Report #6608

  • Creation Date: Feb. 18, 2020, 1:19 p.m.
  • Last Update: Feb. 18, 2020, 3:32 p.m.
  • File: Hedg.exe
  • Results:
Binary
DLL: False
Size
2.68MB
trid
49.2% Win32 EXE PECompact compressed
34.6% Win32 EXE PECompact compressed
5.4% Win32 Dynamic Link Library
3.7% Win32 Executable
1.7% Win16/32 Executable Delphi generic
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
2128d74eb5b82873f7b5be1254645d04
sha1
e9e04616290d21032f361e2275fb4cfd71d09869
crc32
0x3d8e5ca6
sha224
a989ac631266d96e753a60a369c0059ee8bba2458a4d1f308915fa2c
sha256
b2426000a4e49a406cb051a68f5ca78e4b6149ecb9deb987f49b8f0a32fcd464
sha384
8b7ae671df682935b854f7f6342b917a08283d7da49a4c3cefab31bdf03ec32c9455e28bf0d71e3cc30a07fca8e6d2d6
sha512
6d1e3c36d66be76cdc06d26e6ece06839465d8dae2fa0bb7c8bf25418347ab84fff27fcfbbe312cb824a0de498dd334daddeb82d9bfa6ef9697b04f60e2517ec
ssdeep
49152:/0NNjZZvdajgqm9pYQc3zQ1alGDzDxRA3KIFcS0hVsr3trct7kthAWG33fvAc0Y2:KlZCjgqm9uQ2zQftwcS0X4pctmhkwc0n
Community
Google: False
HashLib: False
YARA
Matches
domain, PECompact_2x_Jeremy_Collake, PECompact_v20_additional, PECompact_v20, PECompact_V2X_Bitsum_Technologies_additional, PECompact_20x_Heuristic_Mode_Jeremy_Collake, HasOverlay, PECompact_v2xx_additional, PECompactv2xx, IsPE32, PeCompact_v208_Bitsum_Technologiessignature_by_loveboom, PECompact2xxBitSumTechnologies, PECompact_v2xx, PeCompact_2xx_BitSum_Technologies, contentis_base64, IsPacked, PeCompact_253_DLL_BitSum_Technologies_additional, IsWindowsGUI, PECompactV2XBitsumTechnologies, HasDigitalSignature, PECompact_2xx_BitSum_Technologies, android_meterpreter, PeCompact_253_DLL_BitSum_Technologies, pecompact2, url, PECompact_V2X_Bitsum_Technologies

Suspicious: True

Strings
List
Nhttp://icp-brasil2.validcertificadora.com.br/ac-validrfb/lcr-ac-validrfbv2.crl0I
Mhttp://icp-brasil.validcertificadora.com.br/ac-validrfb/lcr-ac-validrfbv2.crl0T
Ihttp://icp-brasil.validcertificadora.com.br/ac-validrfb/ac-validrfbv2.p7b01
Khttp://icp-brasil.validcertificadora.com.br/ac-validrfb/dpc-ac-validrfb.pdf0
Chttp://repositorio.icpbrasil.gov.br/lcr/VALID/lcr-ac-validrfbv2.crl0
%http://ocsp.validcertificadora.com.br0
sales.4@hotmail.com
1http://crl.usertrust.com/UTN-USERFirst-Object.crl05
D.CAt
aU.Im
Nl.Gu
J.iO
1.PN
y.mG
Y.Ru
5.ME
3.lB
4.gY
d.gs
Z.Ms
,Bp*6.DE
http://www.usertrust.com1
http://www.usertrust.com1
S.gq
K.mX
x.NF
R.sZ
Fh.Mw
H4.aZ
GXz.RW
F.pW
Q.TT
e_.pS%
http://ocsp.usertrust.com0
At.MC]h
sSLXI)%c
wsock32.dll
Il.zta
winspool.drv
comctl32.dll
msimg32.dll
version.dll
ntdll.dll
(i.AU(\
cI:4d
!I:RY
!,&ooEB
I:TY
Hed.
Fi&o
eb>o
he's
V&oAR
fDRG\
g|SWl
n83H
HFt8
%FI#8{[A
IbI:ESZ
(%AHt
2l^ryk%eP
%E!ohzoJ9L-r
cW%BVun%E5
%d@9U`E
%tA;7M6
i2A%1|%
E%%7mD
/Of%e'
7o%pR
D%c-%'BTd
D%nI&~{v
0D%Em
pT0%e
YLgTu2
~%i{nbY
h{%ec"
%nBt$w
R%%:hg
rA%E`
G%+en
%E]?(
NUm%8s
QLF2T%cO)GB
TNM%Ao3O
dEted
moSc
geBs
O%shv
%nbFOy
%eYcDS
xruLcI%G
%GD N{N
!COMODO SHA-1 Time Stamping Signer0
.nsSh
GetProcAddress
d+7 J.Mo
!p?7.BN
;.8.DK
PECompact2
/f.CN

Foremost
Matches: 0.exe, 2 MB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed: (none)
Suspicious: (none)
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: True
Allowed: (none)
Suspicious: http://www.usertrust.com1, http://icp-brasil.validcertificadora.com.br/ac-validrfb/ac-validrfbv2.p7b01, http://icp-brasil.validcertificadora.com.br/ac-validrfb/dpc-ac-validrfb.pdf0, http://crl.usertrust.com/utn-userfirst-object.crl05, http://icp-brasil.validcertificadora.com.br/ac-validrfb/lcr-ac-validrfbv2.crl0t, http://icp-brasil2.validcertificadora.com.br/ac-validrfb/lcr-ac-validrfbv2.crl0i, http://repositorio.icpbrasil.gov.br/lcr/valid/lcr-ac-validrfbv2.crl0, http://ocsp.usertrust.com0, http://ocsp.validcertificadora.com.br0
hasAllowed: False
hasSuspicious: True
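The nine URLs flagged above are CRL distribution points, OCSP responders, an AIA certificate bundle (.p7b) and a certificate practice statement (DPC, the ICP-Brasil term for a CPS): the plumbing of the Authenticode certificate chain that the YARA HasDigitalSignature match and the "COMODO SHA-1 Time Stamping Signer" string already point to. They are CA infrastructure, not operator infrastructure, and belong on no blocklist. The trailing "1", "0t", "01" characters are the ASN.1 tag and length bytes that follow each DER IA5String; `strings` does not know to stop there. The Python below is an added example, not code from the report or from the sandbox tool: it strips those bytes, labels each URL by the PKI role it advertises and leaves anything it cannot place for manual review (here the CA's home page, which UTN-USERFirst certificates carry in an OU field). The extension list and the "at most two stray bytes" rule are assumptions that fit this report's strings output.

```python
import re
from urllib.parse import urlparse

# Constructed input: the nine URL strings exactly as the report's
# heuristics section lists them, DER residue included.
REPORT_URLS = [
    "http://www.usertrust.com1",
    "http://icp-brasil.validcertificadora.com.br/ac-validrfb/ac-validrfbv2.p7b01",
    "http://icp-brasil.validcertificadora.com.br/ac-validrfb/dpc-ac-validrfb.pdf0",
    "http://crl.usertrust.com/utn-userfirst-object.crl05",
    "http://icp-brasil.validcertificadora.com.br/ac-validrfb/lcr-ac-validrfbv2.crl0t",
    "http://icp-brasil2.validcertificadora.com.br/ac-validrfb/lcr-ac-validrfbv2.crl0i",
    "http://repositorio.icpbrasil.gov.br/lcr/valid/lcr-ac-validrfbv2.crl0",
    "http://ocsp.usertrust.com0",
    "http://ocsp.validcertificadora.com.br0",
]

# Assumption: a certificate URL ends in one of these extensions and at most
# two stray bytes (the next ASN.1 tag/length) follow it.
_PKI_FILE = re.compile(r"^(.*?\.(?:crl|p7b|p7c|cer|crt|pdf))[0-9a-z]{0,2}$", re.I)
_TRAILING_DIGITS = re.compile(r"\d+$")


def clean_url(raw: str) -> str:
    """Strip the ASN.1 bytes that `strings` glued onto a certificate URL."""
    m = _PKI_FILE.match(raw)
    if m:
        return m.group(1)
    p = urlparse(raw)
    if p.path in ("", "/"):
        # Bare host: top-level domain labels never contain digits, so a
        # trailing digit is DER residue (".com1" -> ".com").
        return f"{p.scheme}://{_TRAILING_DIGITS.sub('', p.netloc)}"
    return raw


def classify(url: str) -> str:
    """Name the PKI role a URL advertises: crl, ocsp, ca-cert, cps or other."""
    p = urlparse(url)
    host, path = p.netloc.lower(), p.path.lower()
    if path.endswith(".crl"):
        return "crl"        # CRL Distribution Points extension
    if host.startswith("ocsp."):
        return "ocsp"       # Authority Information Access: OCSP responder
    if path.endswith((".p7b", ".p7c", ".cer", ".crt")):
        return "ca-cert"    # Authority Information Access: CA issuers
    if path.endswith(".pdf") and ("dpc" in path or "cps" in path):
        return "cps"        # Certificate Policies: practice statement
    return "other"


def triage(raw_urls):
    """Split report URLs into certificate infrastructure and ones to review."""
    result = {"pki": [], "review": []}
    for raw in raw_urls:
        url = clean_url(raw)
        role = classify(url)
        result["pki" if role != "other" else "review"].append((url, role))
    return result


if __name__ == "__main__":
    for bucket, items in triage(REPORT_URLS).items():
        for url, role in items:
            print(f"{bucket:6} {role:8} {url}")
```

Eight of the nine land in the pki bucket; only http://www.usertrust.com is left for a human, and a glance at the certificate's issuer settles that one too. The same split can be made structurally by parsing the PE security directory and extracting the CRL/AIA extensions, which is the better check when the binary itself is at hand.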

Files
hasFiles: True
Allowed: oleaut32.dll, ntdll.dll, msimg32.dll, shell32.dll, user32.dll, comctl32.dll, advapi32.dll, wsock32.dll, kernel32.dll, version.dll, ole32.dll, gdi32.dll
Suspicious: (none)
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16 (Suspicious: False)
Code size: 2642432 (Suspicious: False)
Image address: 4194304 (0x00400000) (Suspicious: False)
Stack: 16384 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories
Number: 16 (Suspicious: False)

Checksum
Value: 2847203
Suspicious: False

Sections
hasSections: True
Allowed: .text, .rsrc
Suspicious: (none)
hasAllowed: True
hasSuspicious: False

Versions
OS version: 5 (Suspicious: False)
Image version: 5 (Suspicious: True)
Linker version: 2.25 (Suspicious: False)
Subsystem version: 5.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 1442384 (0x00160250) (Suspicious: False)

Anomalies
hasAnomalies: False

Libraries
hasLibs: True
Allowed: oleaut32.dll, ntdll.dll, msimg32.dll, shell32.dll, user32.dll, comctl32.dll, advapi32.dll, wsock32.dll, kernel32.dll, version.dll, ole32.dll, gdi32.dll
Suspicious: (none)
hasAllowed: True
hasSuspicious: False

Timestamp
Value: 2017-06-05 13:57:06
Valid: True
Past: False
Future: False

Compilation
Packed: True
Missing: False
Compiled: False
Packers: PECompact 2.x -> Jeremy Collake, PECompact v2.0, PeCompact 2.53 DLL --> BitSum Technologies, PECompact 2.0x Heuristic Mode -> Jeremy Collake
MainPacker: PECompact 2.xx --> BitSum Technologies
Compilers: (none identified)

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks (occurrences per section):
pushret: .text 1449, .rsrc 3
pushpopmath: .text 785, .rsrc 3
ss register: .text 23
garbagebytes: .text 514, .rsrc 1
hookdetection: .text 48
software breakpoint: .text 48
fakeconditionaljumps: .text 40
programcontrolflowchange: .text 478, .rsrc 1
cpuinstructionsresultscomparison: .rsrc 9, .text 1

AVclass: banload (1)
VirusTotal
md5: 2128d74eb5b82873f7b5be1254645d04
sha1: e9e04616290d21032f361e2275fb4cfd71d09869
sha256: b2426000a4e49a406cb051a68f5ca78e4b6149ecb9deb987f49b8f0a32fcd464
scan_id: b2426000a4e49a406cb051a68f5ca78e4b6149ecb9deb987f49b8f0a32fcd464-1579646485
resource: 2128d74eb5b82873f7b5be1254645d04
scan_date: 2020-01-21 22:41:25
total: 71
positives: 44
response_code: 1
verbose_msg: Scan finished, information embedded

SCANS (DETECTION RATE = 61.97%, 44 of 71 engines)
Vendor | Detected | Result | Engine version | Signature update
AVG | yes | FileRepMetagen [Malware] | 18.4.3895.0 | 20200121
CMC | no | - | 1.1.0.977 | 20190321
MAX | yes | malware (ai score=100) | 2019.9.16.1 | 20200121
APEX | yes | Malicious | 5.107 | 20200119
Bkav | no | - | 1.3.0.9899 | 20200117
K7GW | no | - | 11.87.33095 | 20200121
ALYac | yes | Trojan.GenericKD.5273820 | 1.1.1.5 | 20200121
Avast | no | - | 18.4.3895.0 | 20200121
Avira | yes | HEUR/AGEN.1028060 | 8.3.3.8 | 20200121
Baidu | no | - | 1.0.0.2 | 20190318
Cyren | no | - | 6.2.2.2 | 20200121
DrWeb | no | - | 7.0.44.12030 | 20200121
GData | yes | Trojan.GenericKD.5273820 | A:25.24648B:26.17434 | 20200121
Panda | yes | Trj/CI.A | 4.6.4.2 | 20200120
VBA32 | yes | TScope.Malware-Cryptor.SB | 4.3.0 | 20200120
VIPRE | yes | Trojan.Win32.Generic!BT | 80936 | 20200121
Zoner | no | - | 1.0.0.1 | 20200120
ClamAV | no | - | 0.102.1.0 | 20200120
Comodo | yes | Malware@#87pn2ms7snoz | 31983 | 20200119
F-Prot | no | - | 4.7.1.166 | 20200121
Ikarus | yes | Trojan-Spy.Agent | 0.1.5.2 | 20200120
McAfee | yes | Artemis!2128D74EB5B8 | 6.0.6.653 | 20200121
Rising | yes | Spyware.Banker!8.8D (CLOUD) | 25.0.0.24 | 20200121
Sophos | yes | Mal/Generic-S | 4.98.0 | 20200121
Yandex | yes | TrojanSpy.Banker!mF9uwcrkf1A | 5.5.2.24 | 20200120
Zillya | yes | Trojan.Banker.Win32.117297 | 2.0.0.4000 | 20200120
Acronis | no | - | 1.1.1.58 | 20200113
Alibaba | no | - | 0.3.0.5 | 20190527
Arcabit | yes | Trojan.Generic.D5078DC | 1.0.0.869 | 20200121
Cylance | yes | Unsafe | 2.3.1.101 | 20200121
Endgame | yes | malicious (high confidence) | 3.0.15 | 20190918
FireEye | yes | Generic.mg.2128d74eb5b82873 | 29.7.0.0 | 20200121
Sangfor | no | - | 1.0 | 20200114
TACHYON | no | - | 2020-01-21.02 | 20200121
Tencent | yes | Win32.Trojan.Falsesign.Hnbc | 1.0.0.1 | 20200121
ViRobot | no | - | 2014.3.20.0 | 20200121
Webroot | no | - | 1.0.0.403 | 20200121
eGambit | yes | Unsafe.AI_Score_96% | - | 20200121
Ad-Aware | yes | Trojan.GenericKD.5273820 | 3.0.5.370 | 20200121
AegisLab | yes | Trojan.Multi.Generic.4!c | 4.2 | 20200121
Emsisoft | yes | Trojan.GenericKD.5273820 (B) | 2018.12.0.1641 | 20200121
F-Secure | yes | Heuristic.HEUR/AGEN.1028060 | 12.0.86.52 | 20200121
Fortinet | yes | W32/Banker.ADGI!tr | 6.2.137.0 | 20200121
Invincea | yes | heuristic | 6.3.6.26157 | 20191211
Jiangmin | no | - | 16.0.100 | 20200121
Kingsoft | no | - | 2013.8.14.323 | 20200121
Paloalto | no | - | 1.0 | 20200121
Symantec | yes | ML.Attribute.HighConfidence | 1.11.0.0 | 20200121
AhnLab-V3 | yes | Malware/Win32.Generic.C1926735 | 3.17.0.26111 | 20200121
Antiy-AVL | no | - | 3.0.0.1 | 20200119
Kaspersky | yes | UDS:DangerousObject.Multi.Generic | 15.0.1.13 | 20200121
MaxSecure | yes | Trojan.Malware.11012064.susgen | 1.0.0.1 | 20200117
Microsoft | yes | TrojanDownloader:Win32/Banload.ZFQ!bit | 1.1.16600.7 | 20200121
Qihoo-360 | yes | Win32/Trojan.25a | 1.0.0.1120 | 20200121
ZoneAlarm | yes | UDS:DangerousObject.Multi.Generic | 1.0 | 20200121
Cybereason | yes | malicious.eb5b82 | 1.2.449 | 20190616
ESET-NOD32 | yes | a variant of Win32/Spy.Zumanek.BS | 20705 | 20200121
TrendMicro | no | - | 11.0.0.1006 | 20200121
BitDefender | yes | Trojan.GenericKD.5273820 | 7.2 | 20200121
CrowdStrike | yes | win/malicious_confidence_60% (D) | 1.0 | 20190702
K7AntiVirus | no | - | 11.87.33095 | 20200121
SentinelOne | yes | DFI - Suspicious PE | 1.12.1.57 | 20191218
Avast-Mobile | no | - | 200120-00 | 20200120
Malwarebytes | no | - | 3.6.4.330 | 20200121
TotalDefense | no | - | 37.1.62.1 | 20200121
CAT-QuickHeal | no | - | 14.00 | 20200120
NANO-Antivirus | yes | Trojan.Win32.Banload.eptewo | 1.0.134.25031 | 20200121
BitDefenderTheta | yes | Gen:NN.ZelphiF.34084.RkXfa4gb9EgO | 7.2.37796.0 | 20200120
MicroWorld-eScan | yes | Trojan.GenericKD.5273820 | 14.0.297.0 | 20200116
McAfee-GW-Edition | yes | GenericRXBX-PN!E30E53631AC4 | v2017.3010 | 20200121
TrendMicro-HouseCall | no | - | 10.0.0.1040 | 20200121
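The AVclass line above resolves these labels to the banload family, and the table shows why: most engines return only a generic or heuristic verdict, while the ones that name a family say Banker or Banload (with Zumanek and ZelphiF as lone dissenters). The Python below is an added example, not the report's or AVclass's code: it reproduces the core of that plurality vote on the 44 labels from the table, one vote per vendor per family after generic tokens, tokens shorter than five letters and tokens containing digits (variant ids, hashes, hex) are dropped. The GENERIC set and the banker-to-banload alias are assumptions trimmed to this sample; AVclass ships far larger lists. Residual variant suffixes such as "eptewo" still collect a stray vote each, which is why the vote count, not the tail of the list, is what to read. The consensus also agrees with the static data: linker version 2.25 is the Borland/Delphi linker, and Banload is a Delphi-written Brazilian banking downloader.

```python
import re
from collections import Counter

# Constructed input: the 44 detection labels from the VirusTotal table above
# (engines with no detection contribute nothing and are omitted).
LABELS = [
    "FileRepMetagen [Malware]", "malware (ai score=100)", "Malicious",
    "Trojan.GenericKD.5273820", "HEUR/AGEN.1028060", "Trojan.GenericKD.5273820",
    "Trj/CI.A", "TScope.Malware-Cryptor.SB", "Trojan.Win32.Generic!BT",
    "Malware@#87pn2ms7snoz", "Trojan-Spy.Agent", "Artemis!2128D74EB5B8",
    "Spyware.Banker!8.8D (CLOUD)", "Mal/Generic-S", "TrojanSpy.Banker!mF9uwcrkf1A",
    "Trojan.Banker.Win32.117297", "Trojan.Generic.D5078DC", "Unsafe",
    "malicious (high confidence)", "Generic.mg.2128d74eb5b82873",
    "Win32.Trojan.Falsesign.Hnbc", "Unsafe.AI_Score_96%", "Trojan.GenericKD.5273820",
    "Trojan.Multi.Generic.4!c", "Trojan.GenericKD.5273820 (B)",
    "Heuristic.HEUR/AGEN.1028060", "W32/Banker.ADGI!tr", "heuristic",
    "ML.Attribute.HighConfidence", "Malware/Win32.Generic.C1926735",
    "UDS:DangerousObject.Multi.Generic", "Trojan.Malware.11012064.susgen",
    "TrojanDownloader:Win32/Banload.ZFQ!bit", "Win32/Trojan.25a",
    "UDS:DangerousObject.Multi.Generic", "malicious.eb5b82",
    "a variant of Win32/Spy.Zumanek.BS", "Trojan.GenericKD.5273820",
    "win/malicious_confidence_60% (D)", "DFI - Suspicious PE",
    "Trojan.Win32.Banload.eptewo", "Gen:NN.ZelphiF.34084.RkXfa4gb9EgO",
    "Trojan.GenericKD.5273820", "GenericRXBX-PN!E30E53631AC4",
]

# Assumption: tokens that name a category, platform, verdict or heuristic
# rather than a family. Trimmed to what the labels above contain.
GENERIC = {
    "trojan", "trojanspy", "trojandownloader", "spyware", "generic", "generickd",
    "genericrxbx", "malware", "malicious", "filerepmetagen", "score", "tscope",
    "cryptor", "artemis", "cloud", "unsafe", "multi", "agent", "heuristic",
    "attribute", "highconfidence", "dangerousobject", "susgen", "variant",
    "confidence", "suspicious",
}
# Assumption: Banker and Banload are treated as one family, matching the
# AVclass line in the report.
ALIASES = {"banker": "banload"}


def family_tokens(label: str) -> set:
    """Candidate family names in one vendor label."""
    out = set()
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        tok = tok.lower()
        # Short tokens are variant suffixes (Hnbc, ADGI); digit-bearing
        # tokens are ids, hashes or versions. Neither names a family.
        if len(tok) < 5 or any(c.isdigit() for c in tok) or tok in GENERIC:
            continue
        out.add(ALIASES.get(tok, tok))
    return out


def family_votes(labels) -> Counter:
    """One vote per vendor per family, the way AVclass tallies labels."""
    votes = Counter()
    for label in labels:
        votes.update(family_tokens(label))
    return votes


def consensus(labels):
    """Most-voted family and its count, or (None, 0) if nothing survives."""
    votes = family_votes(labels)
    if not votes:
        return None, 0
    family, n = votes.most_common(1)[0]
    return family, n


if __name__ == "__main__":
    print(family_votes(LABELS).most_common())
    print(consensus(LABELS))
```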
File
Trace
All events on 18/2/2020. Columns: time | operation | PID | target path. PID 1480 is C:\malware.exe; PIDs 2608 and 2860 are C:\Windows\SysWOW64\schtasks.exe. Identical consecutive rows are collapsed with a count.
14:45:44.200 | Open | 1480 | C:\Monitor\Malware
14:45:44.200 | Unknown | 1480 | C:\Monitor\Malware
(the Open/Unknown pair above occurs 6 times in total)
14:45:44.200 | Open | 1480 | C:\Windows\SysWOW64\uxtheme.dll (x2)
14:45:44.247 | Open | 1480 | C:\Windows\SysWOW64\rpcss.dll (x2)
14:45:44.247 | Open | 1480 | C:\dwmapi.dll
14:45:44.247 | Open | 1480 | C:\Windows\SysWOW64\dwmapi.dll (x2)
14:45:44.247 | Open | 1480 | C:\Windows\Fonts\StaticCache.dat
14:45:44.247 | Read | 1480 | C:\Windows\Fonts\StaticCache.dat
14:45:44.247 | Open | 1480 | C:\Windows\Globalization\Sorting\SortDefault.nls
14:45:44.247 | Unknown | 1480 | C:\Windows\Globalization\Sorting\SortDefault.nls
14:45:44.247 | Open | 1480 | C:\
14:45:44.247 | Unknown | 1480 | C:\
14:45:44.247 | Open | 1480 | C:\ntmarta.dll
14:45:44.247 | Open | 1480 | C:\Windows\SysWOW64\ntmarta.dll (x2)
14:45:44.309 | Open | 1480 | C:\Windows\Fonts\sserife.fon
14:45:44.309 | Open | 1480 | C:\Monitor\Malware
14:45:44.325 | Unknown | 1480 | C:\Monitor\Malware
14:46:44.825 | Open | 1480 | C:\mlang.dat
14:46:44.825 | Open | 1480 | C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
14:46:44.872 | Open | 1480 | C:\Windows\SysWOW64\explorer.exe
14:46:44.918 | Open | 1480 | C:\Program Files (x86)
14:46:44.918 | Unknown | 1480 | C:\Program Files (x86)
14:46:44.918 | Open | 1480 | C:\Program Files (x86)\GbPlugin
14:46:44.918 | Open | 1480 | C:\Program Files (x86)\Scpad
14:46:44.918 | Open | 1480 | C:\Windows\SysWOW64\wbem\wbemdisp.dll
14:46:44.965 | Open | 1480 | C:\Windows\SysWOW64\wbem\wbemdisp.dll
14:46:45.247 | Open | 1480 | C:\Windows\SysWOW64\wbem\wbemcomn.dll
14:46:45.247 | Open | 1480 | C:\Windows\SysWOW64\wbemcomn.dll
14:46:45.293 | Open | 1480 | C:\Windows\SysWOW64\wbemcomn.dll
14:46:45.856 | Open | 1480 | C:\Windows\SysWOW64\wbem\Logs
14:46:45.903 | Unknown | 1480 | C:\Windows\SysWOW64\wbem\Logs
14:46:45.903 | Open | 1480 | C:\Windows\SysWOW64\advapi32.dll (x2)
14:46:45.903 | Open | 1480 | C:\Windows\SysWOW64\wbem\wbemprox.dll (x2)
14:46:46.137 | Open | 1480 | C:\Windows\SysWOW64\wbem\wmiutils.dll (x2)
14:46:46.559 | Open | 1480 | C:\Windows\SysWOW64\nlaapi.dll (x2)
14:46:46.559 | Open | 1480 | C:\Windows\SysWOW64\NapiNSP.dll (x2)
14:46:46.887 | Open | 1480 | C:\mlang.dat
14:46:46.887 | Open | 1480 | C:\Windows\SysWOW64\pnrpnsp.dll (x2)
14:46:47.215 | Open | 1480 | C:\Windows\SysWOW64\mswsock.dll (x2)
14:46:47.215 | Open | 1480 | C:\DNSAPI.dll
14:46:47.215 | Open | 1480 | C:\Windows\SysWOW64\dnsapi.dll (x2)
14:46:47.215 | Open | 1480 | C:\Windows\SysWOW64\winrnr.dll (x2)
14:46:47.450 | Open | 1480 | C:\IPHLPAPI.DLL
14:46:47.450 | Open | 1480 | C:\Windows\SysWOW64\IPHLPAPI.DLL (x2)
14:46:47.450 | Open | 1480 | C:\WINNSI.DLL
14:46:47.450 | Open | 1480 | C:\Windows\SysWOW64\winnsi.dll (x2)
14:46:47.497 | Open | 1480 | C:\Windows\SysWOW64\FWPUCLNT.DLL (x2)
14:46:47.590 | Open | 1480 | C:\rasadhlp.dll
14:46:47.590 | Open | 1480 | C:\Windows\SysWOW64\rasadhlp.dll (x2)
14:46:47.684 | Open | 1480 | C:\CRYPTSP.dll
14:46:47.684 | Open | 1480 | C:\Windows\SysWOW64\cryptsp.dll (x2)
14:46:47.684 | Open | 1480 | C:\Windows\SysWOW64\rsaenh.dll (x12)
14:46:47.684 | Open | 1480 | C:\RpcRtRemote.dll
14:46:47.684 | Open | 1480 | C:\Windows\SysWOW64\RpcRtRemote.dll
14:46:47.684 | Unknown | 1480 | C:\Windows\SysWOW64\RpcRtRemote.dll
(the Open/Unknown pair above occurs twice)
14:46:47.872 | Open | 1480 | C:\Windows\SysWOW64\wbem\wbemsvc.dll (x2)
14:46:48.293 | Open | 1480 | C:\Windows\SysWOW64\wbem\fastprox.dll (x2)
14:46:48.293 | Open | 1480 | C:\Windows\SysWOW64\wbem\NTDSAPI.dll
14:46:48.293 | Open | 1480 | C:\Windows\SysWOW64\ntdsapi.dll (x2)
14:46:48.715 | Open | 1480 | C:\SXS.DLL
14:46:48.715 | Open | 1480 | C:\Windows\SysWOW64\sxs.dll (x2)
14:46:48.715 | Open | 1480 | C:\Windows\SysWOW64\wbem\wbemdisp.tlb
14:46:48.715 | Read | 1480 | C:\Windows\SysWOW64\wbem\wbemdisp.tlb (x17)
14:46:49.918 | Open | 1480 | C:\
14:46:49.918 | Unknown | 1480 | C:\
14:46:49.918 | Open | 1480 | C:\Windows\SysWOW64\winhttp.dll (x2)
14:46:49.918 | Open | 1480 | C:\Windows\SysWOW64\webio.dll (x2)
14:46:49.918 | Open | 1480 | C:\credssp.dll
14:46:49.918 | Open | 1480 | C:\Windows\SysWOW64\credssp.dll (x2)
14:46:49.918 | Open | 1480 | C:\Windows\SysWOW64\WSHTCPIP.DLL (x2)
14:46:49.918 | Open | 1480 | C:\Windows\SysWOW64\wship6.dll (x2)
14:46:51.715 | Open | 1480 | C:\mlang.dat
14:46:51.715 | Open | 1480 | C:\schtasks.exe
14:46:51.715 | Open | 1480 | C:\Monitor\schtasks.exe
14:46:51.715 | Open | 1480 | C:\Windows\SysWOW64\schtasks.exe
14:46:51.731 | Open | 1480 | C:\Windows\SysWOW64\schtasks.exe (x2)
14:46:51.747 | Open | 2608 | C:\Windows\Prefetch\SCHTASKS.EXE-AD598958.pf
14:46:51.747 | Open | 2608 | C:\Windows
14:46:51.747 | Open | 2608 | C:\Windows\System32\wow64.dll (x2)
14:46:51.747 | Open | 2608 | C:\Windows\System32\wow64win.dll (x2)
14:46:51.747 | Open | 2608 | C:\Windows\System32\wow64cpu.dll (x2)
14:46:51.747 | Open | 2608 | C:\Windows\System32\wow64log.dll
14:46:51.747 | Open | 2608 | C:\Windows
14:46:51.747 | Unknown | 2608 | C:\Windows
14:46:51.747 | Open | 2608 | C:\Monitor
14:46:51.950 | Read | 2608 | C:\Windows\SysWOW64\schtasks.exe (x2)
14:46:51.950 | Open | 2608 | C:\Windows\SysWOW64\sechost.dll (x2)
14:46:51.950 | Open | 2608 | C:\Windows\SysWOW64\ktmw32.dll (x2)
14:46:51.950 | Open | 2608 | C:\Windows\SysWOW64\imm32.dll (x3)
14:46:51.965 | Open | 2608 | C:\Windows\SysWOW64\imm32.dll (x3)
14:46:51.965 | Read | 2608 | C:\Windows\SysWOW64\schtasks.exe (x3)
14:46:51.965 | Open | 2608 | C:\Windows\SysWOW64\version.dll (x2)
14:46:51.965 | Open | 2608 | C:\Windows\SysWOW64\schtasks.exe (x2)
14:46:51.965 | Open | 2608 | C:\Windows\Globalization\Sorting\SortDefault.nls
14:46:51.965 | Unknown | 2608 | C:\Windows\Globalization\Sorting\SortDefault.nls
14:46:51.965 | Open | 2608 | C:\Windows\SysWOW64\schtasks.exe (x2)
14:46:52.12 | Open | 2608 | C:\Windows\SysWOW64\rpcss.dll (x2)
14:46:52.12 | Open | 2608 | C:\Windows\SysWOW64\uxtheme.dll (x2)
14:46:52.153 | Open | 2608 | C:\Windows\SysWOW64\taskschd.dll (x2)
14:46:52.247 | Open | 2608 | C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
14:46:52.247 | Unknown | 2608 | C:\Windows
14:46:52.247 | Unknown | 2608 | C:\Monitor
14:46:52.247 | Unknown | 2608 | C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
14:46:53.731 | Open | 1480 | C:\Behemot.XML
14:46:53.731 | Write | 1480 | C:\Behemot.XML
14:46:53.731 | Unknown | 1480 | C:\Behemot.XML
14:46:55.747 | Open | 1480 | C:\schtasks.exe
14:46:55.747 | Open | 1480 | C:\Monitor\schtasks.exe
14:46:55.747 | Open | 1480 | C:\Windows\SysWOW64\schtasks.exe (x3)
14:46:55.747 | Unknown | 1480 | C:\Windows\SysWOW64\schtasks.exe
14:46:55.793 | Open | 2860 | C:\Windows\Prefetch\SCHTASKS.EXE-AD598958.pf
14:46:55.793 | Read | 2860 | C:\Windows\Prefetch\SCHTASKS.EXE-AD598958.pf
14:46:55.793 | Open | 2860 | \Device\HarddiskVolume2
14:46:55.793 | Open | 2860 | C:\Windows
14:46:55.793 | Unknown | 2860 | C:\Windows (x2)
14:46:55.793 | Open | 2860 | C:\Windows\Globalization
14:46:55.793 | Unknown | 2860 | C:\Windows\Globalization (x2)
14:46:55.793 | Open | 2860 | C:\Windows\Globalization\Sorting
14:46:55.793 | Unknown | 2860 | C:\Windows\Globalization\Sorting (x2)
14:46:55.793 | Open | 2860 | C:\Windows\System32
14:46:55.793 | Unknown | 2860 | C:\Windows\System32 (x2)
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64 (x2)
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\pt-BR
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\pt-BR (x2)
14:46:55.793 | Open | 2860 | C:\Windows\System32\ntdll.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\ntdll.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\wow64.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\wow64.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\wow64win.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\wow64win.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\wow64cpu.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\wow64cpu.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\kernel32.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\kernel32.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\kernel32.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\kernel32.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\user32.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\user32.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\ntdll.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\ntdll.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\apisetschema.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\apisetschema.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\KernelBase.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\KernelBase.dll
14:46:55.793 | Open | 2860 | C:\Windows\System32\locale.nls
14:46:55.793 | Unknown | 2860 | C:\Windows\System32\locale.nls
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\schtasks.exe
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\schtasks.exe
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\msvcrt.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\msvcrt.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\user32.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\user32.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\gdi32.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\gdi32.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\lpk.dll
14:46:55.793 | Unknown | 2860 | C:\Windows\SysWOW64\lpk.dll
14:46:55.793 | Open | 2860 | C:\Windows\SysWOW64\usp10.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\usp10.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\advapi32.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\advapi32.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcrt4.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcrt4.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sspicli.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sspicli.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\cryptbase.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ole32.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ole32.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\oleaut32.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\oleaut32.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\shlwapi.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\shlwapi.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msctf.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msctf.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nls
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\clbcatq.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\clbcatq.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
18/2/2020 - 14:46:55.793Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
18/2/2020 - 14:46:55.793Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\pt-BR\KernelBase.dll.muiKernelBase.dll.mui
18/2/2020 - 14:46:55.809Read2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:55.809Read2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
18/2/2020 - 14:46:55.809Read2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\locale.nls
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\pt-BR\KernelBase.dll.muiKernelBase.dll.mui
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\ntdll.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\kernel32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\kernel32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\user32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ntdll.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msvcrt.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\user32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\gdi32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\lpk.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\usp10.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\advapi32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcrt4.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sspicli.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ole32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\oleaut32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\shlwapi.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\msctf.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\clbcatq.dll
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exe\Device\HarddiskVolume2
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64win.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64cpu.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\System32\wow64log.dll
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows
18/2/2020 - 14:46:55.809Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows
18/2/2020 - 14:46:55.809Open2860C:\Windows\SysWOW64\schtasks.exeC:\Monitor
18/2/2020 - 14:46:56.28Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
18/2/2020 - 14:46:56.28Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\sechost.dll
18/2/2020 - 14:46:56.28Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
18/2/2020 - 14:46:56.28Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\ktmw32.dll
18/2/2020 - 14:46:56.28Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:56.28Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\imm32.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\version.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nls
18/2/2020 - 14:46:56.43Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcss.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\rpcss.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
18/2/2020 - 14:46:56.43Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\uxtheme.dll
18/2/2020 - 14:46:56.231Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
18/2/2020 - 14:46:56.231Open2860C:\Windows\SysWOW64\schtasks.exeC:\Windows\SysWOW64\taskschd.dll
18/2/2020 - 14:46:56.278Open2860C:\Windows\SysWOW64\schtasks.exeC:\Behemot.XML
18/2/2020 - 14:46:56.278Read2860C:\Windows\SysWOW64\schtasks.exeC:\Behemot.XML
18/2/2020 - 14:46:56.278Read2860C:\Windows\SysWOW64\schtasks.exeC:\Behemot.XML
18/2/2020 - 14:46:56.715Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Windows
18/2/2020 - 14:46:56.715Unknown2860C:\Windows\SysWOW64\schtasks.exeC:\Monitor
18/2/2020 - 14:46:57.747Open1480C:\malware.exeC:\Behemot.XML
18/2/2020 - 14:46:57.747Unknown1480C:\malware.exeC:\Behemot.XML
18/2/2020 - 14:46:57.747Open1480C:\malware.exeC:\Behemot.XML
18/2/2020 - 14:46:57.747Open1480C:\malware.exeC:\Monitor\Files\DeletedFiles
18/2/2020 - 14:46:57.747Delete1480C:\malware.exeC:\Behemot.XML
18/2/2020 - 14:46:57.747Unknown1480C:\malware.exeC:\Behemot.XML
18/2/2020 - 14:46:57.747Open1480C:\malware.exeC:\Behemot.XML

Process
Trace
Timestamp | Operation | PID | Process | Target PID | Target Process
18/2/2020 - 14:46:51.731 | Create | 1480 | C:\malware.exe | 2608 | C:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:52.247 | Terminate | 1480 | C:\malware.exe | 2608 | C:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:55.747 | Create | 1480 | C:\malware.exe | 2860 | C:\Windows\SysWOW64\schtasks.exe
18/2/2020 - 14:46:56.715 | Terminate | 1480 | C:\malware.exe | 2860 | C:\Windows\SysWOW64\schtasks.exe

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace

File Summary
Created
Identified: True

Deleted
Identified: True

Process Summary
Created
Identified: True

Deleted
Identified: True

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: False

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query
localhost -> gateway:DNS  query: www.aura.krakow.pl.
localhost -> gateway:50273  query: www.aura.krakow.pl.

Response
gateway:DNS -> localhost  www.aura.krakow.pl.  answer: 193.105.32.185


TCP
Info
localhost:65191 -> 193.105.32.185:80
193.105.32.185:80 -> localhost:65191

UDP
Info
localhost:50273 -> localhost:53
localhost:53 -> localhost:50273

HTTP
Info
localhost  POST www.aura.krakow.pl  /wp-content/uploads/2009/08/imagem07/index.php

Summary
DNS
True

TCP
True

UDP
True

HTTP
True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 97.71%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 97.76%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware)
confidence: 83.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 79.63%
suspicious: True

LightGDM (Ember: File Characteristics, Threshold=0.8336)
confidence: 36.76%
suspicious: False
