
Analysis Report WZ1j9bqSlV

Overview

General Information

Sample Name: WZ1j9bqSlV (renamed file extension from none to exe)
Analysis ID: 317623
MD5: e320c9dcc1512107fc6bc5e8b71d27d3
SHA1: 171b4e36060d479c7e052d737cb7d1148f1c2613
SHA256: f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb

Detection

Emotet
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files to the windows directory (C:\Windows)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • WZ1j9bqSlV.exe (PID: 3220 cmdline: 'C:\Users\user\Desktop\WZ1j9bqSlV.exe' MD5: E320C9DCC1512107FC6BC5E8B71D27D3)
    • unlodctr.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe MD5: E320C9DCC1512107FC6BC5E8B71D27D3)
  • svchost.exe (PID: 5380 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6172 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6248 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6332 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6388 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6420 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5316 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.498518056.0000000002251000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.498493339.0000000002234000.00000004.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.236225902.0000000002231000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000000.00000002.236214362.0000000002220000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000001.00000002.498077947.0000000000780000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.WZ1j9bqSlV.exe.2230000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
1.2.unlodctr.exe.2250000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: WZ1j9bqSlV.exe | Virustotal: Detection: 52%
Source: WZ1j9bqSlV.exe | Metadefender: Detection: 40%
Source: WZ1j9bqSlV.exe | ReversingLabs: Detection: 58%
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02252330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,1_2_02252330
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,1_2_02252730
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02252010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree,1_2_02252010
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,0_2_0042860E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose,0_2_004328E6
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,0_2_02233A10
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,1_2_0042860E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_004328E6 lstrlenA,FindFirstFileA,FindClose,1_2_004328E6
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02253A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,1_2_02253A10

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.5:49718 -> 27.78.27.110:443
Source: Traffic | Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.5:49727 -> 81.241.22.161:20
Source: Traffic | Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.5:49736 -> 91.121.200.35:8080
Source: global traffic | TCP traffic: 192.168.2.5:49727 -> 81.241.22.161:20
Source: global traffic | TCP traffic: 192.168.2.5:49736 -> 91.121.200.35:8080
Source: Joe Sandbox View | IP Address: 91.121.200.35
Source: Joe Sandbox View | ASN Name: VIETEL-AS-APViettelGroupVN
Source: Joe Sandbox View | ASN Name: PROXIMUS-ISP-ASBE
Source: Joe Sandbox View | ASN Name: OVHFR
Source: global traffic | TCP traffic: 192.168.2.5:49718 -> 27.78.27.110:443
Source: global traffic | HTTP traffic detected:
    POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 91.121.200.35/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0Jw
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 91.121.200.35:8080
    Content-Length: 4564
    Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown | TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown | TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02252A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,1_2_02252A80
Source: unknown | HTTP traffic detected:
    POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    DNT: 1
    Connection: keep-alive
    Referer: 91.121.200.35/
    Upgrade-Insecure-Requests: 1
    Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0Jw
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 91.121.200.35:8080
    Content-Length: 4564
    Cache-Control: no-cache
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/77)
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000003.375609039.0000000002A11000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp | String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp | String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/a
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/em32
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp | String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/n
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/%
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp | String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/u
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000002.00000002.499728768.0000021D13630000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000002.306481032.000001963403A000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmpString found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
                Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                Source: svchost.exe, 00000007.00000002.306481032.000001963403A000.00000004.00000001.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmpString found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
                Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
                Source: unlodctr.exe, 00000001.00000002.498130310.000000000079A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00424554 GetKeyState,GetKeyState,GetKeyState
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_00424554 GetKeyState,GetKeyState,GetKeyState
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow

                E-Banking Fraud:

                Yara detected Emotet
                Source: Yara match | File source: 00000001.00000002.498518056.0000000002251000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.498493339.0000000002234000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.236225902.0000000002231000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.236214362.0000000002220000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000001.00000002.498077947.0000000000780000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.236259963.0000000002314000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 0.2.WZ1j9bqSlV.exe.2230000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 1.2.unlodctr.exe.2250000.1.unpack, type: UNPACKEDPE
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | File created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | File deleted: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0043E223
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0044E361
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0040C634
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0043EA03
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0044CAE5
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0043EE23
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0044D1DD
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0044360B
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0043DD4E
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02238180
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02237590
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02231C70
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0043E223
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0044E361
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0040C634
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0043EA03
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0044CAE5
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0043EE23
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0044D1DD
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0044360B
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0043DD4E
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02258180
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02257590
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02251C70
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0078912E
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0078380E
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_00789D1E
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: String function: 0043D4FB appears 236 times
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: String function: 0043D52E appears 47 times
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: String function: 0041CD0D appears 36 times
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: String function: 0043D1FC appears 60 times
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: String function: 0043D4FB appears 236 times
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: String function: 0043D52E appears 47 times
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: String function: 0041CD0D appears 36 times
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: String function: 0043D1FC appears 60 times
                Source: WZ1j9bqSlV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: WZ1j9bqSlV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: WZ1j9bqSlV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: WZ1j9bqSlV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: WZ1j9bqSlV.exe, 00000000.00000002.235513271.0000000000470000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
                Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs WZ1j9bqSlV.exe
                Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WZ1j9bqSlV.exe
                Source: WZ1j9bqSlV.exe, 00000000.00000002.236832361.0000000002A70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs WZ1j9bqSlV.exe
                Source: WZ1j9bqSlV.exe | Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
                Source: C:\Windows\System32\svchost.exe | Section loaded: xboxlivetitleid.dll
                Source: C:\Windows\System32\svchost.exe | Section loaded: cdpsgshims.dll
                Source: classification engine | Classification label: mal76.troj.evad.winEXE@14/5@0/4
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00417BCC __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02238730 OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02254CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_004340AF __EH_prolog3_GS,GetVersionExA,CoInitializeEx,CoCreateInstance
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00416858 FindResourceA,LoadResource,LockResource,FreeResource
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap
                Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3000:120:WilError_01
                Source: WZ1j9bqSlV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | File read: C:\Users\desktop.ini
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                Source: WZ1j9bqSlV.exe | Virustotal: Detection: 52%
                Source: WZ1j9bqSlV.exe | Metadefender: Detection: 40%
                Source: WZ1j9bqSlV.exe | ReversingLabs: Detection: 58%
                Source: unknown | Process created: C:\Users\user\Desktop\WZ1j9bqSlV.exe 'C:\Users\user\Desktop\WZ1j9bqSlV.exe'
                Source: unknown | Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                Source: unknown | Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                Source: unknown | Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
                Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
                Source: unknown | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
                Source: C:\Windows\System32\svchost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                Source: WZ1j9bqSlV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: WZ1j9bqSlV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: WZ1j9bqSlV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: WZ1j9bqSlV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: WZ1j9bqSlV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow
                Source: WZ1j9bqSlV.exe | Static PE information: real checksum: 0x958ba should be: 0x8ef7a
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0043D241 push ecx; ret 0_2_0043D254
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0043D5D3 push ecx; ret 0_2_0043D5E6
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235E70 push ecx; mov dword ptr [esp], 00008D73h 0_2_02235E71
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235E40 push ecx; mov dword ptr [esp], 0000AEA2h 0_2_02235E41
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 00007473h 0_2_02235EA1
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E2ADh 0_2_02235F21
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235F70 push ecx; mov dword ptr [esp], 000084ADh 0_2_02235F71
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235FB0 push ecx; mov dword ptr [esp], 0000460Eh 0_2_02235FB1
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235D30 push ecx; mov dword ptr [esp], 00002C7Ch 0_2_02235D31
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235D00 push ecx; mov dword ptr [esp], 000021B4h 0_2_02235D01
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235D70 push ecx; mov dword ptr [esp], 00008067h 0_2_02235D71
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235DA0 push ecx; mov dword ptr [esp], 000036B8h 0_2_02235DA1
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_02235DE0 push ecx; mov dword ptr [esp], 000025AAh 0_2_02235DE1
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0043D241 push ecx; ret | 1_2_0043D254
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0043D5D3 push ecx; ret | 1_2_0043D5E6
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255E70 push ecx; mov dword ptr [esp], 00008D73h | 1_2_02255E71
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255E40 push ecx; mov dword ptr [esp], 0000AEA2h | 1_2_02255E41
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255EA0 push ecx; mov dword ptr [esp], 00007473h | 1_2_02255EA1
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255F20 push ecx; mov dword ptr [esp], 0000E2ADh | 1_2_02255F21
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255F70 push ecx; mov dword ptr [esp], 000084ADh | 1_2_02255F71
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255FB0 push ecx; mov dword ptr [esp], 0000460Eh | 1_2_02255FB1
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255D30 push ecx; mov dword ptr [esp], 00002C7Ch | 1_2_02255D31
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255D00 push ecx; mov dword ptr [esp], 000021B4h | 1_2_02255D01
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255D70 push ecx; mov dword ptr [esp], 00008067h | 1_2_02255D71
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255DA0 push ecx; mov dword ptr [esp], 000036B8h | 1_2_02255DA1
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_02255DE0 push ecx; mov dword ptr [esp], 000025AAh | 1_2_02255DE1
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_007878CE push ecx; mov dword ptr [esp], 00002C7Ch | 1_2_007878CF
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0078789E push ecx; mov dword ptr [esp], 000021B4h | 1_2_0078789F
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0078797E push ecx; mov dword ptr [esp], 000025AAh | 1_2_0078797F
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0078793E push ecx; mov dword ptr [esp], 000036B8h | 1_2_0078793F
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0078790E push ecx; mov dword ptr [esp], 00008067h | 1_2_0078790F

                Persistence and Installation Behavior:

                Drops executables to the windows directory (C:\Windows) and starts them
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Executable created and started: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | PE file moved: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | File opened: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier | read attributes | delete
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00406091 IsWindowVisible,IsIconic, | 0_2_00406091
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_0041C7BA GetParent,GetParent,IsIconic,GetParent, | 0_2_0041C7BA
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, | 0_2_004274CC
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Code function: 0_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect, | 0_2_00407C2E
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_00406091 IsWindowVisible,IsIconic, | 1_2_00406091
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_0041C7BA GetParent,GetParent,IsIconic,GetParent, | 1_2_0041C7BA
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA, | 1_2_004274CC
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Code function: 1_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect, | 1_2_00407C2E
                Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe | Process information set: NOOPENFILEERRORBOX