Windows Analysis Report
ILQ18dgzMU.exe

Overview

General Information

Sample name: ILQ18dgzMU.exe
renamed because original name is a hash value
Original sample name: a153080f9a968b6488cf1cf2e2ea78a3.exe
Analysis ID: 1565415
MD5: a153080f9a968b6488cf1cf2e2ea78a3
SHA1: 6537f18fb326bcb4d7fc503c40b7bb21a136f560
SHA256: e0989c99125dbc5957c7ecdfdc37ff6b7f31f2979531f3fb8747127243f28b7d
Tags: exe, Gh0stRAT, user-abuse_ch

Detection

GhostRat, Nitol
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GhostRat
Yara detected Nitol
AI detected suspicious sample
Checks if browser processes are running
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Drops executables to the windows directory (C:\Windows) and starts them
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Delete All Scheduled Tasks
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to clear windows event logs (to hide its activities)
Contains functionality to delete services
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: ILQ18dgzMU.exe Avira: detected
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Avira: detection malicious, Label: BDS/Agent.IR
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe ReversingLabs: Detection: 94%
Source: ILQ18dgzMU.exe ReversingLabs: Detection: 94%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Joe Sandbox ML: detected
Source: ILQ18dgzMU.exe Joe Sandbox ML: detected
Source: ILQ18dgzMU.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 0_2_100014B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_10008880
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 0_2_10009090
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 0_2_10008CE0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 0_2_100086B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10008FD0 FindFirstFileA,FindClose,FindClose, 0_2_10008FD0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 32_2_10008880
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 32_2_10009090
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 32_2_10001A20
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 32_2_100014B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 32_2_10008CE0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 32_2_100086B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10008FD0 FindFirstFileA,FindClose,FindClose, 32_2_10008FD0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100084F0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen, 0_2_100084F0

Networking

Source: Network traffic Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.4:49736 -> 172.65.190.172:8000
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:49736 -> 172.65.190.172:8000
Source: Network traffic Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.4:49917 -> 172.65.190.172:8000
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:49917 -> 172.65.190.172:8000
Source: Network traffic Suricata IDS: 2013214 - Severity 1 - ET MALWARE Gh0st Remote Access Trojan Encrypted Session To CnC Server : 192.168.2.4:50004 -> 172.65.190.172:8000
Source: Network traffic Suricata IDS: 2016922 - Severity 1 - ET MALWARE Backdoor family PCRat/Gh0st CnC traffic : 192.168.2.4:50004 -> 172.65.190.172:8000
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000B880 Sleep,wsprintfA,GetTickCount,GetTickCount,wsprintfA,URLDownloadToFileA,GetTempPathA,fopen,fscanf,fscanf,GetTickCount,wsprintfA,GetTickCount,wsprintfA,URLDownloadToFileA,ShellExecuteA,fscanf,fclose,DeleteFileA,Sleep, 0_2_1000B880
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
Source: global traffic DNS traffic detected: DNS query: www.wk1888.com
Source: global traffic DNS traffic detected: DNS query: www.af0575.com
Source: global traffic DNS traffic detected: DNS query: www.fz0575.com
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000FBB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 0_2_1000FBB0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1000FBB0 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard, 32_2_1000FBB0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000FC20 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,??2@YAPAXI@Z,GlobalUnlock,CloseClipboard,??3@YAXPAX@Z, 0_2_1000FC20

E-Banking Fraud

Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command 0_2_1000A840
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: RegOpenKeyExA,RegQueryValueA,RegCloseKey,Sleep,lstrlen,strstr,lstrcpy,CreateProcessA, Applications\iexplore.exe\shell\open\command 32_2_1000A840
Source: at.exe Process created: 50

System Summary

Source: dump.pcap, type: PCAP Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st Author: https://github.com/jackcr/
Source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st Author: https://github.com/jackcr/
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10002920 NtdllDefWindowProc_A, 0_2_10002920
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10002920 NtdllDefWindowProc_A, 32_2_10002920
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10010E20 OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,DeleteService,RegDeleteKeyA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,ControlService,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,ChangeServiceConfigA,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep, 0_2_10010E20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100121A0 ExitWindowsEx, 0_2_100121A0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000B280 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx, 0_2_1000B280
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100121A0 ExitWindowsEx, 32_2_100121A0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1000B280 _strrev,_strrev,_strrev,GetVersionExA,ExitWindowsEx, 32_2_1000B280
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\SysWOW64\Default
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\SysWOW64\579E5A5B VVVVVVrr2unw==
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10051547 32_2_10051547
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1003AD40 32_2_1003AD40
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10042D50 32_2_10042D50
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10041D60 32_2_10041D60
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10038D70 32_2_10038D70
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10039570 32_2_10039570
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1001EDA0 32_2_1001EDA0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1001E5B0 32_2_1001E5B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10039DB0 32_2_10039DB0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10023DC0 32_2_10023DC0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10065DC0 32_2_10065DC0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100155CE 32_2_100155CE
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1003C5F0 32_2_1003C5F0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1003D600 32_2_1003D600
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10066620 32_2_10066620
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10067E30 32_2_10067E30
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10034E50 32_2_10034E50
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1004B650 32_2_1004B650
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10040660 32_2_10040660
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10058E70 32_2_10058E70
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10064E80 32_2_10064E80
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10015EA0 32_2_10015EA0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100646B0 32_2_100646B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10047EF0 32_2_10047EF0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10041F20 32_2_10041F20
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1001CF30 32_2_1001CF30
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1003B730 32_2_1003B730
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10029750 32_2_10029750
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10053766 32_2_10053766
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10054F6A 32_2_10054F6A
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10038770 32_2_10038770
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10051F79 32_2_10051F79
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10016F80 32_2_10016F80
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10044F80 32_2_10044F80
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10043F90 32_2_10043F90
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10037FA0 32_2_10037FA0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100427B0 32_2_100427B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1002FFC0 32_2_1002FFC0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1001DFE0 32_2_1001DFE0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10036FE0 32_2_10036FE0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_1002CFF0 32_2_1002CFF0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10045FF0 32_2_10045FF0
Source: ILQ18dgzMU.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: dump.pcap, type: PCAP Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st author = https://github.com/jackcr/
Source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: gh0st author = https://github.com/jackcr/
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@64/4@6/1
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10012110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, 0_2_10012110
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10012110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,CloseHandle, 32_2_10012110
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100084F0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen, 0_2_100084F0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 0_2_100018A0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10019900 CoCreateInstance,SysFreeString, 0_2_10019900
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100098B0 CloseHandle,CreateThread,??2@YAPAXI@Z,FindResourceA,LoadResource,LockResource,??3@YAXPAX@Z, 0_2_100098B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10010E20 OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,DeleteService,RegDeleteKeyA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,ControlService,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,ChangeServiceConfigA,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep, 0_2_10010E20
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Mutant created: \Sessions\1\BaseNamedObjects\AAAAAA9PT0vfT4rqenp70A/Pqpp6+vr58= BBBBBB9PT0vf4Fr7K0sr0A/Pqpp6+vr58= CCCCCC9PT0vQXpr7K0sr0A/Pqpp6+vr58= GGGGGG4wIF/vL7858= XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
Source: ILQ18dgzMU.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ILQ18dgzMU.exe ReversingLabs: Detection: 94%
Source: ILQ18dgzMU.exe String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
Source: svchsot.exe String found in binary or memory: cmd.exe /c net user guest /active:yes && net user guest %s && net localgroup administrators guest /add
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File read: C:\Users\user\Desktop\ILQ18dgzMU.exe
Source: unknown Process created: C:\Users\user\Desktop\ILQ18dgzMU.exe "C:\Users\user\Desktop\ILQ18dgzMU.exe"
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\JH.BAT""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net start "Task Scheduler"
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Task Scheduler"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: unknown Process created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe "C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe"
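The JH.BAT chain listed above (a wildcard `schtasks /delete /tn * /f`, re-enabling and starting the Schedule service, then 25 hourly `at` jobs for a svchost.exe look-alike stored in a directory with a base64-padded name under C:\Windows) and the guest-account string found in the binary (`net user guest /active:yes && ... && net localgroup administrators guest /add`) are both high-signal in process-creation telemetry. The following Python is an added example written for this page, not code from the sandbox vendor or from the sample: it runs a few detection rules over constructed Sysmon-style process-creation events that mirror the process tree above. The PIDs, parent/child layout, the benign control rows, the password substituted for the binary's `%s` placeholder, the list of imitated system binaries and the thresholds are all assumptions made for the example.

```python
"""
Added detection example for the JH.BAT persistence chain and the guest-account
command seen in this report. Runs a handful of rules over constructed
Sysmon-style process-creation events; none of this is sandbox or sample code.
"""
import re
from collections import defaultdict

# Constructed events modelled on the process tree in the report. PIDs, the
# parent/child layout, the benign control rows and the password used in place
# of the binary's "%s" placeholder are all made up for this example.
DROP_DIR = r"C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw=="
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 3988, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf'C:\Windows\system32\cmd.exe /c ""{DROP_DIR}\JH.BAT""'},
    {"pid": 4112, "ppid": 4100, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": "schtasks /delete /tn * /f"},
    {"pid": 4120, "ppid": 4100, "image": r"C:\Windows\SysWOW64\sc.exe",
     "cmdline": "sc config Schedule start= auto"},
    {"pid": 4130, "ppid": 4100, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net start "Task Scheduler"'},
    # 25 hourly jobs, 0:00 .. 24:00, exactly as JH.BAT issues them
    *[{"pid": 4200 + h, "ppid": 4100, "image": r"C:\Windows\SysWOW64\at.exe",
       "cmdline": rf"At {h}:00 {DROP_DIR}\svchsot.exe"} for h in range(25)],
    # the guest-account command embedded in the binary, with an invented password
    {"pid": 4300, "ppid": 3988, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": "cmd.exe /c net user guest /active:yes && net user guest Passw0rd! "
                "&& net localgroup administrators guest /add"},
    {"pid": 4400, "ppid": 1100, "image": rf"{DROP_DIR}\svchsot.exe",
     "cmdline": rf'"{DROP_DIR}\svchsot.exe"'},
    # benign control rows: a real svchost.exe and a targeted task deletion
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 5010, "ppid": 5001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /delete /tn MyBackup /f"},
]

# Assumption: a short illustrative list of names malware likes to imitate.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe"}

RE_SCHTASKS_WIPE = re.compile(r"/delete\b.*?/tn\s+\*", re.I)
RE_AT_JOB = re.compile(r"^\s*at(?:\.exe)?\s+\d{1,2}:\d{2}\s+(.+?)\s*$", re.I)
RE_GUEST_ENABLE = re.compile(r"net1?\s+user\s+guest\s+/active:yes", re.I)
RE_ADMIN_ADD = re.compile(r"net1?\s+localgroup\s+administrators\s+\S+\s+/add", re.I)
# A directory directly under C:\Windows whose name ends in base64 padding.
RE_ENCODED_DIR = re.compile(r"c:\\windows\\[^\\\"]*==\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def levenshtein(a, b):
    """Plain edit distance; the svchsot/svchost transposition costs 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_system_binary(name, max_distance=2):
    """Return the imitated binary name if `name` is a near miss of one, else None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    dist, real = min((levenshtein(name, real), real) for real in SYSTEM_BINARIES)
    return real if dist <= max_distance else None


def check_event(ev):
    """Single-event rules; returns a list of (rule, detail) pairs."""
    image, cmd = basename(ev["image"]), ev["cmdline"]
    findings = []
    if image == "schtasks.exe" and RE_SCHTASKS_WIPE.search(cmd):
        findings.append(("schtasks_wildcard_delete", cmd))
    if RE_GUEST_ENABLE.search(cmd) or RE_ADMIN_ADD.search(cmd):
        findings.append(("guest_account_abuse", cmd))
    enc = RE_ENCODED_DIR.search(cmd)
    if enc:
        findings.append(("encoded_dir_under_windows", enc.group(0)))
    # Names checked against the system-binary list: the image itself and,
    # for at.exe, the program it schedules.
    candidates = [ev["image"]]
    if image == "at.exe":
        m = RE_AT_JOB.match(cmd)
        if m:
            candidates.append(m.group(1))
    for path in candidates:
        fake = lookalike_system_binary(basename(path))
        if fake:
            findings.append(("lookalike_system_binary", f"{path} imitates {fake}"))
    return findings


def hourly_at_persistence(events, min_jobs=6):
    """Flag a parent that schedules the same program many times with at.exe."""
    counts = defaultdict(int)
    for ev in events:
        if basename(ev["image"]) == "at.exe":
            m = RE_AT_JOB.match(ev["cmdline"])
            if m:
                counts[(ev["ppid"], m.group(1))] += 1
    return [("hourly_at_persistence", ppid, target, n)
            for (ppid, target), n in counts.items() if n >= min_jobs]


def analyze(events):
    """Return one alert dict per finding across all events."""
    alerts = [{"rule": rule, "pid": ev["pid"], "detail": detail}
              for ev in events for rule, detail in check_event(ev)]
    for rule, ppid, target, n in hourly_at_persistence(events):
        alerts.append({"rule": rule, "pid": ppid,
                       "detail": f"{n} at.exe jobs for {target}"})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a['rule']}] pid={a['pid']} {a['detail']}")
```

The `sc config Schedule start= auto` and `net start "Task Scheduler"` rows deliberately raise nothing on their own: they are legitimate administration and only become interesting as the middle of this chain, which is why the example correlates the `at.exe` jobs by parent PID rather than alerting on each one.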
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: avicap32.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: msvfw32.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: cryptdll.dll
(The six at.exe entries above appear 22 times in this listing, one identical set per at.exe instance; the repeats are omitted.)
Source: C:\Windows\SysWOW64\at.exe Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: msv1_0.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: ntlmshared.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: schedcli.dll
Source: C:\Windows\SysWOW64\at.exe Section loaded: netutils.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: apphelp.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: wininet.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: avicap32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: msvfw32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: winmm.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: urlmon.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: iertutil.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: srvcli.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: netutils.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: msvcp60.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: netapi32.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: samcli.dll
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_00401301 IsBadReadPtr,LoadLibraryA,GetProcAddress, 0_2_00401301
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_00404620 push eax; ret 0_2_0040464E
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100699B0 push eax; ret 0_2_100699DE
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100FAA45 push edi; ret 0_2_100FAA46
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10026E51 push cs; ret 0_2_10026E52
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100699B0 push eax; ret 32_2_100699DE
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100FAA45 push edi; ret 32_2_100FAA46
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10026E51 push cs; ret 32_2_10026E52

Persistence and Installation Behavior

Source: unknown Executable created and started: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe File created: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
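The dropped file above combines two masquerading tricks: a file name two letters away from svchost.exe and a drop directory directly under C:\Windows whose name carries base64-style padding. The following is an added example, not part of the sandbox report or of the sample, that checks a dropped path for both; the path under test is the one the report records, while the allow-list of system binaries and their legitimate directories is an assumption chosen for illustration.

```python
"""Added example, not part of the sandbox report or the sample: check a
dropped file path for (a) a file name that is a near-miss of a Windows
system binary and (b) a drop location outside where that binary belongs.
The path under test is the one the report records; the allow-list of
binaries and their directories is an assumption chosen for illustration."""
import ntpath
import re

# Assumed allow-list (illustrative, not exhaustive): lower-case binary name
# mapped to the directories in which it legitimately runs.
KNOWN_SYSTEM_BINARIES = {
    "svchost.exe": {"c:\\windows\\system32", "c:\\windows\\syswow64"},
    "lsass.exe": {"c:\\windows\\system32"},
    "csrss.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character inserts, deletes and
    substitutions needed to turn a into b. Two substitutions cover the
    adjacent-letter swap in svchsot.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def assess_dropped_file(path):
    """Return a list of findings for one dropped file; empty means nothing odd."""
    lowered = path.lower()
    name = ntpath.basename(lowered)
    directory = ntpath.dirname(lowered)
    findings = []
    for legit, locations in KNOWN_SYSTEM_BINARIES.items():
        if name == legit:
            if directory not in locations:
                findings.append(f"{legit} outside its normal directory: {directory}")
        elif 0 < edit_distance(name, legit) <= 2:
            findings.append(f"{name} is a lookalike of {legit}")
    # Windows components never live in directories whose names carry
    # base64-style padding or other shell-unfriendly characters.
    if re.search(r"[=+/]", directory):
        findings.append(f"unusual characters in directory name: {directory}")
    return findings


if __name__ == "__main__":
    for p in (r"C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe",
              r"C:\Windows\System32\svchost.exe",
              r"C:\Users\user\AppData\Local\svchost.exe"):
        print(p, "->", assess_dropped_file(p) or "ok")
```

Run against the report's path this yields two findings (lookalike name, unusual directory); the genuine System32 svchost.exe yields none, and a correctly named svchost.exe in a user profile yields one (wrong directory). The distance threshold of 2 is deliberately tight: wider thresholds start matching unrelated short names.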

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /f
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10010E20 OpenSCManagerA,OpenServiceA,QueryServiceStatus,ControlService,Sleep,DeleteService,RegDeleteKeyA,OpenSCManagerA,OpenServiceA,StartServiceA,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,LockServiceDatabase,OpenSCManagerA,OpenServiceA,ControlService,CloseServiceHandle,OpenSCManagerA,OpenServiceA,LockServiceDatabase,ChangeServiceConfigA,UnlockServiceDatabase,CloseServiceHandle,CloseServiceHandle,Sleep, 0_2_10010E20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run XXXXXX579E5A5B VVVVVVrr2unw==
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000A660 OpenEventLogA,ClearEventLogA,OpenEventLogA,ClearEventLogA,CloseEventLog, 0_2_1000A660
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
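The boot-survival chain is distinctive as a sequence rather than as any single command: schtasks /delete /tn * /f wipes every existing task, sc config Schedule start= auto and net start "Task Scheduler" make sure the legacy scheduler is running, and the 24 hourly at.exe jobs listed under Malware Analysis System Evasion relaunch the dropped svchsot.exe as SYSTEM. The following is an added example, not part of the sandbox report or the sample, that scores a window of process-creation events for that chain. The event tuples are constructed from the command lines in the report; the event shape, the thresholds and the weights are assumptions for illustration.

```python
"""Added example, not part of the sandbox report or the sample: score a
window of process-creation events for the boot-survival chain recorded
above (wipe every scheduled task, force the Schedule service to
auto-start, start it, then register hourly at.exe jobs that relaunch the
dropped binary). The event tuples are constructed from the command lines
in the report; the event shape, the thresholds and the weights are
assumptions for illustration."""
import re
from collections import Counter

# Constructed events as (parent image, child image, command line).
CHAIN_EVENTS = [
    ("cmd.exe", "schtasks.exe", "schtasks /delete /tn * /f"),
    ("cmd.exe", "sc.exe", "sc config Schedule start= auto"),
    ("cmd.exe", "net.exe", 'net start "Task Scheduler"'),
] + [
    ("cmd.exe", "at.exe",
     f"At {hour}:00 C:\\Windows\\XXXXXX579E5A5B VVVVVVrr2unw==\\svchsot.exe")
    for hour in range(24)
]

# Constructed benign event: an administrator's single at.exe job.
BENIGN_EVENTS = [("cmd.exe", "at.exe", "At 3:00 C:\\Windows\\System32\\backup.cmd")]


def classify(event):
    """Map one process-creation event to a list of technique tags."""
    _parent, image, cmdline = event
    image, cl = image.lower(), cmdline.lower()
    tags = []
    # schtasks /delete /tn * /f removes every task, including security
    # and backup jobs; no legitimate installer does this.
    if image == "schtasks.exe" and "/delete" in cl and re.search(r"/tn\s+\*", cl):
        tags.append("task_wipe")
    if image == "sc.exe" and "config" in cl and "schedule" in cl and "start=" in cl:
        tags.append("schedule_svc_autostart")
    if image in ("net.exe", "net1.exe") and "start" in cl and "task scheduler" in cl:
        tags.append("schedule_svc_start")
    if image == "at.exe":
        m = re.match(r"at\s+\d{1,2}:\d{2}\s+(.+)$", cl)
        if m:
            tags.append("at_job")
            target = m.group(1).strip().strip('"')
            # at.exe jobs run as SYSTEM; a target under C:\Windows that is
            # not in System32/SysWOW64 matches the drop location seen here.
            if (target.startswith("c:\\windows\\")
                    and not re.match(r"c:\\windows\\(system32|syswow64)\\", target)):
                tags.append("at_job_windows_subdir")
    return tags


def score_chain(events):
    """Return (score, tag counts) for a window of events; 100 is the maximum."""
    counts = Counter(tag for event in events for tag in classify(event))
    score = 0
    if counts["task_wipe"]:
        score += 40
    if counts["schedule_svc_autostart"] and counts["schedule_svc_start"]:
        score += 20
    if counts["at_job"] >= 12:          # hourly relaunch, far beyond admin use
        score += 20
    if counts["at_job_windows_subdir"]:
        score += 20
    return score, counts


if __name__ == "__main__":
    print(score_chain(CHAIN_EVENTS))    # (100, Counter(...))
    print(score_chain(BENIGN_EVENTS))   # (0, Counter({'at_job': 1}))
```

The task wipe alone carries the largest weight because it is destructive and has no benign installer use, whereas a single at.exe job pointing into System32 scores nothing. In production the window would be the events of one parent cmd.exe or one session rather than the whole log, and the Run key write to HKLM\...\CurrentVersion\Run seen above would be correlated from registry events in the same window.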

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10002410 0_2_10002410
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10002410 32_2_10002410
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001800 in eax, dx 0_2_10001800
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 0_2_100018A0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 0_2_100108F0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: OpenSCManagerA,OutputDebugStringA,LocalAlloc,LocalAlloc,EnumServicesStatusA,LocalAlloc,lstrlen,LocalAlloc,OpenServiceA,LocalAlloc,QueryServiceConfigA,lstrcat,lstrcat,lstrcat,lstrcat,wsprintfA,wsprintfA,wsprintfA,wsprintfA,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,LocalSize,LocalReAlloc,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,lstrlen,CloseServiceHandle,LocalFree,CloseServiceHandle,LocalReAlloc, 32_2_100108F0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Window / User API: threadDelayed 1194
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Window / User API: threadDelayed 379
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Window / User API: threadDelayed 7127
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe API coverage: 1.5 %
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10002410 0_2_10002410
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10002410 32_2_10002410
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 Thread sleep count: 1194 > 30
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 Thread sleep time: -214920000s >= -30000s (1194 Sleep(180000 ms) calls, 214,920,000 ms accumulated; the report prints the interval as a negative relative value)
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7400 Thread sleep count: 379 > 30
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 Thread sleep count: 7127 > 30
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe TID: 7388 Thread sleep time: -1282860000s >= -30000s (7127 Sleep(180000 ms) calls, 1,282,860,000 ms accumulated)
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 0_2_100014B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_10008880
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 0_2_10009090
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 0_2_10008CE0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 0_2_100086B0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10008FD0 FindFirstFileA,FindClose,FindClose, 0_2_10008FD0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10008880 wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 32_2_10008880
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10009090 FindFirstFileA,FindClose,CreateFileA,CloseHandle, 32_2_10009090
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 32_2_10001A20
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100014B0 GetSystemDirectoryA,FindFirstFileA,CreateFileA,ReadFile,wsprintfA,wsprintfA,CloseHandle,wsprintfA,lstrlen,lstrlen,wsprintfA,lstrlen, 32_2_100014B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10008CE0 lstrlen,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,wsprintfA,??2@YAPAXI@Z,??3@YAXPAX@Z,wsprintfA,FindNextFileA,FindClose, 32_2_10008CE0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_100086B0 LocalAlloc,wsprintfA,FindFirstFileA,LocalReAlloc,lstrlen,FindNextFileA,LocalFree,FindClose, 32_2_100086B0
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe Code function: 32_2_10008FD0 FindFirstFileA,FindClose,FindClose, 32_2_10008FD0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100084F0 GetLogicalDriveStringsA,GetVolumeInformationA,SHGetFileInfo,lstrlen,lstrlen,lstrlen,GetDiskFreeSpaceExA,GetDriveTypeA,lstrlen, 0_2_100084F0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001600 Sleep,GetTickCount,GetVersionExA,getsockname,GetSystemInfo,GlobalMemoryStatus, 0_2_10001600
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Thread delayed: delay time: 180000
Source: ILQ18dgzMU.exe, 00000000.00000002.4082758555.000000000047E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllV ("Hyper-V RAW" is the name of the built-in Winsock Hyper-V socket provider in mswsock.dll and shows up in any process that touches the Winsock catalog; on its own it is weak evidence of a VM check, unlike the in eax, dx port probe at 0_2_10001800)
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe API call chain: ExitProcess graph end node (reported 6 times)
Source: C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe API call chain: ExitProcess graph end node (reported 3 times)
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000F8D0 SendMessageA,SystemParametersInfoA,Sleep,SystemParametersInfoA,SendMessageA,SystemParametersInfoA,SendMessageA,BlockInput,BlockInput, 0_2_1000F8D0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_100018A0 wsprintfA,CreateToolhelp32Snapshot,Process32First,_strcmpi,GetCurrentProcessId,OpenProcess,GetModuleFileNameExA,K32GetModuleFileNameExA,_strcmpi,CloseHandle,Process32Next,CloseHandle, 0_2_100018A0
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_00401301 IsBadReadPtr,LoadLibraryA,GetProcAddress, 0_2_00401301
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_00401000 VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualAlloc,VirtualAlloc, 0_2_00401000
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_1000F9D0 mouse_event,SetCursorPos,WindowFromPoint,SetCapture,MapVirtualKeyA,keybd_event,MapVirtualKeyA,keybd_event,mouse_event,mouse_event, 0_2_1000F9D0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /tn * /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\sc.exe sc config Schedule start= auto
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net start "Task Scheduler"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 0:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 1:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 2:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 3:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 4:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 5:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 6:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 7:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 8:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 9:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 10:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 11:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 12:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 13:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 14:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 15:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 16:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 17:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 18:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 19:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 20:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 21:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 22:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 23:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\at.exe At 24:00 C:\Windows\XXXXXX579E5A5B VVVVVVrr2unw==\svchsot.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 start "Task Scheduler"
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10026D20 cpuid 0_2_10026D20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10001A20 GetSystemDirectoryA,wsprintfA,wsprintfA,CreateFileA,CloseHandle,Sleep,Sleep,FindFirstFileA,GetCurrentDirectoryA,strstr,Sleep,GetVersionExA,GetSystemDefaultLCID,Sleep,Sleep,Sleep,GetLocalTime,wsprintfA,_mkdir,Sleep,GetModuleFileNameA,CopyFileA,wsprintfA,wsprintfA,BeginUpdateResourceA,UpdateResourceA,EndUpdateResourceA,CloseHandle,Sleep,ShellExecuteA,Sleep,GetWindowsDirectoryA,wsprintfA,wsprintfA,_mkdir,_mkdir,_mkdir,_mkdir,URLDownloadToFileA,Sleep,ShellExecuteA,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA,Sleep,URLDownloadToFileA,Sleep,ShellExecuteA, 0_2_10001A20
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_10007200 LookupAccountNameA,IsValidSid,Sleep,LoadLibraryA,GetProcAddress,FreeLibrary, 0_2_10007200
Source: C:\Users\user\Desktop\ILQ18dgzMU.exe Code function: 0_2_00401D21 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA, 0_2_00401D21
Source: ILQ18dgzMU.exe, ILQ18dgzMU.exe, 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, svchsot.exe, 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: kxetray.exe
Source: ILQ18dgzMU.exe, ILQ18dgzMU.exe, 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, svchsot.exe, 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: KSafeTray.exe
Source: ILQ18dgzMU.exe, ILQ18dgzMU.exe, 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, svchsot.exe, svchsot.exe, 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 360tray.exe
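The in eax, dx instruction at 0_2_10001800 is the classic VMware hypervisor "backdoor" probe: the code loads the magic 0x564D5868 ('VMXh') into EAX and port 0x5658 ('VX') into DX and executes IN EAX, DX; inside a VMware guest the hypervisor answers the request, while on bare metal an unprivileged IN faults. The following is an added example, not part of the sandbox report or the sample, that locates that byte pattern statically so the check can be confirmed without running the binary. The byte buffers are constructed for the example, and the 32-byte search window is an assumption that tolerates a few interleaved instructions.

```python
"""Added example, not part of the sandbox report or the sample: a static
scan for the VMware "backdoor" I/O probe that an IN EAX, DX finding such
as the one at 0_2_10001800 typically corresponds to. The probe loads the
magic 0x564D5868 ('VMXh') into EAX and the port 0x5658 ('VX') into DX,
then executes IN EAX, DX; inside a VMware guest the hypervisor answers,
on bare metal the instruction faults in user mode. The byte buffers below
are constructed for the example; the 32-byte window is an assumption that
tolerates a few interleaved instructions."""
import struct

VMX_MAGIC = 0x564D5868                                    # 'VMXh'
VMX_PORT = 0x5658                                         # 'VX'
MOV_EAX_MAGIC = b"\xB8" + struct.pack("<I", VMX_MAGIC)    # mov eax, 564D5868h
MOV_DX_PORT = b"\x66\xBA" + struct.pack("<H", VMX_PORT)   # mov dx, 5658h
MOV_EDX_PORT = b"\xBA" + struct.pack("<I", VMX_PORT)      # mov edx, 5658h
IN_EAX_DX = b"\xED"                                       # in eax, dx


def find_vmware_backdoor(blob, window=32):
    """Return the offsets of every 'mov eax, VMXh' that has a port load
    nearby and an IN EAX, DX within `window` bytes after it."""
    hits = []
    start = 0
    while True:
        i = blob.find(MOV_EAX_MAGIC, start)
        if i < 0:
            return hits
        nearby = blob[max(0, i - window): i + window]
        loads_port = MOV_DX_PORT in nearby or MOV_EDX_PORT in nearby
        executes_in = IN_EAX_DX in blob[i + len(MOV_EAX_MAGIC): i + window]
        if loads_port and executes_in:
            hits.append(i)
        start = i + 1


# Constructed sample: prologue, the probe (GETVERSION command 0Ah in ECX),
# then an epilogue. The probe's first instruction sits at offset 6.
SAMPLE_CODE = (
    b"\x55\x8B\xEC\x53\x51\x52"          # push ebp; mov ebp,esp; push ebx; push ecx; push edx
    + MOV_EAX_MAGIC
    + b"\xBB\x00\x00\x00\x00"            # mov ebx, 0
    + b"\xB9\x0A\x00\x00\x00"            # mov ecx, 0Ah
    + MOV_DX_PORT
    + IN_EAX_DX
    + b"\x81\xFB\x68\x58\x4D\x56"        # cmp ebx, 564D5868h  (VMware echoes the magic)
    + b"\x5A\x59\x5B\x5D\xC3"            # pop edx; pop ecx; pop ebx; pop ebp; ret
)

# Constructed negative: the magic appears as data with no port load or IN.
SAMPLE_DATA = b"\x00" * 8 + MOV_EAX_MAGIC + b"\x00" * 40


if __name__ == "__main__":
    print(find_vmware_backdoor(SAMPLE_CODE))   # [6]
    print(find_vmware_backdoor(SAMPLE_DATA))   # []
```

Requiring all three pieces (magic load, port load, IN EAX, DX) keeps the false-positive rate low: the 'VMXh' constant alone also appears in strings tables and in legitimate VMware Tools components, and a lone 0xED byte is common in ordinary code. For a sample like this one the scan can be pointed at the unpacked 0x10000000 module dump rather than the packed file on disk.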

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ILQ18dgzMU.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchsot.exe PID: 8024, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000000.00000002.4082870617.00000000007A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3947674150.0000000000780000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.3090838933.0000000002150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1733553944.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4083178807.000000001007A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ILQ18dgzMU.exe PID: 7384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchsot.exe PID: 8024, type: MEMORYSTR