERMINAL_SERVER_AWARE, NX_COMPAT
                                                                                                    Time Stamp:0x5F68E28E [Mon Sep 21 17:27:42 2020 UTC]
                                                                                                    TLS Callbacks:
                                                                                                    CLR (.Net) Version:
                                                                                                    OS Version Major:6
                                                                                                    OS Version Minor:0
                                                                                                    File Version Major:6
                                                                                                    File Version Minor:0
                                                                                                    Subsystem Version Major:6
                                                                                                    Subsystem Version Minor:0
                                                                                                    Import Hash:81f57b81eb6db8b252da01e9143dfb75

                                                                                                    Entrypoint Preview

                                                                                                    Instruction
                                                                                                    call 00007F532C740C35h
                                                                                                    jmp 00007F532C73D725h
                                                                                                    push 00000014h
                                                                                                    push 00434230h
                                                                                                    call 00007F532C741453h
                                                                                                    call 00007F532C740FCFh
                                                                                                    movzx esi, ax
                                                                                                    push 00000002h
                                                                                                    call 00007F532C740BC8h
                                                                                                    pop ecx
                                                                                                    mov eax, 00005A4Dh
                                                                                                    cmp word ptr [00400000h], ax
                                                                                                    je 00007F532C73D726h
                                                                                                    xor ebx, ebx
                                                                                                    jmp 00007F532C73D755h
                                                                                                    mov eax, dword ptr [0040003Ch]
                                                                                                    cmp dword ptr [eax+00400000h], 00004550h
                                                                                                    jne 00007F532C73D70Dh
                                                                                                    mov ecx, 0000010Bh
                                                                                                    cmp word ptr [eax+00400018h], cx
                                                                                                    jne 00007F532C73D6FFh
                                                                                                    xor ebx, ebx
                                                                                                    cmp dword ptr [eax+00400074h], 0Eh
                                                                                                    jbe 00007F532C73D72Bh
                                                                                                    cmp dword ptr [eax+004000E8h], ebx
                                                                                                    setne bl
                                                                                                    mov dword ptr [ebp-1Ch], ebx
                                                                                                    call 00007F532C73EC50h
                                                                                                    test eax, eax
                                                                                                    jne 00007F532C73D72Ah
                                                                                                    push 0000001Ch
                                                                                                    call 00007F532C73D847h
                                                                                                    pop ecx
                                                                                                    call 00007F532C73EF13h
                                                                                                    test eax, eax
                                                                                                    jne 00007F532C73D72Ah
                                                                                                    push 00000010h
                                                                                                    call 00007F532C73D836h
                                                                                                    pop ecx
                                                                                                    call 00007F532C740C41h
                                                                                                    and dword ptr [ebp-04h], 00000000h
                                                                                                    call 00007F532C74052Ch
                                                                                                    test eax, eax
                                                                                                    jns 00007F532C73D72Ah
                                                                                                    push 0000001Bh
                                                                                                    call 00007F532C73D81Ch
                                                                                                    pop ecx
                                                                                                    call dword ptr [004390E8h]
                                                                                                    mov dword ptr [00438C14h], eax
                                                                                                    call 00007F532C740C5Ch
                                                                                                    mov dword ptr [004369BCh], eax
                                                                                                    call 00007F532C740819h
                                                                                                    test eax, eax
                                                                                                    jns 00007F532C73D72Ah
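Nothing in the preview above is sample-specific: it is the stock Visual C++ 2013 CRT start-up (consistent with the Rich header build numbers), and the block beginning with mov eax, 00005A4Dh is the CRT deciding whether the image is a managed application. It reads e_lfanew at offset 0x3C, checks the PE signature, requires the PE32 optional-header magic 0x10B, requires NumberOfRvaAndSizes (offset 0x74 of the NT headers) to exceed 14, and then tests whether the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR entry at offset 0xE8 is non-zero; for this sample that directory is 0x0, so the flag stored at [ebp-1Ch] is 0 and the malicious logic is reached later through WinMain, not at the entrypoint. The Python below is an added example, not code from the report or from the sample: it performs the same checks on a raw file buffer (the assembly reads the mapped image at 0x400000, but the offsets are identical because the headers occupy the first page). The build_minimal_image helper constructs a synthetic header for illustration and is not the sample's data.

```python
import struct

# Offsets the entrypoint code reads, relative to the image base and to the
# NT headers (PE32 layout; identical in the raw file because the headers
# live in the first page).
IMAGE_DOS_SIGNATURE = 0x5A4D            # 'MZ', compared at image base + 0
E_LFANEW_OFFSET = 0x3C                  # IMAGE_DOS_HEADER.e_lfanew
IMAGE_NT_SIGNATURE = 0x00004550         # 'PE\0\0'
OPTIONAL_HEADER_OFFSET = 0x18           # signature (4) + IMAGE_FILE_HEADER (20)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32; the code rejects PE32+ (0x20B)
NUMBER_OF_RVA_AND_SIZES_OFFSET = 0x74   # IMAGE_OPTIONAL_HEADER32 field
DATA_DIRECTORY_OFFSET = 0x78            # first IMAGE_DATA_DIRECTORY entry
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # entry at 0x78 + 14*8 = 0xE8


def has_clr_header(image: bytes) -> bool:
    """Return True iff the image carries a non-empty COM descriptor directory.

    This mirrors the CRT check: every early-out in the assembly leaves
    ebx = 0 ("not managed"), so malformed or non-PE32 input yields False.
    Bounds checks are added because we read a file, not a mapped image.
    """
    if len(image) < E_LFANEW_OFFSET + 4:
        return False
    if struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        return False
    nt = struct.unpack_from("<I", image, E_LFANEW_OFFSET)[0]
    needed = nt + DATA_DIRECTORY_OFFSET + (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR + 1) * 8
    if needed > len(image):
        return False
    if struct.unpack_from("<I", image, nt)[0] != IMAGE_NT_SIGNATURE:
        return False
    magic = struct.unpack_from("<H", image, nt + OPTIONAL_HEADER_OFFSET)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return False
    n_dirs = struct.unpack_from("<I", image, nt + NUMBER_OF_RVA_AND_SIZES_OFFSET)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:   # cmp ..., 0Eh / jbe
        return False
    com_va = struct.unpack_from(
        "<I", image, nt + DATA_DIRECTORY_OFFSET + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)[0]
    return com_va != 0                                    # setne bl


def build_minimal_image(magic=IMAGE_NT_OPTIONAL_HDR32_MAGIC, n_dirs=16, com_va=0) -> bytes:
    """Constructed test input (not bytes from the sample): a DOS header with
    e_lfanew, then NT headers with only the fields the check reads filled in."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, e_lfanew)
    nt = bytearray(DATA_DIRECTORY_OFFSET + 16 * 8)
    struct.pack_into("<I", nt, 0, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", nt, OPTIONAL_HEADER_OFFSET, magic)
    struct.pack_into("<I", nt, NUMBER_OF_RVA_AND_SIZES_OFFSET, n_dirs)
    struct.pack_into("<II", nt, DATA_DIRECTORY_OFFSET + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8,
                     com_va, 0x48 if com_va else 0)
    return bytes(dos + nt)


def classify_file(path: str) -> str:
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return "managed (CLR header present)" if has_clr_header(fh.read()) else "native"


if __name__ == "__main__":
    # A native PE32 like this sample (COM descriptor directory 0x0) ...
    print(has_clr_header(build_minimal_image()))               # False
    # ... versus a mixed-mode or .NET image with a CLR header at some RVA.
    print(has_clr_header(build_minimal_image(com_va=0x2008)))  # True
```

Running classify_file against the sample would report "native", matching the empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and empty CLR version in the static tables; a PE32+ file also reports "native" because the CRT code only understands the 0x10B layout.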

                                                                                                    Rich Headers

                                                                                                    Programming Language:
                                                                                                    • [C++] VS2013 UPD5 build 40629
                                                                                                    • [ C ] VS2013 build 21005
                                                                                                    • [LNK] VS2013 UPD5 build 40629
                                                                                                    • [EXP] VS2013 UPD5 build 40629
                                                                                                    • [C++] VS2013 build 21005
                                                                                                    • [ASM] VS2013 build 21005
                                                                                                    • [RES] VS2013 build 21005

                                                                                                    Data Directories

Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x34b20          0x15c         .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT          0x392b4          0x50          .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x3a000          0x13d10       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x4e000          0x1bc4        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x323d8          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x39000          0x2b4         .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                                                    Sections

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy        Characteristics
.text   0x1000           0x2a1d1       0x2a200   False     0.40440699184    data       5.8183204417   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata  0x2c000          0x8c7c        0x8e00    False     0.263011663732   data       3.37323787881  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0x35000          0x3c20        0x1a00    False     0.244891826923   data       2.84139335758  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata  0x39000          0xfb9         0x1000    False     0.3642578125     data       4.6782022268   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc   0x3a000          0x13d10       0x13e00   False     0.767614976415   data       6.94887089309  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x4e000          0x207f        0x2200    False     0.650620404412   data       5.98371531894  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                                                    Resources

Name           RVA      Size    Type                   Language  Country
RT_BITMAP      0x49378  0x1244  data                   English   United States
RT_ICON        0x3a3b0  0x2e8   data                   English   United States
RT_ICON        0x3a698  0x128   GLS_BINARY_LSB_FIRST   English   United States
RT_MENU        0x49320  0x54    data                   English   United States
RT_STRING      0x4a5c0  0xbc    data                   English   United States
RT_GROUP_ICON  0x3a7c0  0x22    data                   English   United States
RT_MANIFEST    0x4a680  0x17d   XML 1.0 document text  English   United States
None           0x3a7e8  0xeb33  data                   English   United States
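The Entropy and ZLIB Complexity columns of the Sections table are what a triage script keys on. Code sections of an unpacked VC++ binary sit around 5.8 bits per byte and compress to roughly 40% (.text above), whereas the .rsrc section is both higher-entropy (6.95) and poorly compressible (0.77), and the Resources table shows why: a single unnamed resource of 0xeb33 bytes accounts for most of that section and is the first place to look for an embedded payload. The Python below is an added example and not the report's code: it computes the two metrics over constructed byte buffers standing in for section contents (8-bit Shannon entropy; that ZLIB Complexity is the compressed-to-raw size ratio is my assumption of the column's definition) and flags the combination of high entropy with poor compressibility, which is a stronger signal than either value alone.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant
    input, 8.0 for a perfectly uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def zlib_complexity(data: bytes) -> float:
    """Ratio of zlib-compressed size to raw size (assumption: this is what the
    'ZLIB Complexity' column reports). Near 0 = trivially compressible;
    near or above 1 = already compressed or encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_report(name: str, data: bytes, entropy_threshold: float = 7.0,
                   complexity_threshold: float = 0.9) -> dict:
    """Metrics for one section plus a packed/encrypted verdict."""
    e = shannon_entropy(data)
    z = zlib_complexity(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(e, 3),
        "zlib_complexity": round(z, 3),
        # Thresholds are tuning knobs, not constants from the report.
        "suspicious": e >= entropy_threshold and z >= complexity_threshold,
    }


def constructed_sections() -> dict:
    """Constructed stand-ins for section contents (not bytes from the sample):
    zero-filled data, readable strings, and a pseudo-random blob that looks
    like an encrypted resource."""
    rng = random.Random(20210929)
    return {
        ".data": bytes(4096),
        ".rdata": b"This program cannot be run in DOS mode.\r\n" * 100,
        ".rsrc": bytes(rng.getrandbits(8) for _ in range(4096)),
    }


def scan(sections: dict) -> list:
    return [section_report(name, data) for name, data in sections.items()]


if __name__ == "__main__":
    for row in scan(constructed_sections()):
        print(row)
```

On a real file, feed each section's raw bytes (SizeOfRawData, not VirtualSize, which may exceed what is on disk) to section_report; an image whose .text scores like the constructed .rsrc above is almost certainly packed, and the entrypoint preview would then not look like stock CRT code.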

                                                                                                    Imports

DLL           Imports
KERNEL32.dll  SetFilePointerEx, SetStdHandle, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetStringTypeW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapReAlloc, WriteConsoleW, OutputDebugStringW, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, LoadLibraryExW, FreeLibrary, SetConsoleCtrlHandler, FatalAppExitA, LeaveCriticalSection, EnterCriticalSection, CreateSemaphoreW, GetModuleHandleW, GetTickCount, TlsFree, TlsSetValue, CloseHandle, LoadLibraryA, GetProcAddress, VirtualAlloc, HeapSize, GetLocalTime, HeapAlloc, RtlUnwind, GetCommandLineA, GetLastError, HeapFree, IsDebuggerPresent, IsProcessorFeaturePresent, EncodePointer, DecodePointer, RaiseException, ExitProcess, GetModuleHandleExW, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, GetStdHandle, WriteFile, GetModuleFileNameW, GetProcessHeap, SetLastError, GetCurrentThread, GetCurrentThreadId, GetFileType, DeleteCriticalSection, GetStartupInfoW, GetModuleFileNameA, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, GetEnvironmentStringsW, FreeEnvironmentStringsW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeCriticalSectionAndSpinCount, CreateEventW, Sleep, GetCurrentProcess, TerminateProcess, TlsAlloc, TlsGetValue, CreateFileW
USER32.dll    LoadIconA, LoadCursorA, MessageBoxA, EndPaint, BeginPaint, UpdateWindow, TranslateAcceleratorA, LoadAcceleratorsA, ShowWindow, RegisterClassExA, PostQuitMessage, DispatchMessageA, TranslateMessage, GetMessageA, LoadStringA, LoadBitmapA, GetDesktopWindow, SetWindowLongA, GetWindowLongA, GetCursorPos, GetWindowRect, ReleaseDC, GetDC, TrackPopupMenu, GetSubMenu, CheckMenuItem, LoadMenuA, KillTimer, SetTimer, SetWindowPos, DestroyWindow, CreateWindowExA, DefWindowProcA
GDI32.dll     SelectObject, DeleteObject, DeleteDC, CreateCompatibleDC, BitBlt, StretchBlt

                                                                                                    Exports

Name          Ordinal  Address
lhxXfY9mIrDZ  1        0x40103c

                                                                                                    Possible Origin

Language of compilation system  Country where language is spoken
English                         United States

                                                                                                    Network Behavior

                                                                                                    Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP       Dest IP
09/29/21-04:15:05.886157  ICMP      399  ICMP Destination Unreachable Host Unreachable                           108.167.150.86  192.168.2.5
09/29/21-04:15:08.898226  ICMP      399  ICMP Destination Unreachable Host Unreachable                           108.167.150.86  192.168.2.5
09/29/21-04:15:14.914137  ICMP      399  ICMP Destination Unreachable Host Unreachable                           108.167.150.86  192.168.2.5

                                                                                                    Network Port Distribution

                                                                                                    TCP Packets

Timestamp                             Source Port  Dest Port  Source IP       Dest IP
Sep 29, 2021 04:14:34.579462051 CEST  49736        80         192.168.2.5     190.191.171.72
Sep 29, 2021 04:14:37.590918064 CEST  49736        80         192.168.2.5     190.191.171.72
Sep 29, 2021 04:14:43.591281891 CEST  49736        80         192.168.2.5     190.191.171.72
Sep 29, 2021 04:14:58.564569950 CEST  49745        8080       192.168.2.5     5.189.168.53
Sep 29, 2021 04:14:58.596065044 CEST  8080         49745      5.189.168.53    192.168.2.5
Sep 29, 2021 04:14:59.108776093 CEST  49745        8080       192.168.2.5     5.189.168.53
Sep 29, 2021 04:14:59.141755104 CEST  8080         49745      5.189.168.53    192.168.2.5
Sep 29, 2021 04:14:59.655216932 CEST  49745        8080       192.168.2.5     5.189.168.53
Sep 29, 2021 04:14:59.685148001 CEST  8080         49745      5.189.168.53    192.168.2.5
Sep 29, 2021 04:15:02.749850988 CEST  49751        7080       192.168.2.5     162.241.41.111
Sep 29, 2021 04:15:05.765048027 CEST  49751        7080       192.168.2.5     162.241.41.111
Sep 29, 2021 04:15:11.781199932 CEST  49751        7080       192.168.2.5     162.241.41.111
Sep 29, 2021 04:15:27.074985027 CEST  49785        7080       192.168.2.5     190.85.46.52
Sep 29, 2021 04:15:30.079667091 CEST  49785        7080       192.168.2.5     190.85.46.52
Sep 29, 2021 04:15:36.080301046 CEST  49785        7080       192.168.2.5     190.85.46.52
Sep 29, 2021 04:15:51.844423056 CEST  49790        7080       192.168.2.5     37.205.9.252
Sep 29, 2021 04:15:54.847382069 CEST  49790        7080       192.168.2.5     37.205.9.252
Sep 29, 2021 04:16:00.847948074 CEST  49790        7080       192.168.2.5     37.205.9.252
Sep 29, 2021 04:16:15.304163933 CEST  49793        8080       192.168.2.5     172.96.190.154
Sep 29, 2021 04:16:15.472785950 CEST  8080         49793      172.96.190.154  192.168.2.5
Sep 29, 2021 04:16:15.974430084 CEST  49793        8080       192.168.2.5     172.96.190.154
Sep 29, 2021 04:16:16.143085957 CEST  8080         49793      172.96.190.154  192.168.2.5
Sep 29, 2021 04:16:16.646538019 CEST  49793        8080       192.168.2.5     172.96.190.154
Sep 29, 2021 04:16:16.815198898 CEST  8080         49793      172.96.190.154  192.168.2.5
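Read as flows rather than packets, the TCP table separates the six C2 candidates into two groups. Four hosts (190.191.171.72:80 and the three on port 7080) never sent a byte back; the client's three packets per flow are spaced 3 s and then 6 s apart, which is Windows' default SYN retransmission schedule before the connect fails. The two hosts on port 8080 answered every packet, but the trace shows only three request/response pairs about half a second apart and no further exchange, so neither delivered a working C2 session either. The three Snort ICMP Host Unreachable alerts from 108.167.150.86 each arrive a fraction of a second after a SYN to 162.241.41.111, which is what an intermediate router reporting a dead host looks like. The Python below is an added example, not the report's code: it embeds the rows above (time of day only, nanoseconds truncated to microseconds), groups them into flows from the sandbox host (192.168.2.5 is assumed to be the analysis VM), classifies each server, and attributes each ICMP alert to the host's most recent outbound packet. The attribution is a nearest-in-time heuristic, not a parse of the quoted IP header inside the ICMP payload.

```python
from collections import defaultdict
from datetime import datetime

# Assumption: 192.168.2.5 is the analysis VM; every flow is keyed from its side.
SANDBOX_HOST = "192.168.2.5"

# The TCP rows from the table above (time of day only, nanoseconds truncated
# to microseconds): time, src port, dst port, src ip, dst ip.
TCP_ROWS = """\
04:14:34.579462 49736 80 192.168.2.5 190.191.171.72
04:14:37.590918 49736 80 192.168.2.5 190.191.171.72
04:14:43.591281 49736 80 192.168.2.5 190.191.171.72
04:14:58.564569 49745 8080 192.168.2.5 5.189.168.53
04:14:58.596065 8080 49745 5.189.168.53 192.168.2.5
04:14:59.108776 49745 8080 192.168.2.5 5.189.168.53
04:14:59.141755 8080 49745 5.189.168.53 192.168.2.5
04:14:59.655216 49745 8080 192.168.2.5 5.189.168.53
04:14:59.685148 8080 49745 5.189.168.53 192.168.2.5
04:15:02.749850 49751 7080 192.168.2.5 162.241.41.111
04:15:05.765048 49751 7080 192.168.2.5 162.241.41.111
04:15:11.781199 49751 7080 192.168.2.5 162.241.41.111
04:15:27.074985 49785 7080 192.168.2.5 190.85.46.52
04:15:30.079667 49785 7080 192.168.2.5 190.85.46.52
04:15:36.080301 49785 7080 192.168.2.5 190.85.46.52
04:15:51.844423 49790 7080 192.168.2.5 37.205.9.252
04:15:54.847382 49790 7080 192.168.2.5 37.205.9.252
04:16:00.847948 49790 7080 192.168.2.5 37.205.9.252
04:16:15.304163 49793 8080 192.168.2.5 172.96.190.154
04:16:15.472785 8080 49793 172.96.190.154 192.168.2.5
04:16:15.974430 49793 8080 192.168.2.5 172.96.190.154
04:16:16.143085 8080 49793 172.96.190.154 192.168.2.5
04:16:16.646538 49793 8080 192.168.2.5 172.96.190.154
04:16:16.815198 8080 49793 172.96.190.154 192.168.2.5
"""

# The three Snort ICMP "Host Unreachable" alerts: time, src ip, dst ip.
ICMP_ROWS = """\
04:15:05.886157 108.167.150.86 192.168.2.5
04:15:08.898226 108.167.150.86 192.168.2.5
04:15:14.914137 108.167.150.86 192.168.2.5
"""


def _ts(text: str) -> datetime:
    return datetime.strptime(text, "%H:%M:%S.%f")


def parse_tcp(text: str) -> list:
    rows = []
    for line in text.strip().splitlines():
        t, sp, dp, sip, dip = line.split()
        rows.append((_ts(t), int(sp), int(dp), sip, dip))
    return rows


def group_flows(rows: list, host: str = SANDBOX_HOST) -> dict:
    """Key every packet by (client port, server ip, server port) as seen from the host."""
    flows = defaultdict(lambda: {"sent": [], "received": []})
    for t, sp, dp, sip, dip in rows:
        if sip == host:
            flows[(sp, dip, dp)]["sent"].append(t)
        elif dip == host:
            flows[(dp, sip, sp)]["received"].append(t)
    return flows


def classify(flow: dict) -> str:
    gaps = [round((b - a).total_seconds()) for a, b in zip(flow["sent"], flow["sent"][1:])]
    if flow["received"]:
        return "answered"
    if gaps == [3, 6]:      # Windows SYN retransmit schedule: +3 s, +6 s, then give up
        return "no answer (SYN retransmits)"
    return "unclassified"


def summarize(rows: list, host: str = SANDBOX_HOST) -> dict:
    """Map 'server_ip:port' to verdict, attempts made and replies seen."""
    out = {}
    for (_cport, sip, dport), flow in group_flows(rows, host).items():
        out[f"{sip}:{dport}"] = {
            "verdict": classify(flow),
            "attempts": len(flow["sent"]),
            "replies": len(flow["received"]),
        }
    return out


def attribute_icmp(icmp_text: str, rows: list, host: str = SANDBOX_HOST) -> list:
    """Nearest-in-time heuristic: blame each ICMP error on the host's most
    recent outbound packet. Returns (icmp source, probable destination)."""
    sent = sorted((t, dip) for t, _sp, _dp, sip, dip in rows if sip == host)
    result = []
    for line in icmp_text.strip().splitlines():
        t, src, _dst = line.split()
        when = _ts(t)
        prior = [dip for pt, dip in sent if pt <= when]
        result.append((src, prior[-1] if prior else None))
    return result


if __name__ == "__main__":
    rows = parse_tcp(TCP_ROWS)
    for server, info in summarize(rows).items():
        print(f"{server:22} {info['verdict']:30} attempts={info['attempts']} replies={info['replies']}")
    for src, dst in attribute_icmp(ICMP_ROWS, rows):
        print(f"ICMP unreachable from {src} most likely concerns {dst}")
```

The same grouping applied to a live capture (flags included) would tell the two cases apart for certain: a server whose three replies are RSTs is a host that is up with the C2 port closed, which is a different takedown state from a host that is gone entirely.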

                                                                                                    UDP Packets

Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 29, 2021 04:14:05.641190052 CEST  62060        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:14:05.662507057 CEST  53           62060      8.8.8.8      192.168.2.5
Sep 29, 2021 04:14:19.959433079 CEST  61805        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:14:19.976883888 CEST  53           61805      8.8.8.8      192.168.2.5
Sep 29, 2021 04:14:37.067980051 CEST  54795        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:14:37.104115963 CEST  53           54795      8.8.8.8      192.168.2.5
Sep 29, 2021 04:14:56.899835110 CEST  49557        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:14:56.932769060 CEST  53           49557      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:12.343552113 CEST  61733        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:12.354193926 CEST  65447        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:12.374015093 CEST  53           65447      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:12.379074097 CEST  53           61733      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:15.998997927 CEST  52441        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:16.018075943 CEST  53           52441      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:27.754755020 CEST  62176        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:27.780180931 CEST  53           62176      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:28.400073051 CEST  59596        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:28.419282913 CEST  53           59596      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:50.121165037 CEST  65296        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:50.153857946 CEST  53           65296      8.8.8.8      192.168.2.5
Sep 29, 2021 04:15:51.985894918 CEST  63183        53         192.168.2.5  8.8.8.8
Sep 29, 2021 04:15:52.013561010 CEST  53           63183      8.8.8.8      192.168.2.5

                                                                                                    Code Manipulations

                                                                                                    Statistics

                                                                                                    Behavior


                                                                                                    System Behavior

                                                                                                    General

                                                                                                    Start time:04:14:12
                                                                                                    Start date:29/09/2021
Path: C:\Users\user\Desktop\RpcNs4.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\RpcNs4.exe'
Imagebase: 0x400000
File size: 310784 bytes
MD5 hash: 1ED37C4A225BBD35716CF241E14541A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.256801219.00000000005F4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.256746048.00000000005E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000002.00000002.257541494.00000000020B1000.00000020.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 04:14:14
Start date: 29/09/2021
Path: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rasphone\networkitemfactory.exe
Imagebase: 0x400000
File size: 310784 bytes
MD5 hash: 1ED37C4A225BBD35716CF241E14541A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.517659433.0000000000510000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.519092750.00000000020B1000.00000020.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000004.00000002.519022380.0000000002094000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 04:14:16
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:20
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:26
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:27
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:28
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:29
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:30
Start date: 29/09/2021
Path: C:\Windows\System32\SgrmBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\SgrmBroker.exe
Imagebase: 0x7ff6ee970000
File size: 163336 bytes
MD5 hash: D3170A3F3A9626597EEE1888686E3EA6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 04:14:30
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 04:14:36
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 04:14:46
Start date: 29/09/2021
Path: C:\Windows\System32\svchost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase: 0x7ff797770000
File size: 51288 bytes
MD5 hash: 32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 04:15:31
Start date: 29/09/2021
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Imagebase: 0x7ff71de40000
File size: 455656 bytes
MD5 hash: A267555174BFA53844371226F482B86B
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

General

Start time: 04:15:32
Start date: 29/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language

Disassembly

Code Analysis