Analysis Report WZ1j9bqSlV

Overview

General Information

Sample Name: WZ1j9bqSlV (renamed file extension from none to exe)
Analysis ID: 317623
MD5: e320c9dcc1512107fc6bc5e8b71d27d3
SHA1: 171b4e36060d479c7e052d737cb7d1148f1c2613
SHA256: f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: WZ1j9bqSlV.exe Virustotal: Detection: 52%
Source: WZ1j9bqSlV.exe Metadefender: Detection: 40%
Source: WZ1j9bqSlV.exe ReversingLabs: Detection: 58%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02252330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree, 1_2_02252330
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, 1_2_02252730
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02252010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree, 1_2_02252010
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_0042860E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose, 0_2_004328E6
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_02233A10
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 1_2_0042860E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_004328E6 lstrlenA,FindFirstFileA,FindClose, 1_2_004328E6
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02253A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 1_2_02253A10

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.5:49718 -> 27.78.27.110:443
Source: Traffic Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.5:49727 -> 81.241.22.161:20
Source: Traffic Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.5:49736 -> 91.121.200.35:8080
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49727 -> 81.241.22.161:20
Source: global traffic TCP traffic: 192.168.2.5:49736 -> 91.121.200.35:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 91.121.200.35
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VIETEL-AS-APViettelGroupVN
Source: Joe Sandbox View ASN Name: PROXIMUS-ISP-ASBE
Source: Joe Sandbox View ASN Name: OVHFR
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Source: global traffic TCP traffic: 192.168.2.5:49718 -> 27.78.27.110:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 91.121.200.35/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0Jw
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 91.121.200.35:8080
Content-Length: 4564
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02252A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW, 1_2_02252A80
Source: unknown HTTP traffic detected:
POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 91.121.200.35/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0Jw
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 91.121.200.35:8080
Content-Length: 4564
Cache-Control: no-cache
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/77)
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000003.375609039.0000000002A11000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/a
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/em32
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/n
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/%
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/u
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: unlodctr.exe, 00000001.00000002.498130310.000000000079A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00424554 GetKeyState,GetKeyState,GetKeyState, 0_2_00424554
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 0_2_0040AAE1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 0_2_00439719
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 0_2_0040589A
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 0_2_00423E75
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00424554 GetKeyState,GetKeyState,GetKeyState, 1_2_00424554
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 1_2_0040AAE1
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent, 1_2_00439719
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA, 1_2_0040589A
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow, 1_2_00423E75

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000001.00000002.498518056.0000000002251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498493339.0000000002234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236225902.0000000002231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236214362.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498077947.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236259963.0000000002314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.WZ1j9bqSlV.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.unlodctr.exe.2250000.1.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey, 1_2_02252730

System Summary:

Creates files inside the system directory
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\
Deletes files inside the Windows folder
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File deleted: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier
Detected potential crypto function
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043E223 0_2_0043E223
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0044E361 0_2_0044E361
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0040C634 0_2_0040C634
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043EA03 0_2_0043EA03
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0044CAE5 0_2_0044CAE5
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043EE23 0_2_0043EE23
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0044D1DD 0_2_0044D1DD
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0044360B 0_2_0044360B
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043DD4E 0_2_0043DD4E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02238180 0_2_02238180
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02237590 0_2_02237590
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02231C70 0_2_02231C70
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043E223 1_2_0043E223
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0044E361 1_2_0044E361
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0040C634 1_2_0040C634
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043EA03 1_2_0043EA03
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0044CAE5 1_2_0044CAE5
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043EE23 1_2_0043EE23
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0044D1DD 1_2_0044D1DD
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0044360B 1_2_0044360B
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043DD4E 1_2_0043DD4E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02258180 1_2_02258180
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02257590 1_2_02257590
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02251C70 1_2_02251C70
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078912E 1_2_0078912E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078380E 1_2_0078380E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00789D1E 1_2_00789D1E
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: String function: 0043D4FB appears 236 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: String function: 0043D52E appears 47 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: String function: 0041CD0D appears 36 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: String function: 0043D1FC appears 60 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: String function: 0043D4FB appears 236 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: String function: 0043D52E appears 47 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: String function: 0041CD0D appears 36 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: String function: 0043D1FC appears 60 times
PE file contains strange resources
Source: WZ1j9bqSlV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WZ1j9bqSlV.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: WZ1j9bqSlV.exe, 00000000.00000002.235513271.0000000000470000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp Binary or memory string: originalfilename vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.236832361.0000000002A70000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Source: classification engine Classification label: mal76.troj.evad.winEXE@14/5@0/4
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00417BCC __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA, 0_2_00417BCC
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 0_2_02238730
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02254CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification, 1_2_02254CA0
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_004340AF __EH_prolog3_GS,GetVersionExA,CoInitializeEx,CoCreateInstance, 0_2_004340AF
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00416858 FindResourceA,LoadResource,LockResource,FreeResource, 0_2_00416858
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap, 0_2_02235060
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3000:120:WilError_01
Source: WZ1j9bqSlV.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: WZ1j9bqSlV.exe Virustotal: Detection: 52%
Source: WZ1j9bqSlV.exe Metadefender: Detection: 40%
Source: WZ1j9bqSlV.exe ReversingLabs: Detection: 58%
Source: unknown Process created: C:\Users\user\Desktop\WZ1j9bqSlV.exe 'C:\Users\user\Desktop\WZ1j9bqSlV.exe'
Source: unknown Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: WZ1j9bqSlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WZ1j9bqSlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WZ1j9bqSlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WZ1j9bqSlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WZ1j9bqSlV.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow, 0_2_00401D50
PE file contains an invalid checksum
Source: WZ1j9bqSlV.exe Static PE information: real checksum: 0x958ba should be: 0x8ef7a
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043D241 push ecx; ret 0_2_0043D254
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043D5D3 push ecx; ret 0_2_0043D5E6
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235E70 push ecx; mov dword ptr [esp], 00008D73h 0_2_02235E71
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235E40 push ecx; mov dword ptr [esp], 0000AEA2h 0_2_02235E41
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 00007473h 0_2_02235EA1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E2ADh 0_2_02235F21
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235F70 push ecx; mov dword ptr [esp], 000084ADh 0_2_02235F71
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235FB0 push ecx; mov dword ptr [esp], 0000460Eh 0_2_02235FB1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235D30 push ecx; mov dword ptr [esp], 00002C7Ch 0_2_02235D31
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235D00 push ecx; mov dword ptr [esp], 000021B4h 0_2_02235D01
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235D70 push ecx; mov dword ptr [esp], 00008067h 0_2_02235D71
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235DA0 push ecx; mov dword ptr [esp], 000036B8h 0_2_02235DA1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02235DE0 push ecx; mov dword ptr [esp], 000025AAh 0_2_02235DE1
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043D241 push ecx; ret 1_2_0043D254
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043D5D3 push ecx; ret 1_2_0043D5E6
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255E70 push ecx; mov dword ptr [esp], 00008D73h 1_2_02255E71
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255E40 push ecx; mov dword ptr [esp], 0000AEA2h 1_2_02255E41
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255EA0 push ecx; mov dword ptr [esp], 00007473h 1_2_02255EA1
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255F20 push ecx; mov dword ptr [esp], 0000E2ADh 1_2_02255F21
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255F70 push ecx; mov dword ptr [esp], 000084ADh 1_2_02255F71
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255FB0 push ecx; mov dword ptr [esp], 0000460Eh 1_2_02255FB1
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255D30 push ecx; mov dword ptr [esp], 00002C7Ch 1_2_02255D31
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255D00 push ecx; mov dword ptr [esp], 000021B4h 1_2_02255D01
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255D70 push ecx; mov dword ptr [esp], 00008067h 1_2_02255D71
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255DA0 push ecx; mov dword ptr [esp], 000036B8h 1_2_02255DA1
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02255DE0 push ecx; mov dword ptr [esp], 000025AAh 1_2_02255DE1
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_007878CE push ecx; mov dword ptr [esp], 00002C7Ch 1_2_007878CF
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078789E push ecx; mov dword ptr [esp], 000021B4h 1_2_0078789F
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078797E push ecx; mov dword ptr [esp], 000025AAh 1_2_0078797F
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078793E push ecx; mov dword ptr [esp], 000036B8h 1_2_0078793F
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078790E push ecx; mov dword ptr [esp], 00008067h 1_2_0078790F

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Executable created and started: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe PE file moved: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File opened: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00406091 IsWindowVisible,IsIconic, 0_2_00406091
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0041C7BA GetParent,GetParent,IsIconic,GetParent, 0_2_0041C7BA
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 0_2_004274CC
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect, 0_2_00407C2E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00406091 IsWindowVisible,IsIconic, 1_2_00406091
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0041C7BA GetParent,GetParent,IsIconic,GetParent, 1_2_0041C7BA
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, 1_2_004274CC
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect, 1_2_00407C2E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality to enumerate running services
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap, 0_2_02235060
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\svchost.exe TID: 5080 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 0_2_0042860E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose, 0_2_004328E6
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 0_2_02233A10
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA, 1_2_0042860E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_004328E6 lstrlenA,FindFirstFileA,FindClose, 1_2_004328E6
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02253A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose, 1_2_02253A10
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043FEAF VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 0_2_0043FEAF
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000002.00000002.499576636.0000021D13460000.00000004.00000001.sdmp Binary or memory string: (@Hyper-V RAW
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.499561895.0000021D13453000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000002.00000002.498003505.0000021D0DE29000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW]F
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.497830166.000001C87DC2A000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow, 0_2_00401D50
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043C70B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043C70B
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043FEAF VirtualProtect ?,-00000001,00000104,? 0_2_0043FEAF
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow, 0_2_00401D50
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02234E10 mov eax, dword ptr fs:[00000030h] 0_2_02234E10
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02233F70 mov eax, dword ptr fs:[00000030h] 0_2_02233F70
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02254E10 mov eax, dword ptr fs:[00000030h] 1_2_02254E10
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02253F70 mov eax, dword ptr fs:[00000030h] 1_2_02253F70
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00780456 mov eax, dword ptr fs:[00000030h] 1_2_00780456
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0078095E mov eax, dword ptr fs:[00000030h] 1_2_0078095E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_007869AE mov eax, dword ptr fs:[00000030h] 1_2_007869AE
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00785B0E mov eax, dword ptr fs:[00000030h] 1_2_00785B0E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02231030 mov eax, dword ptr fs:[00000030h] 1_2_02231030
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_022342E0 GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap, 0_2_022342E0
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_004441B4 SetUnhandledExceptionFilter, 0_2_004441B4
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043C70B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043C70B
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00442881 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00442881
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0044750E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0044750E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_004441B4 SetUnhandledExceptionFilter, 1_2_004441B4
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0043C70B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0043C70B
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_00442881 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00442881
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_0044750E SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0044750E
Source: unlodctr.exe, 00000001.00000002.498416565.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: unlodctr.exe, 00000001.00000002.498416565.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: unlodctr.exe, 00000001.00000002.498416565.0000000000E20000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: unlodctr.exe, 00000001.00000002.498416565.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: unlodctr.exe, 00000001.00000002.498416565.0000000000E20000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00442EEF cpuid 0_2_00442EEF
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: GetLocaleInfoA,LoadLibraryA, 0_2_004130D5
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: GetLocaleInfoA, 0_2_0044B0B2
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: GetLocaleInfoA,LoadLibraryA, 1_2_004130D5
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: GetLocaleInfoA, 1_2_0044B0B2
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00444A8B GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00444A8B
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_00448D4B _strlen,_strlen,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte, 0_2_00448D4B
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_004340AF __EH_prolog3_GS,GetVersionExA,CoInitializeEx,CoCreateInstance, 0_2_004340AF
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000009.00000002.497853652.000002781AC3D000.00000004.00000001.sdmp Binary or memory string: (@\REGISTRY\USER\S-1-5-19ws Defender\MsMpeng.exe
Source: svchost.exe, 00000009.00000002.497900244.000002781AD02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000001.00000002.498518056.0000000002251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498493339.0000000002234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236225902.0000000002231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236214362.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.498077947.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.236259963.0000000002314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0.2.WZ1j9bqSlV.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.unlodctr.exe.2250000.1.unpack, type: UNPACKEDPE
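The behaviour lines above are exported once per process instance, so the same observation appears several times and the API sequences of interest are buried in long "Code function" entries. The following Python script is an added triage helper, not part of this report or of the sandbox vendor's tooling: it dedupes lines in the format used here, splits "Code function" entries into sandbox function ids and API names, tolerates the trailing "Jump to behavior" link text the export appends, and tags the behaviours this report flags (PEB reads via fs:[30h], IsDebuggerPresent, service enumeration, hypervisor device probes, MachineGuid lookups, SecurityCenter WMI enumeration). The sample lines are constructed copies in this report's format; the tag names and the hypervisor vendor list are this example's own.

```python
"""Triage helper for sandbox signature lines (added example, not part of this report)."""
import re
from collections import defaultdict

# Constructed sample in the format this report uses; the first two lines are an
# exact duplicate, and one line keeps the "Jump to behavior" link text the export appends.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043C70B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043C70B",
    r"Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_0043C70B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043C70B",
    r"Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap, 0_2_02235060",
    r"Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe Code function: 0_2_02234E10 mov eax, dword ptr fs:[00000030h] 0_2_02234E10",
    r"Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Code function: 1_2_02254E10 mov eax, dword ptr fs:[00000030h] 1_2_02254E10",
    r"Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior",
    r"Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid",
    r"Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct",
]

LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe) "
    r"(?P<kind>Code function|File opened / queried|Key value queried|WMI Queries): "
    r"(?P<detail>.+?)(?: Jump to behavior)?$"
)
# Sandbox function ids look like <process index>_<run>_<hex address>, e.g. 0_2_0043C70B
ADDR_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8}\b")
# Vendor strings that identify hypervisor-backed devices (list is this example's own assumption)
VM_MARKERS = ("vmware", "necvmwar", "vbox", "virtualbox", "qemu", "xen")
PEB_READ = "fs:[00000030h]"   # TEB -> PEB pointer on 32-bit Windows


def dedupe(lines):
    """Drop exact repeats while keeping first-seen order."""
    seen, out = set(), []
    for ln in lines:
        if ln not in seen:
            seen.add(ln)
            out.append(ln)
    return out


def parse_line(line):
    """Split one behaviour line into process, kind, function ids, API names and tags."""
    m = LINE_RE.match(line)
    if not m:
        return None
    detail = m.group("detail").strip()
    rec = {"proc": m.group("proc"), "kind": m.group("kind"), "detail": detail,
           "addresses": [], "apis": [], "tags": []}
    if rec["kind"] == "Code function":
        rec["addresses"] = sorted(set(ADDR_RE.findall(detail)))
        body = ADDR_RE.sub("", detail).strip()
        if PEB_READ in body:
            rec["tags"].append("peb-read")          # mov eax, fs:[30h], not an API list
        else:
            rec["apis"] = [a for a in (t.strip() for t in body.split(",")) if a]
            if "IsDebuggerPresent" in rec["apis"]:
                rec["tags"].append("anti-debug")
            if "EnumServicesStatusExW" in rec["apis"]:
                rec["tags"].append("service-enum")
    elif rec["kind"] == "File opened / queried":
        if any(mk in detail.lower() for mk in VM_MARKERS):
            rec["tags"].append("vm-device-probe")
    elif rec["kind"] == "Key value queried" and detail.endswith("MachineGuid"):
        rec["tags"].append("host-fingerprint")
    elif rec["kind"] == "WMI Queries" and "SecurityCenter" in detail:
        rec["tags"].append("av-enumeration")
    return rec


def summarize(lines):
    """Aggregate parsed lines per process: API set, function ids, tags, WMI and registry details."""
    per_proc = defaultdict(lambda: {"apis": set(), "addresses": set(), "tags": set(),
                                    "wmi": [], "registry": []})
    for ln in dedupe(lines):
        rec = parse_line(ln)
        if rec is None:
            continue
        p = per_proc[rec["proc"]]
        p["apis"].update(rec["apis"])
        p["addresses"].update(rec["addresses"])
        p["tags"].update(rec["tags"])
        if rec["kind"] == "WMI Queries":
            p["wmi"].append(rec["detail"])
        elif rec["kind"] == "Key value queried":
            p["registry"].append(rec["detail"])
    return dict(per_proc)


if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_LINES).items():
        print(proc)
        print("  tags:", ", ".join(sorted(info["tags"])) or "-")
        print("  apis:", ", ".join(sorted(info["apis"])) or "-")
```

Feed it the full "Source:" lines of a report instead of SAMPLE_LINES to get one API set and tag list per process; the per-process function ids are the addresses to open first in a disassembler when unpacking the sample. Memory-string lines ("Binary or memory string:") name a dump rather than a process path and are deliberately skipped.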