Report #10966 check_circle

  • Creation Date: Sept. 3, 2020, 3:04 p.m.
  • Last Update: Sept. 3, 2020, 3:09 p.m.
  • File: 001
  • Results:
Binary
DLL
False cancel
Size
224.25KB
trid
33.6% OS/2 Executable
33.1% Generic Win/DOS Executable
33.1% DOS Executable Generic
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
f5efa81034d6984fbb267269f80dc6e0
sha1
dc3922423713a410fcba8cf422aeb4e7cdf8b692
crc32
0x458b758
sha224
c5b63d7cf2f524daf96e1a7c1daa8eef6dcd81d0be1a388b3b10be93
sha256
0f415a88d185713dcb5162ee0089aef65b7af511ee6de9286f3d4f9ef53ad524
sha384
89081c774b300040744ffb72259105162fdccbc081c70b47e874d00e81abc1b133ee87ee1830de42c0fa1edad7bf0f03
sha512
3da5438386335d77ad896f74028376a7828f831266f200b919b654cf5b5f282998feaadf62e700b1e944daa8a0c31f0a3a0410787d712a588944dc89b8c70db1
ssdeep
3072:AuXvcfd10mQH+KD3c9ZhRDUK3u6uZF75HNGfI00ujlOTgfaR8DW1R4uL3GRvs:AOvcVqlH+8oRDcf75tqB0ujlhfaR8smE
Community
Google
False cancel
HashLib
False cancel
YARA
Matches
HasModified_DOS_Message, domain, IP, contentis_base64, IsNET_EXE, HasOverlay, IsPE32, IsWindowsGUI

Suspicious
True check_circle

Strings
List
System.IO
System.Security.Cryptography
98d30.png
98d30.png
tFex256HtbePPBP.exe
tFex256HtbePPBP.exe
tFex256HtbePPBP.exe
2.0.0.0
}a%+o
milkTea
%elEP
System.Windows.Forms
mscoree.dll
get_Magenta
QSystem.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
hSystem.Drawing.Bitmap, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3aPADPAD4m[
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857AB1B65E80C75F28857ABB9C2880C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28857ABDB65E80C25F28F906
ResourceManager
txtKillburnChoco
txtKillburnChoco
password
Binder
ComputeHash
%/#=
HashAlgorithm
$9189263f-fcbd-42cb-929e-6a490a7d766e
add_PrintPage
txtKillburnChoco_Click
ComponentResourceManager
set_StartPosition
MD5CryptoServiceProvider
E>7;H'X+POS
_CorExeMain
\\,WuTc80
%T*[pO6d!
+EhTP
Form1_Load
ec719.resources
ec719.resources
button1_Click
button2_Click
button3_Click
set_Document
37S&G?I
timer1_Tick
set_AutoScaleMode
get_Controls
set_ClientSize
get_ControlLightLight
get_ButtonFace
get_ControlDark
set_DisplayStyle
add_Load
add_Tick
get_Items
set_Image
get_ASCII
set_Location
txtLatte_Click
add_Click
txtCoffeCake_Click
set_TabIndex
set_FileName
get_FileName
set_AutoSize
get_NewLine
set_Name
set_Icon
set_Font
set_Text
qinkL;tU
set_Size
get_Text
set_BackColor
set_ForeColor
txtMocha_Click
set_Filter
txtValeCoffee_Click
get_Black
set_TextAlign
set_ImageAlign
be0%U?H
set_Margin
set_Visible
get_Graphics
get_Checked
set_Enabled
set_Checked
get_ControlDarkDark
set_Multiline
txtMilkTea_Click
set_BorderStyle
chkMilkTea_CheckedChanged
chkCoffe_CheckedChanged
System.Resources
set_MaximizeBox
chkLatte_CheckedChanged
chkValeCoffee_CheckedChanged
txtCappu_Click

Foremost
Matches
0.exe, 224 KB, 48.png, 130 KB
Suspicious
True check_circle
Heuristics
IPs
hasIPs: False cancel
Allowed
Suspicious
hasAllowed: False cancel
hasSuspicious: False cancel

URLs
Allowed
hasURLs: False cancel
Suspicious
hasAllowed: False cancel
hasSuspicious: False cancel

Files
Allowed: mscoree.dll
hasFiles: True check_circle
Suspicious
hasAllowed: True check_circle
hasSuspicious: False cancel

Binary
Sizes
RVA
RVA: 16
Suspicious: False cancel
Code
Size: 8192
Suspicious: False cancel
Image
Address: 4194304
Suspicious: False cancel
Stack
Stack: 4096
Suspicious: False cancel
Headers
Headers: 4096
Suspicious: False cancel
Suspicious: False cancel

Symbols
Number
Number: 0
Suspicious: True check_circle
Pointer
Pointer: 0
Suspicious: True check_circle
Directories
Number: 16
Suspicious: False cancel

Checksum
Value: 0
Suspicous: True check_circle

Sections
Allowed: .cle, .rsrc, .reloc
Suspicious
hasAllowed: True check_circle
hasSections: True check_circle
hasSuspicious: False cancel

Versions
OS
Version: 4
Suspicious: False cancel
Image
Version: True check_circle
Suspicious: 4
Linker
Version: 8.0
Suspicious: False cancel
Subsystem
Version: 4.0
Suspicious: False cancel
Suspicious: False cancel

EntryPoint
Address: 224158
Suspicious: False cancel

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True check_circle

Libraries
Allowed: mscoree.dll
hasLibs: True check_circle
Suspicious
hasAllowed: True check_circle
hasSuspicious: False cancel

Timestamp
Past: False cancel
Valid: True check_circle
Value: 2020-05-03 18:14:15
Future: False cancel

Compilation
Packed: False cancel
Missing: True check_circle
Packers
Compiled: False cancel
Compilers

Obfuscation
XOR: False cancel
Fuzzing: True check_circle

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks
True check_circle
Tricks
pushret
.cle: 71

pushpopmath
.cle: 40

garbagebytes
.cle: 24

software breakpoint
.cle: 1

fakeconditionaljumps
.cle: 2

programcontrolflowchange
.cle: 22

cpuinstructionsresultscomparison
.cle: 2

AVclass
remcos
1
VirusTotal
md5
f5efa81034d6984fbb267269f80dc6e0
sha1
dc3922423713a410fcba8cf422aeb4e7cdf8b692
SCANS (DETECTION RATE = 66.20%)
AVG
result: Win32:PWSX-gen [Trj]
update: 20200805
version: 18.4.3895.0
detected: True check_circle

CMC
update: 20200805
version: 2.7.2019.1
detected: False cancel

MAX
update: 20200805
version: 2019.9.16.1
detected: False cancel

APEX
result: Malicious
update: 20200804
version: 6.56
detected: True check_circle

Bkav
update: 20200805
version: 1.3.0.9899
detected: False cancel

K7GW
result: Trojan ( 00568e031 )
update: 20200805
version: 11.127.34901
detected: True check_circle

ALYac
update: 20200805
version: 1.1.1.5
detected: False cancel

Avira
result: TR/Kryptik.hvdkh
update: 20200805
version: 8.3.3.8
detected: True check_circle

Baidu
update: 20190318
version: 1.0.0.2
detected: False cancel

Cynet
result: Malicious (score: 90)
update: 20200805
version: 4.0.0.24
detected: True check_circle

Cyren
result: W32/MSIL_Kryptik.AQG.gen!Eldorado
update: 20200805
version: 6.3.0.2
detected: True check_circle

DrWeb
result: Trojan.Siggen9.44167
update: 20200805
version: 7.0.46.3050
detected: True check_circle

GData
result: Win32.Backdoor.Remcos.FXD5LV
update: 20200805
version: A:25.26484B:27.19695
detected: True check_circle

Panda
result: Trj/CI.A
update: 20200805
version: 4.6.4.2
detected: True check_circle

VBA32
result: TScope.Trojan.MSIL
update: 20200805
version: 4.4.1
detected: True check_circle

VIPRE
result: Trojan.Win32.Generic!BT
update: 20200805
version: 85718
detected: True check_circle

Zoner
update: 20200805
version: 0.0.0.0
detected: False cancel

ClamAV
result: Win.Packed.Remcos-8070789-0
update: 20200805
version: 0.102.4.0
detected: True check_circle

Comodo
update: 20200728
version: 32668
detected: False cancel

F-Prot
result: W32/MSIL_Kryptik.AQG.gen!Eldorado
update: 20200805
version: 4.7.1.166
detected: True check_circle

Ikarus
result: Trojan.MSIL.Kryptik
update: 20200805
version: 0.1.5.2
detected: True check_circle

McAfee
result: GenericRXLE-RD!F5EFA81034D6
update: 20200805
version: 6.0.6.653
detected: True check_circle

Rising
result: Backdoor.Remcos!8.B89E (CLOUD)
update: 20200805
version: 25.0.0.26
detected: True check_circle

Sophos
result: Mal/MSIL-UG
update: 20200805
version: 4.98.0
detected: True check_circle

Yandex
update: 20200707
version: 5.5.2.24
detected: False cancel

Zillya
result: Trojan.Kryptik.Win32.2082638
update: 20200805
version: 2.0.0.4148
detected: True check_circle

Acronis
update: 20200603
version: 1.1.1.76
detected: False cancel

Alibaba
result: Trojan:Win32/starter.ali1000139
update: 20190527
version: 0.3.0.5
detected: True check_circle

Arcabit
update: 20200805
version: 1.0.0.877
detected: False cancel

Cylance
result: Unsafe
update: 20200805
version: 2.3.1.101
detected: True check_circle

Endgame
result: malicious (high confidence)
update: 20200727
version: 4.0.6
detected: True check_circle

FireEye
result: Generic.mg.f5efa81034d6984f
update: 20200805
version: 32.36.1.0
detected: True check_circle

Sangfor
update: 20200423
version: 1.0
detected: False cancel

TACHYON
update: 20200805
version: 2020-08-05.02
detected: False cancel

Tencent
update: 20200805
version: 1.0.0.1
detected: False cancel

ViRobot
result: Trojan.Win32.Z.Remcos.229632.E
update: 20200805
version: 2014.3.20.0
detected: True check_circle

Webroot
update: 20200805
version: 1.0.0.403
detected: False cancel

eGambit
update: 20200805
detected: False cancel

Ad-Aware
update: 20200805
version: 3.0.5.370
detected: False cancel

AegisLab
result: Trojan.MSIL.Remcos.m!c
update: 20200805
version: 4.2
detected: True check_circle

Emsisoft
update: 20200805
version: 2018.12.0.1641
detected: False cancel

F-Secure
result: Trojan.TR/Kryptik.hvdkh
update: 20200805
version: 12.0.86.52
detected: True check_circle

Fortinet
result: MSIL/GenKryptik.EJUF!tr
update: 20200805
version: 6.2.142.0
detected: True check_circle

Invincea
result: heuristic
update: 20200502
version: 6.3.6.26157
detected: True check_circle

Jiangmin
result: Backdoor.MSIL.cxec
update: 20200805
version: 16.0.100
detected: True check_circle

Kingsoft
update: 20200805
version: 2013.8.14.323
detected: False cancel

Paloalto
result: generic.ml
update: 20200805
version: 1.0
detected: True check_circle

Symantec
result: ML.Attribute.HighConfidence
update: 20200805
version: 1.11.0.0
detected: True check_circle

Trapmine
update: 20200727
version: 3.5.0.1023
detected: False cancel

AhnLab-V3
result: Trojan/Win32.Agent.R340730
update: 20200805
version: 3.18.1.10026
detected: True check_circle

Antiy-AVL
result: Trojan/Win32.Sonbokli
update: 20200805
version: 3.0.0.1
detected: True check_circle

Kaspersky
result: HEUR:Backdoor.MSIL.Remcos.gen
update: 20200805
version: 15.0.1.13
detected: True check_circle

Microsoft
result: Trojan:MSIL/AgentTesla.BL!MTB
update: 20200805
version: 1.1.17300.4
detected: True check_circle

Qihoo-360
result: Generic/Backdoor.23a
update: 20200805
version: 1.0.0.1120
detected: True check_circle

ZoneAlarm
result: HEUR:Backdoor.MSIL.Remcos.gen
update: 20200805
version: 1.0
detected: True check_circle

Cybereason
result: malicious.23713a
update: 20190616
version: 1.2.449
detected: True check_circle

ESET-NOD32
result: a variant of MSIL/Kryptik.VSI
update: 20200805
version: 21771
detected: True check_circle

TrendMicro
result: TROJ_GEN.R002C0DG220
update: 20200805
version: 11.0.0.1006
detected: True check_circle

BitDefender
update: 20200805
version: 7.2
detected: False cancel

CrowdStrike
result: win/malicious_confidence_100% (W)
update: 20190702
version: 1.0
detected: True check_circle

K7AntiVirus
result: Trojan ( 00568e031 )
update: 20200805
version: 11.127.34902
detected: True check_circle

SentinelOne
result: DFI - Malicious PE
update: 20200725
version: 4.4.0.0
detected: True check_circle

Avast-Mobile
update: 20200805
version: 200805-00
detected: False cancel

Malwarebytes
result: Backdoor.Remcos
update: 20200805
version: 3.6.4.335
detected: True check_circle

TotalDefense
update: 20200804
version: 37.1.62.1
detected: False cancel

CAT-QuickHeal
result: Backdoor.MSIL
update: 20200805
version: 14.00
detected: True check_circle

NANO-Antivirus
result: Trojan.Win32.Remcos.hnkppj
update: 20200805
version: 1.0.134.25119
detected: True check_circle

BitDefenderTheta
result: Gen:NN.ZemsilF.34152.om1@ae5@0cg
update: 20200805
version: 7.2.37796.0
detected: True check_circle

MicroWorld-eScan
update: 20200805
version: 14.0.409.0
detected: False cancel

SUPERAntiSpyware
update: 20200731
version: 5.6.0.1032
detected: False cancel

TrendMicro-HouseCall
result: TROJ_GEN.R002C0DG220
update: 20200805
version: 10.0.0.1040
detected: True check_circle

total
71
sha256
0f415a88d185713dcb5162ee0089aef65b7af511ee6de9286f3d4f9ef53ad524
scan_id
0f415a88d185713dcb5162ee0089aef65b7af511ee6de9286f3d4f9ef53ad524-1596649806
resource
f5efa81034d6984fbb267269f80dc6e0
positives
47
scan_date
2020-08-05 17:50:06
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:43.543Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\
3/9/2020 - 14:45:43.543Unknown1480C:\malware.exeC:\
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows
3/9/2020 - 14:45:43.543Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:45:43.543Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:43.543Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:43.575Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:45:43.575Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:43.575Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:43.747Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:43.747Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:43.747Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:43.747Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:43.747Open1480C:\malware.exeC:\malware.exe.config
3/9/2020 - 14:45:44.75Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:45:44.497Unknown1480C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:45:44.497Unknown1480C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:45:44.497Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\index164.dat
3/9/2020 - 14:45:44.497Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
3/9/2020 - 14:45:44.512Unknown1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.668Open1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:44.715Read1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:44.762Unknown1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:44.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.903Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:44.997Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.43Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.137Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.184Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.465Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\
3/9/2020 - 14:45:45.465Unknown1480C:\malware.exeC:\
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Monitor
3/9/2020 - 14:45:45.465Unknown1480C:\malware.exeC:\Monitor
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:45:45.465Unknown1480C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.465Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:45:45.465Open1480C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:45:45.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Open1480C:\malware.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:45:45.481Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:45:45.481Open1480C:\malware.exeC:\malware.exe.config
3/9/2020 - 14:45:45.481Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.481Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.481Open1480C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:45:45.481Unknown1480C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.497Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.497Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:45.497Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:45.497Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:45:45.512Open1480C:\malware.exeC:\Windows\assembly\pubpol4.dat
3/9/2020 - 14:45:45.512Open1480C:\malware.exeC:\Windows\assembly\GAC\PublisherPolicy.tme
3/9/2020 - 14:45:45.512Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:45:45.512Unknown1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:45.512Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:45:45.512Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:45.512Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:45.512Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:45.512Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:45.512Read1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:45:45.559Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
3/9/2020 - 14:45:45.700Unknown1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.700Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
3/9/2020 - 14:45:45.700Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.747Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.793Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.840Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:45.981Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.28Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.122Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.168Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.215Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.262Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.309Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.403Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.450Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.497Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.543Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.590Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.637Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.684Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.731Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:46.778Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
3/9/2020 - 14:45:46.918Unknown1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:46.918Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
3/9/2020 - 14:45:46.918Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:46.965Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.59Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.293Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.340Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:47.387Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.528Unknown1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.528Open1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.528Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.668Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.918Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:47.965Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.59Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.293Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.340Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.387Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.434Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.528Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.668Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.903Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:48.997Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:49.43Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:49.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:49.137Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:49.372Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:49.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:49.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:49.981Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.28Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:50.122Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:50.122Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.168Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.215Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.262Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.309Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.403Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:50.497Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:50.497Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:50.543Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:50.590Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:50.637Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:50.684Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:50.731Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:50.778Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:50.825Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:50.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:50.918Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:50.965Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.59Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.340Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:51.387Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.434Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:51.528Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:51.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:51.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:51.668Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:51.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:51.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:51.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.137Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.184Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.325Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.559Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
3/9/2020 - 14:45:52.606Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
3/9/2020 - 14:45:52.653Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:45:52.700Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:45:52.747Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:45:52.793Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:52.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.872Open1480C:\malware.exeC:\Windows\Globalization\pt-br.nlp
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:52.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:52.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:52.981Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.28Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.122Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.168Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.215Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.262Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.309Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.403Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.450Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.497Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.543Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.590Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.637Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.684Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:53.731Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.778Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.825Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.918Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:53.965Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.59Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.293Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.340Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.387Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.434Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.528Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:54.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.668Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:54.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.903Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:45:54.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:54.997Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:55.43Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:55.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:55.137Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:45:55.184Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.325Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.559Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.606Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.653Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.700Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.747Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.793Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.840Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:55.981Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:56.28Open1480C:\malware.exeC:\Windows\assembly\GAC_32\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:56.28Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:56.168Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:56.168Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.215Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.215Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.215Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.262Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.309Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.356Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.403Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.450Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.497Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.543Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.590Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:56.590Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:45:56.590Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.637Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.684Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.731Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.778Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.825Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\VERSION.dll
3/9/2020 - 14:45:56.825Open1480C:\malware.exeC:\VERSION.dll
3/9/2020 - 14:45:56.825Open1480C:\malware.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:45:56.825Open1480C:\malware.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:45:56.825Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.825Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.825Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.872Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:45:56.872Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.872Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:45:56.918Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:56.965Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.59Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.293Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.340Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.387Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.434Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.528Unknown1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:45:57.528Open1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
3/9/2020 - 14:45:57.528Open1480C:\malware.exeC:\bcrypt.dll
3/9/2020 - 14:45:57.528Open1480C:\malware.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:45:57.528Open1480C:\malware.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:45:57.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\CRYPTSP.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Open1480C:\malware.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:45:57.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.918Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:57.965Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.59Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.293Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.340Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.387Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.434Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.528Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:58.997Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.325Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.559Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:59.559Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:45:59.559Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.606Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.747Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.793Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.840Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:45:59.981Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.28Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.122Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.168Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.215Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.262Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.309Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
3/9/2020 - 14:46:0.309Open1480C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:46:0.309Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:0.309Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:0.309Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:0.309Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:0.356Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:0.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:0.356Open1480C:\malware.exeC:\WindowsCodecs.dll
3/9/2020 - 14:46:0.356Open1480C:\malware.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:0.356Unknown1480C:\malware.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:0.356Open1480C:\malware.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:0.356Unknown1480C:\malware.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:0.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:0.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.434Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:0.481Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.528Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.575Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.668Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.903Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:0.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.43Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.137Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.184Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.325Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.606Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.653Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.700Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.747Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.793Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:1.840Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:1.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:1.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:1.981Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.28Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.122Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.168Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.215Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.262Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.309Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.356Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.403Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.450Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.497Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.543Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.590Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.637Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.684Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.731Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.778Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.825Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:2.872Unknown1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:2.872Open1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
3/9/2020 - 14:46:3.12Open1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
3/9/2020 - 14:46:3.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.247Open1480C:\malware.exeC:\malware.exe.config
3/9/2020 - 14:46:3.247Open1480C:\malware.exeC:\pt-BR\ReZer0V2.resources.dll
3/9/2020 - 14:46:3.247Open1480C:\malware.exeC:\pt-BR\ReZer0V2.resources\ReZer0V2.resources.dll
3/9/2020 - 14:46:3.247Open1480C:\malware.exeC:\pt-BR\ReZer0V2.resources.exe
3/9/2020 - 14:46:3.247Open1480C:\malware.exeC:\pt-BR\ReZer0V2.resources\ReZer0V2.resources.exe
3/9/2020 - 14:46:3.293Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:3.293Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:3.481Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:3.481Open1480C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:46:3.481Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:3.481Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:3.481Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:3.481Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:3.481Unknown1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR
3/9/2020 - 14:46:3.481Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:3.528Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:3.622Open1480C:\malware.exeC:\Windows\Globalization\pt.nlp
3/9/2020 - 14:46:3.622Open1480C:\malware.exeC:\pt\ReZer0V2.resources.dll
3/9/2020 - 14:46:3.622Open1480C:\malware.exeC:\pt\ReZer0V2.resources\ReZer0V2.resources.dll
3/9/2020 - 14:46:3.622Open1480C:\malware.exeC:\pt\ReZer0V2.resources.exe
3/9/2020 - 14:46:3.622Open1480C:\malware.exeC:\pt\ReZer0V2.resources\ReZer0V2.resources.exe
3/9/2020 - 14:46:3.622Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:3.668Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:3.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:3.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.137Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:4.184Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:4.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:4.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:4.325Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:4.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:4.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.559Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.606Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.653Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.700Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.747Open1480C:\malware.exeC:\Windows\Globalization\en-us.nlp
3/9/2020 - 14:46:4.747Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:4.840Open1480C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:4.840Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:4.934Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:4.934Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:5.28Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.28Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:5.28Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.75Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.122Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.168Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.215Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.262Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:5.262Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:5.262Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:5.262Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:5.262Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.262Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:5.262Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.262Unknown1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:5.262Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:15.387Open1480C:\malware.exeC:\shfolder.dll
3/9/2020 - 14:46:15.387Open1480C:\malware.exeC:\Windows\SysWOW64\shfolder.dll
3/9/2020 - 14:46:15.387Open1480C:\malware.exeC:\Windows\SysWOW64\shfolder.dll
3/9/2020 - 14:46:15.622Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:15.622Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.668Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.715Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.762Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.809Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.856Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.903Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.950Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:15.997Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.43Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.137Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.184Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.278Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.325Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.418Open1480C:\malware.exeC:\ntmarta.dll
3/9/2020 - 14:46:16.418Open1480C:\malware.exeC:\Windows\SysWOW64\ntmarta.dll
3/9/2020 - 14:46:16.418Open1480C:\malware.exeC:\Windows\SysWOW64\ntmarta.dll
3/9/2020 - 14:46:16.418Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.418Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.418Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.465Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.512Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.559Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:16.606Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.653Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:16.700Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:16.700Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:16.700Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:16.700Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:16.700Write1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Write1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:16.700Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:16.700Write1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Write1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:16.700Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.747Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.793Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.840Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.887Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:16.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:17.28Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:17.75Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:17.75Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:17.75Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:17.75Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:17.75Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:17.75Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:17.75Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:17.75Write1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:17.75Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.75Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\shell32.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Monitor
3/9/2020 - 14:46:17.90Unknown1480C:\malware.exeC:\Monitor
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\PROPSYS.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:17.90Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\WindowsShell.Manifest
3/9/2020 - 14:46:17.90Unknown1480C:\malware.exeC:\Windows\WindowsShell.ManifestWindowsShell.Manifest
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\apphelp.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.90Open1480C:\malware.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.106Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\
3/9/2020 - 14:46:17.106Unknown1480C:\malware.exeC:\
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.106Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.106Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.106Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.106Read1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.168Unknown1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:17.168Unknown1480C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dllapi-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:17.168Unknown1480C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dllapi-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:17.168Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:17.168Open1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Monitor\schtasks.exe
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\
3/9/2020 - 14:46:17.184Unknown1480C:\malware.exeC:\
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.184Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.184Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:17.184Read1480C:\malware.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:17.184Open1480C:\malware.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\urlmon.dll
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\urlmon.dll
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Secur32.dll
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe:Zone.Identifier
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Monitor
3/9/2020 - 14:46:17.200Unknown1480C:\malware.exeC:\Monitor
3/9/2020 - 14:46:17.200Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.215Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\
3/9/2020 - 14:46:17.215Unknown1480C:\malware.exeC:\
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.215Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.215Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.215Unknown1480C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.215Read1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.215Read1480C:\malware.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.215Open1480C:\malware.exeC:\Windows\SysWOW64\ui\SwDRM.dll
3/9/2020 - 14:46:17.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.231Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:17.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:17.309Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\Prefetch\SCHTASKS.EXE-AD598958.pf
3/9/2020 - 14:46:17.309Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:17.309Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:17.325Unknown2196C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:17.325Open2196C:\Windows\SysWOW64\schtasks.exeC:\Monitor
3/9/2020 - 14:46:17.387Open1480C:\malware.exeC:\RpcRtRemote.dll
3/9/2020 - 14:46:17.387Open1480C:\malware.exeC:\Windows\SysWOW64\RpcRtRemote.dll
3/9/2020 - 14:46:17.387Unknown1480C:\malware.exeC:\Windows\SysWOW64\RpcRtRemote.dllRpcRtRemote.dll
3/9/2020 - 14:46:17.387Open1480C:\malware.exeC:\Windows\SysWOW64\RpcRtRemote.dll
3/9/2020 - 14:46:17.387Unknown1480C:\malware.exeC:\Windows\SysWOW64\RpcRtRemote.dllRpcRtRemote.dll
3/9/2020 - 14:46:17.637Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:17.653Unknown2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:17.653Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:17.856Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:17.856Open2196C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:17.950Open2196C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:17.950Read2196C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:17.950Read2196C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:19.637Unknown2196C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:19.637Unknown2196C:\Windows\SysWOW64\schtasks.exeC:\Monitor
3/9/2020 - 14:46:19.684Open1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:19.684Open1480C:\malware.exeC:\Monitor\Files\DeletedFiles
3/9/2020 - 14:46:19.684Delete1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:19.684Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\tmp86C1.tmp
3/9/2020 - 14:46:19.684Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:19.731Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:19.825Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Open1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Read1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.825Unknown1480C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.872Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\Prefetch\MALWARE.EXE-20920919.pf
3/9/2020 - 14:46:19.872Read2332C:\malware.exeC:\Windows\Prefetch\MALWARE.EXE-20920919.pfMALWARE.EXE-20920919.pf
3/9/2020 - 14:46:19.872Open2332C:\malware.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Monitor\Malware
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:19.872Read2332C:\malware.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\GAC_32\mscorlib
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:19.872Read2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\Globalization
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Globalization
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Globalization
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\Microsoft.NET
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Microsoft.NET
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Microsoft.NET
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\Microsoft.NET\Framework
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework
3/9/2020 - 14:46:19.872Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework
3/9/2020 - 14:46:19.872Open2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\apisetschema.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\KernelBase.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\cryptbase.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\System32\mctres.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\System32\mctres.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8\QSML[7].XML
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\profapi.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\profapi.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8\QSML[8].XML
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:19.887Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:19.887Open2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\VXA84PRX.TXT
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\2JDK0WTG.TXT
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF\favicon[1].png
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF\favicon[1].pngfavicon[1].png
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\System32\mctres.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:19.903Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8\QSML[8].XML
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\VXA84PRX.TXT
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\2JDK0WTG.TXT
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF\favicon[1].pngfavicon[1].png
3/9/2020 - 14:46:19.903Read2332C:\malware.exeC:\Windows\System32\mctres.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\profapi.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\A6STR8JF\favicon[1].pngfavicon[1].png
3/9/2020 - 14:46:19.903Unknown2332C:\malware.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:19.903Open2332C:\malware.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:19.918Unknown2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\MSVCP60.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\msvcp60.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\msvcp60.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\WINMM.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\winmm.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\winmm.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\version.DLL
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:19.918Open2332C:\malware.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:19.934Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:19.934Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.934Unknown2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.934Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Read2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.950Write2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Write2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Read2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.950Read2332C:\malware.exeC:\malware.exe
3/9/2020 - 14:46:19.950Write2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Write2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:19.950Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:19.950Write2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:19.950Open2332C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:19.950Unknown2332C:\malware.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:19.950Open2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:19.950Unknown2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:20.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:20.12Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.12Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\PROPSYS.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\malware.exe.Local
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:20.12Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\WindowsShell.Manifest
3/9/2020 - 14:46:20.12Unknown2332C:\malware.exeC:\Windows\WindowsShell.ManifestWindowsShell.Manifest
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:20.12Read2332C:\malware.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:20.12Open2332C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\desktop.ini
3/9/2020 - 14:46:20.28Read2332C:\malware.exeC:\Users\desktop.ini
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\Behemot\Searches\desktop.ini
3/9/2020 - 14:46:20.28Read2332C:\malware.exeC:\Users\Behemot\Searches\desktop.ini
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\Behemot\Videos\desktop.ini
3/9/2020 - 14:46:20.28Read2332C:\malware.exeC:\Users\Behemot\Videos\desktop.ini
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.28Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.28Open2332C:\malware.exeC:\Users\Behemot\Pictures\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Pictures\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Contacts\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Contacts\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Favorites\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Favorites\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Music\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Music\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Downloads\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Downloads\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Documents\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Documents\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Links\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Links\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Users\Behemot\Saved Games\desktop.ini
3/9/2020 - 14:46:20.43Read2332C:\malware.exeC:\Users\Behemot\Saved Games\desktop.ini
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\apphelp.dll
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.43Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.43Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:20.106Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:20.106Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.106Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.106Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:20.153Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:20.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:20.200Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:20.247Open1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
3/9/2020 - 14:46:20.247Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:20.247Read1480C:\malware.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Read2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Read2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shdocvw.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.293Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.293Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.293Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.293Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Secur32.dll
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users\Behemot
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Users
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\api-ms-win-downlevel-advapi32-l2-1-0.dll
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dllapi-ms-win-downlevel-advapi32-l2-1-0.dll
3/9/2020 - 14:46:20.309Open2332C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
3/9/2020 - 14:46:20.309Unknown2332C:\malware.exeC:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dllapi-ms-win-downlevel-advapi32-l2-1-0.dll
3/9/2020 - 14:46:20.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:20.372Read1480C:\malware.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:20.372Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.1480.1116031
3/9/2020 - 14:46:20.372Open1480C:\malware.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.1480.1116031
3/9/2020 - 14:46:20.372Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.1480.1116031
3/9/2020 - 14:46:20.372Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:20.372Read1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:20.372Read1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:20.387Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs:Zone.Identifier
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Read2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Read2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Unknown2332C:\malware.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.387Unknown1480C:\malware.exeC:\Windows
3/9/2020 - 14:46:20.387Unknown1480C:\malware.exeC:\Monitor
3/9/2020 - 14:46:20.387Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:20.387Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:20.387Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:20.387Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:20.387Unknown2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:20.387Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.403Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\
3/9/2020 - 14:46:20.403Unknown2332C:\malware.exeC:\
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:20.403Unknown2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.403Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.403Unknown2332C:\malware.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Read2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Read2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\ui\SwDRM.dll
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\en\WScript.exe.mui
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\System32\en\WScript.exe.mui
3/9/2020 - 14:46:20.403Open2332C:\malware.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.418Unknown2332C:\malware.exeC:\Windows
3/9/2020 - 14:46:20.418Unknown2332C:\malware.exeC:\Monitor
3/9/2020 - 14:46:20.418Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:20.418Unknown2332C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\Prefetch\WSCRIPT.EXE-9093C9D0.pf
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:20.465Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:20.465Open2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:20.481Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:20.497Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:20.497Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:20.497Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:20.497Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:20.637Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:20.637Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.637Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll
3/9/2020 - 14:46:20.637Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\sxs.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\dwmapi.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\vbscript.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.684Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.700Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:20.700Read2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.700Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\msisip.dll
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.715Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.715Read2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.715Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshext.dll
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\WScript.exe.Local
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
3/9/2020 - 14:46:20.715Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3/9/2020 - 14:46:20.715Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
3/9/2020 - 14:46:20.997Read2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:20.997Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll
3/9/2020 - 14:46:21.43Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrobj.dll
3/9/2020 - 14:46:21.418Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll
3/9/2020 - 14:46:21.418Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mlang.dll
3/9/2020 - 14:46:21.465Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:22.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:22.684Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\scrrun.dll
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\mpr.dll
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wshom.ocx
3/9/2020 - 14:46:23.12Open2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.12Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\WScript.exe.Local
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.75Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\WindowsShell.Manifest
3/9/2020 - 14:46:23.75Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\WindowsShell.ManifestWindowsShell.Manifest
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:23.75Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dllapi-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:23.75Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dllapi-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\WScript.exe.Local
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.75Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.75Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.90Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.90Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:23.90Unknown2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.90Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.90Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:23.90Read2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\urlmon.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:23.90Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe:Zone.Identifier
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.153Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.153Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.340Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:23.340Unknown2924C:\Windows\SysWOW64\wscript.exeC:\
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.340Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.340Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.340Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.340Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.340Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.340Read2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.340Open2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\ui\SwDRM.dll
3/9/2020 - 14:46:23.356Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.356Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:23.356Open2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:23.356Open2924C:\Windows\SysWOW64\wscript.exeC:\Monitor\Files\DeletedFiles
3/9/2020 - 14:46:23.356Delete2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:23.356Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:23.356Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp\install.vbs
3/9/2020 - 14:46:23.356Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:23.356Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
3/9/2020 - 14:46:23.418Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Prefetch\CMD.EXE-AC113AA8.pfCMD.EXE-AC113AA8.pf
3/9/2020 - 14:46:23.418Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Prefetch\CMD.EXE-AC113AA8.pfCMD.EXE-AC113AA8.pf
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\apisetschema.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cryptbase.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\BOOTSECT.EXE
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:23.418Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp\TMP000000032EDF9B37C5E17B29
3/9/2020 - 14:46:23.418Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.418Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:23.418Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.434Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\BOOTSECT.EXE
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp\TMP000000032EDF9B37C5E17B29
3/9/2020 - 14:46:23.434Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.434Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.434Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.434Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.434Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:23.434Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:23.434Open2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.434Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows
3/9/2020 - 14:46:23.434Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Monitor
3/9/2020 - 14:46:23.434Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
3/9/2020 - 14:46:23.434Unknown2924C:\Windows\SysWOW64\wscript.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.653Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.668Read2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.668Read2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.668Read2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.668Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\ui\SwDRM.dll
3/9/2020 - 14:46:23.700Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Open2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Read2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.700Read2940C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Prefetch\REMCOS.EXE-473216CB.pf
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:23.747Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\MSCOREE.DLL.local
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:23.747Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\Upgrades.2.0.50727
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\Upgrades.2.0.50727
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.config
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.747Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.747Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:23.747Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:23.747Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:23.747Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:46:23.762Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.762Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.762Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.762Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.762Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.config
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\fusion.localgac
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\index164.dat
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
3/9/2020 - 14:46:23.762Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:23.762Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.778Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\ole32.dll
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:23.778Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.config
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\pubpol4.dat
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC\PublisherPolicy.tme
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:46:23.903Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:23.903Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:23.903Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:23.918Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.918Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.918Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\uxtheme.dll
3/9/2020 - 14:46:23.918Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
3/9/2020 - 14:46:23.918Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:46:23.918Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\pt-br.nlp
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\VERSION.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\VERSION.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\bcrypt.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\bcrypt.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\CRYPTSP.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:23.997Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:24.12Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:24.12Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Gdiplus.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:24.12Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:24.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:24.75Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\WindowsCodecs.dll
3/9/2020 - 14:46:24.75Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:24.75Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:24.75Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:24.75Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.config
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt-BR\ReZer0V2.resources.dll
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt-BR\ReZer0V2.resources\ReZer0V2.resources.dll
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt-BR\ReZer0V2.resources.exe
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt-BR\ReZer0V2.resources\ReZer0V2.resources.exe
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:24.168Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:24.168Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:24.168Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\pt.nlp
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt\ReZer0V2.resources.dll
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt\ReZer0V2.resources\ReZer0V2.resources.dll
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt\ReZer0V2.resources.exe
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\pt\ReZer0V2.resources\ReZer0V2.resources.exe
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\en-us.nlp
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:24.184Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:24.184Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:24.184Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:24.184Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:24.247Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:24.247Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:24.247Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:24.247Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:24.247Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:34.247Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\shfolder.dll
3/9/2020 - 14:46:34.247Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shfolder.dll
3/9/2020 - 14:46:34.247Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shfolder.dll
3/9/2020 - 14:46:34.247Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:34.247Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\qYwLHUWK.exe
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:34.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.293Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\shell32.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:34.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\PROPSYS.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:34.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\WindowsShell.Manifest
3/9/2020 - 14:46:34.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\WindowsShell.ManifestWindowsShell.Manifest
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\apphelp.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\apphelp.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:34.293Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:34.309Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:34.309Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dllapi-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:34.309Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:34.309Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\api-ms-win-downlevel-shell32-l1-1-0.dllapi-ms-win-downlevel-shell32-l1-1-0.dll
3/9/2020 - 14:46:34.309Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ieframe.dll
3/9/2020 - 14:46:34.309Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:34.309Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:34.309Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:34.309Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\schtasks.exe
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:34.325Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.325Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.325Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:34.325Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\Desktop\desktop.ini
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\propsys.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\propsys.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\urlmon.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\urlmon.dll
3/9/2020 - 14:46:34.325Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\Secur32.dll
3/9/2020 - 14:46:34.340Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:34.340Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\secur32.dll
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe:Zone.Identifier
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\AppPatch\sysmain.sdb
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.356Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ui\SwDRM.dll
3/9/2020 - 14:46:34.387Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Prefetch\SCHTASKS.EXE-AD598958.pf
3/9/2020 - 14:46:34.434Read516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Prefetch\SCHTASKS.EXE-AD598958.pfSCHTASKS.EXE-AD598958.pf
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Users
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\apisetschema.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\KernelBase.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\cryptbase.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\oleaut32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\oleaut32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.434Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.434Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\clbcatq.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\clbcatq.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\TMP86C1.TMP
3/9/2020 - 14:46:34.450Read516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:34.450Read516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\oleaut32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\clbcatq.dll
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.450Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.450Open516C:\Windows\SysWOW64\schtasks.exeC:\Monitor
3/9/2020 - 14:46:34.512Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\RpcRtRemote.dll
3/9/2020 - 14:46:34.512Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\RpcRtRemote.dll
3/9/2020 - 14:46:34.512Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\RpcRtRemote.dllRpcRtRemote.dll
3/9/2020 - 14:46:34.512Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\RpcRtRemote.dll
3/9/2020 - 14:46:34.512Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\RpcRtRemote.dllRpcRtRemote.dll
3/9/2020 - 14:46:34.668Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:34.668Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:34.684Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcss.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:34.684Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:34.903Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:34.903Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
3/9/2020 - 14:46:34.950Open516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.950Read516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.950Read516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.950Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:34.950Open516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
3/9/2020 - 14:46:34.950Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows
3/9/2020 - 14:46:34.950Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Monitor
3/9/2020 - 14:46:34.950Unknown516C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\pt-BR\KernelBase.dll.muiKernelBase.dll.mui
3/9/2020 - 14:46:35.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:35.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles
3/9/2020 - 14:46:35.12Delete2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:35.12Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:35.12Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Local\Temp\tmpCA04.tmp
3/9/2020 - 14:46:35.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.12Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.12Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.12Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.12Read2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.12Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Prefetch\REMCOS.EXE-473216CB.pf
3/9/2020 - 14:46:35.59Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Prefetch\REMCOS.EXE-473216CB.pfREMCOS.EXE-473216CB.pf
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Prefetch\REMCOS.EXE-473216CB.pfREMCOS.EXE-473216CB.pf
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:35.59Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL
3/9/2020 - 14:46:35.59Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL
3/9/2020 - 14:46:35.59Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL
3/9/2020 - 14:46:35.106Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\ntdll.dll
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:35.106Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.106Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\apisetschema.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\KernelBase.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptbase.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\profapi.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\profapi.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
3/9/2020 - 14:46:35.122Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
3/9/2020 - 14:46:35.122Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
3/9/2020 - 14:46:35.137Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
3/9/2020 - 14:46:35.137Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:35.137Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:35.137Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:35.137Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:35.137Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dll
3/9/2020 - 14:46:35.137Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:35.137Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dllSystem.Windows.Forms.dll
3/9/2020 - 14:46:35.137Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:35.137Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.137Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
3/9/2020 - 14:46:35.137Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:35.200Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch.2168.1155296
3/9/2020 - 14:46:35.200Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch.2168.1155296
3/9/2020 - 14:46:35.200Open2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch.2168.1155296
3/9/2020 - 14:46:35.200Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\locale.nls
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.configmachine.config
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\l_intl.nls
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\pt-BR\mscorrc.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\ntdll.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\kernel32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\kernel32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\user32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ntdll.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mscoree.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\advapi32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msvcrt.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rpcrt4.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sspicli.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shlwapi.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\gdi32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\user32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\lpk.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\usp10.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msctf.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\shell32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\ole32.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\profapi.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllmscorlib.ni.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System\67c97ffbe01458a63ecb518c7444c1f1\System.ni.dllSystem.ni.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\6f4f738362752c5d3a2c9234d604784d\System.Drawing.ni.dllSystem.Drawing.ni.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\c0f9cb97c68eb938bd0b36f7ee90e60f\System.Windows.Forms.ni.dllSystem.Windows.Forms.ni.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\bcrypt.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\cryptsp.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rsaenh.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe\Device\HarddiskVolume2
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64win.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64cpu.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\System32\wow64log.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.200Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:35.200Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\sechost.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\MSVCP60.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msvcp60.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\msvcp60.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\WINMM.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\winmm.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\winmm.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\version.DLL
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\version.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\remcos.exe.Local
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be\GdiPlus.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\imm32.dll
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.215Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:35.215Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.231Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:35.231Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.231Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.231Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.231Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nls
3/9/2020 - 14:46:35.231Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mswsock.dll
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\mswsock.dll
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WSHTCPIP.DLL
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WSHTCPIP.DLL
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\nlaapi.dll
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\nlaapi.dll
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\NapiNSP.dll
3/9/2020 - 14:46:35.231Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\NapiNSP.dll
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dllMicrosoft.VisualBasic.dll
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23407_none_5c02a2f5a011f9be
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\assembly\GAC_MSIL\mscorlib.resources\2.0.0.0_pt-BR_b77a5c561934e089\mscorlib.resources.dllmscorlib.resources.dll
3/9/2020 - 14:46:35.293Unknown2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\uxtheme.dll
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\pnrpnsp.dll
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\pnrpnsp.dll
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\DNSAPI.dll
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\dnsapi.dll
3/9/2020 - 14:46:35.293Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\dnsapi.dll
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\winrnr.dll
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\winrnr.dll
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\IPHLPAPI.DLL
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\IPHLPAPI.DLL
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\IPHLPAPI.DLL
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\WINNSI.DLL
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\winnsi.dll
3/9/2020 - 14:46:35.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\winnsi.dll
3/9/2020 - 14:46:35.356Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Windows
3/9/2020 - 14:46:35.356Unknown2940C:\Windows\SysWOW64\cmd.exeC:\Monitor
3/9/2020 - 14:46:35.356Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\FWPUCLNT.DLL
3/9/2020 - 14:46:35.356Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\FWPUCLNT.DLL
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\WindowsCodecs.dll
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:35.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:35.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dll
3/9/2020 - 14:46:35.418Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\WindowsCodecs.dllWindowsCodecs.dll
3/9/2020 - 14:46:35.418Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.png
3/9/2020 - 14:46:35.418Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.418Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.418Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.418Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.418Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.418Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.434Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.434Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.434Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.434Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.434Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\rasadhlp.dll
3/9/2020 - 14:46:35.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rasadhlp.dll
3/9/2020 - 14:46:35.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Windows\SysWOW64\rasadhlp.dll
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.png
3/9/2020 - 14:46:35.497Read2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.png
3/9/2020 - 14:46:35.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Monitor\Files\DeletedFiles\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Delete2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.497Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.pngtime_20180503_184635.png
3/9/2020 - 14:46:35.512Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.dat
3/9/2020 - 14:46:35.512Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.dattime_20180503_184635.dat
3/9/2020 - 14:46:35.512Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\Screenshots\time_20180503_184635.dattime_20180503_184635.dat
3/9/2020 - 14:46:45.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:46:45.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos
3/9/2020 - 14:46:45.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:46:45.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:46:45.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:46:45.309Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:46:55.309Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:46:55.309Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:5.340Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:5.340Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:15.372Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:15.372Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:25.403Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:25.403Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:35.434Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:35.434Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:45.434Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:45.434Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:55.465Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:47:55.465Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:5.497Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:5.497Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:15.528Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:15.528Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:25.559Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:25.559Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:35.590Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:35.590Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:45.622Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:45.622Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:55.653Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:48:55.653Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:5.684Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:5.684Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:15.715Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:15.715Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:25.747Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:25.747Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:35.747Open2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat
3/9/2020 - 14:49:35.747Unknown2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeC:\Users\Behemot\AppData\Roaming\remcos\logs.dat

Process
Trace
3/9/2020 - 14:46:17.200Create1480C:\malware.exe2196C:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:19.637Terminate1480C:\malware.exe2196C:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:19.825Create1480C:\malware.exe2332C:\malware.exe
3/9/2020 - 14:46:20.387Create2332C:\malware.exe2924C:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:20.418Terminate1480C:\malware.exe2332C:\malware.exe
3/9/2020 - 14:46:23.340Create2924C:\Windows\SysWOW64\wscript.exe2940C:\Windows\SysWOW64\cmd.exe
3/9/2020 - 14:46:23.434Terminate2332C:\malware.exe2924C:\Windows\SysWOW64\wscript.exe
3/9/2020 - 14:46:23.668Create2940C:\Windows\SysWOW64\cmd.exe2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:34.356Create2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe516C:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:34.950Terminate2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe516C:\Windows\SysWOW64\schtasks.exe
3/9/2020 - 14:46:35.12Create2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.293Terminate2940C:\Windows\SysWOW64\cmd.exe2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exe
3/9/2020 - 14:46:35.356Terminate2924C:\Windows\SysWOW64\wscript.exe2940C:\Windows\SysWOW64\cmd.exe

Analysis
Reason
Timeout

Status
Sucessfully Executed

Results
1

Registry
Trace
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:17.200Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:19.950Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Runremcos
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:20.309Write2332C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:23.153Write2924C:\Windows\SysWOW64\wscript.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:34.340Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:34.340Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:34.340Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:34.356Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:34.356Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapProxyBypass
3/9/2020 - 14:46:34.356Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapIntranetName
3/9/2020 - 14:46:34.356Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapUNCAsIntranet
3/9/2020 - 14:46:34.356Write2168C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapAutoDetect
3/9/2020 - 14:46:35.215Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Runremcos
3/9/2020 - 14:46:35.215Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Remcos-8CPBWMexepath
3/9/2020 - 14:46:35.215Write2220C:\Users\Behemot\AppData\Roaming\remcos\remcos.exeHKCU\Software\Remcos-8CPBWMlicence

File Summary
Created
Identified: True check_circle

Deleted
Identified: True check_circle

Process Summary
Created
Identified: True check_circle

Deleted
Identified: True check_circle

Registry Summary
Proxy
Identified: False cancel

AutoRun
Identified: False cancel

Created
Identified: True check_circle

Deleted
Identified: False cancel

Browsers
Identified: False cancel

Internet
Identified: True check_circle

Loading...

DNS
Query
computer localhost arrow_forward computer gateway:DNS code mmiri1.ddns.net.
computer localhost arrow_forward computer gateway:50273 code mmiri1.ddns.net.

Response
computer gateway:DNS arrow_forward computer localhost code mmiri1.ddns.net. reply_all 0.0.0.0


TCP
Info

UDP
Info
computer localhost:53 arrow_forward computer localhost:55394
computer localhost:55394 arrow_forward computer localhost:53
computer localhost:50273 arrow_forward computer localhost:53
computer localhost:53 arrow_forward computer localhost:50273

HTTP
Info

Summary
DNS
True check_circle

TCP
False cancel

UDP
True check_circle

HTTP
False cancel

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 53.75%
suspicious: True check_circle

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True check_circle

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 98.10%
suspicious: True check_circle

Random Forest (100 estimators, NFS-BRMalware)
confidence: 57.00%
suspicious: True check_circle

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 56.59%
suspicious: True check_circle

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.98%
suspicious: True check_circle

Add to Collection
Download