Report #725

  • Creation Date: Oct. 19, 2019, 2:57 a.m.
  • Last Update: Oct. 19, 2019, 8:45 a.m.
  • File: 033
  • Results:
Binary
DLL
False
Size
1.12MB
trid
41.0% Win32 Executable MS Visual C++
36.3% Win64 Executable
8.6% Win32 Dynamic Link Library
5.9% Win32 Executable
2.6% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
5f4630033ddf3462183589e996d055a9
sha1
0f7196a2ee50dc0e485345f5c9301c30fadbc948
crc32
0xb81bc161
sha224
44f8dda9f40a946e5c609b4b0a59ddc30d5821856422cf27581f7eae
sha256
a3a67f81c53b16de1e921e3cc7b3bf5315ca2bb7141bd952c353f6d5765a145e
sha384
f530ccf723837dc98159030df733048eb3bba9039cad03bc5e89e097359cab9c789c8117357219275620062297c5ac64
sha512
0f258fbaaad0afbf7bcd561304e628a7f648893195af8707dce737cab22a12d6082a30c470da025fd2ae345d1d82bb766e71f81d828505e54912a108a1caac87
ssdeep
24576:F31SZSaMidm23AzTOAV4xhFIaSV5VZZGSDNVwftoJNDBki+4K4zI4VX9ImOfj:FwZSTidmvuAGhFA54qVwfoNDBkirJzIP
Community
Google
True
HashLib
False
YARA
Matches
maldoc_getEIP_method_1, domain, IP, Dropper_Strings, HasDebugData, network_dropper, escalate_priv, XMRIG_Miner, HasRichSignature, DebuggerException__SetConsoleCtrl, Microsoft_Visual_Cpp_v50v60_MFC, create_service, network_dns, win_files_operation, IsPE32, RijnDael_AES_CHAR, contentis_base64, network_tcp_socket, win_token, win_mutex, keylogger, maldoc_find_kernel32_base_method_1, IsWindowsGUI, inject_thread, network_udp_sock, anti_dbg, network_tcp_listen, DebuggerCheck__QueryInfo, WMI_strings, win_registry, RijnDael_AES_LONG, System_Tools

Suspicious
True

Strings
List
.minergate.com
.minergate.com
SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'taskmgr.exe'
.nicehash.com
.nicehash.com
E:\Conding\xmrig\back\Monero_Loader\Release\xmrig.pdb
Software\Microsoft\Windows\CurrentVersion\Uninstall\{A16390FC-9D81-43B1-8A3C-82802F608193}
%stmp%d.exe
WINHTTP.dll
ROOT\CIMV2
ROOT\CIMV2
svchost.exe
svchost.exe
taskmgr.exe
\svchost.exe
Z.zw
z.yT
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "%s"
config.json
config.json
WS2_32.dll
WS2_32.dll
WS2_32.dll
SYSTEMROOT=
SYSTEMROOT=
powrprof.dll
powrprof.dll
0.0.0.0
0.0.0.0
ntdll.dll
ntdll.dll
urlmon.dll
ntdll.dll
ntdll.dll
[%s:%u] DNS error: "No IPv4 (A) or IPv6 (AAAA) records found"
[%s:%u] DNS error: "No IPv4 (A) or IPv6 (AAAA) records found"
Error %u in WinHttpReadData.
network is down
network is down
machine is not on the network
machine is not on the network
socket is not connected
host is down
socket is not connected
host is down
Command for %d
kill process %ls
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
kill service %ls
SeDebugPrivilege
[0m (%lld/%lld) diff
[0m (%lld/%lld) diff
[0m (%lld/%lld) diff
[0m (%lld/%lld) diff
fD>r+I
""fD**~T
""fD**~T
[0m from
[0m from
__InstanceDeletionEvent
t/fD
Comments must start with /
oA@fD
oA@fD
HVIM"
fr-ch
fr-ca
fr-be
fr-be
fr-ca
fr-ch
operator ""
operator ""
fD90t
%s/%s (Windows NT %lu.%lu
%s/%s (Windows NT %lu.%lu
donate-level
donate-level
donate-level
donate-level
@E%O%O%uR
9%9F9L9p9t9y9
R%-a%
fO%A;
/c @ping -n 5 127.0.0.1&del
no space on device
no space on device
no such process
No such process
no such process
%d process kill sec! by: %d
msvc/%d
msvc/%d
MSVC/%d
MSVC/%d
CreateProcessW szCommand = %ls ok!
resource deadlock would occur
resource deadlock would occur
libuv/%s

Foremost
Matches
0.exe, 1 MB
Suspicious
True
Heuristics
IPs
hasIPs: True
Allowed: 127.0.0.1, 1, localhost.
Suspicious
hasAllowed: True
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: Kernel32.dll, WUSER32.DLL, Aapi-ms-win-core-synch-l1-2-0.dll, nKERNEL32.DLL, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, mscoree.dll, ADVAPI32.dll, OLEAUT32.dll, urlmon.dll, shlwapi.dll, user32.dll, SHELL32.dll, WINHTTP.dll, WS2_32.dll, PSAPI.DLL, msvcrt.dll, ole32.dll, powrprof.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 1029632
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .text, .rdata, .data, .rsrc, .reloc, p
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 5
Suspicious: False
Image
Version: 5
Suspicious: True
Linker
Version: 10.0
Suspicious: False
Subsystem
Version: 5.1
Suspicious: False
Suspicious: False

EntryPoint
Address: 1179648
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: kernel32.dll, ntdll.dll, api-ms-win-core-synch-l1-2-0.dll, mscoree.dll, advapi32.dll, oleaut32.dll, urlmon.dll, shlwapi.dll, user32.dll, shell32.dll, winhttp.dll, ws2_32.dll, psapi.dll, msvcrt.dll, ole32.dll, powrprof.dll
hasLibs: True
Suspicious: wuser32.dll, aapi-ms-win-core-synch-l1-2-0.dll, nkernel32.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2018-05-18 01:51:21
Future: False

Compilation
Packed: False
Missing: True
Packers
Compiled: False
Compilers

Obfuscation
XOR: True
Fuzzing: True

PEDetector
Matches
1156209
Suspicious
True
Disassembly
hasTricks
True
Tricks
ldr
.data: 2
.reloc: 1

pushret
.data: 123
.text: 2
.reloc: 8

nopsequence
.data: 15

pushpopmath
.data: 155
.text: 5
.rdata: 5
.reloc: 11

sizeofimage
.data: 1
.reloc: 1

ss register
.data: 2

garbagebytes
.data: 43
.text: 2
.reloc: 2

hookdetection
.data: 6
.reloc: 1

stealthimport
.data: 3
.text: 1

peb ntglobalflag
.data: 1

isdebbugerpresent
.data: 1

software breakpoint
.data: 20

fakeconditionaljumps
.data: 4

programcontrolflowchange
.data: 39
.text: 2
.reloc: 2

cpuinstructionsresultscomparison
.data: 20

AVclass
wapomi
1
VirusTotal
md5
5f4630033ddf3462183589e996d055a9
sha1
0f7196a2ee50dc0e485345f5c9301c30fadbc948
SCANS (DETECTION RATE = 90.00%)
AVG
result: Win32:Rootkit-gen [Rtk]
update: 20191019
version: 18.4.3895.0
detected: True

CMC
update: 20190321
version: 1.1.0.977
detected: False

MAX
result: malware (ai score=100)
update: 20191019
version: 2019.9.16.1
detected: True

APEX
result: Malicious
update: 20191019
version: 5.75
detected: True

Bkav
result: W32.FamVT.DumpModuleInfectiousNME.PE
update: 20191018
version: 1.3.0.10239
detected: True

K7GW
result: Virus ( 0040f7441 )
update: 20191010
version: 11.72.32236
detected: True

ALYac
result: Win32.VJadtre.3
update: 20191019
version: 1.1.1.5
detected: True

Avast
result: Win32:Rootkit-gen [Rtk]
update: 20191019
version: 18.4.3895.0
detected: True

Avira
result: W32/Jadtre.B
update: 20191019
version: 8.3.3.8
detected: True

Baidu
result: Win32.Virus.Otwycal.d
update: 20190318
version: 1.0.0.2
detected: True

Cyren
result: W32/PatchLoad.E
update: 20191019
version: 6.2.2.2
detected: True

DrWeb
result: BackDoor.Darkshell.246
update: 20191019
version: 7.0.41.7240
detected: True

GData
result: Win32.Virus.Wapomi.A
update: 20191019
version: A:25.23719B:26.16341
detected: True

Panda
result: W32/Pcarrier.A
update: 20191018
version: 4.6.4.2
detected: True

VBA32
result: Virus.Nimnul.19209
update: 20191018
version: 4.2.0
detected: True

VIPRE
result: Virus.Win32.Small.acea (v)
update: 20191019
version: 78688
detected: True

Zoner
result: Virus.Win32.23755
update: 20191019
version: 1.0.0.1
detected: True

ClamAV
result: Win.Trojan.Coinminer-6443183-1
update: 20191018
version: 0.102.0.0
detected: True

Comodo
result: Virus.Win32.Wali.KA@558nxg
update: 20191019
version: 31619
detected: True

F-Prot
result: W32/PatchLoad.E
update: 20191019
version: 4.7.1.166
detected: True

Ikarus
result: Generic.Application
update: 20191018
version: 0.1.5.2
detected: True

McAfee
result: W32/Kudj
update: 20191019
version: 6.0.6.653
detected: True

Rising
result: PUF.CoinMiner!1.B033 (CLASSIC)
update: 20191019
version: 25.0.0.24
detected: True

Sophos
result: W32/Nimnul-A
update: 20191019
version: 4.98.0
detected: True

Yandex
update: 20191018
version: 5.5.2.24
detected: False

Zillya
result: Virus.Nimnul.Win32.5
update: 20191018
version: 2.0.0.3929
detected: True

Acronis
result: suspicious
update: 20191018
version: 1.1.1.58
detected: True

Alibaba
result: Trojan:Win32/dark.ali1000040
update: 20190527
version: 0.3.0.5
detected: True

Arcabit
update: 20191019
version: 1.0.0.859
detected: False

Cylance
result: Unsafe
update: 20191019
version: 2.3.1.101
detected: True

Endgame
result: malicious (high confidence)
update: 20190918
version: 3.0.15
detected: True

FireEye
result: Generic.mg.5f4630033ddf3462
update: 20191019
version: 29.7.0.0
detected: True

TACHYON
result: Virus/W32.Ramnit.C
update: 20191019
version: 2019-10-19.01
detected: True

Tencent
result: Virus.Win32.Loader.aab
update: 20191019
version: 1.0.0.1
detected: True

ViRobot
result: Win32.Ramnit.F
update: 20191018
version: 2014.3.20.0
detected: True

Webroot
result: W32.Small.Acea
update: 20191019
version: 1.0.0.403
detected: True

eGambit
result: Unsafe.AI_Score_99%
update: 20191019
version: v5.0.6
detected: True

Ad-Aware
result: Win32.VJadtre.3
update: 20191019
version: 3.0.5.370
detected: True

AegisLab
result: Virus.Win32.Nimnul.m1R5
update: 20191019
version: 4.2
detected: True

Emsisoft
result: Win32.VJadtre.3 (B)
update: 20191019
version: 2018.12.0.1641
detected: True

F-Secure
result: Malware.W32/Jadtre.B
update: 20191019
version: 12.0.86.52
detected: True

Fortinet
result: W32/Nimnul.F
update: 20191019
version: 5.4.247.0
detected: True

Invincea
result: heuristic
update: 20190904
version: 6.3.6.26157
detected: True

Jiangmin
result: Win32/Nimnul.f
update: 20191019
version: 16.0.100
detected: True

Kingsoft
update: 20191019
version: 2013.8.14.323
detected: False

Paloalto
result: generic.ml
update: 20191019
version: 1.0
detected: True

Symantec
result: W32.Wapomi.C!inf
update: 20191018
version: 1.11.0.0
detected: True

Trapmine
result: malicious.high.ml.score
update: 20190826
version: 3.1.81.800
detected: True

AhnLab-V3
result: Win32/VJadtre.Gen
update: 20191018
version: 3.16.3.25410
detected: True

Antiy-AVL
result: Virus/Win32.Nimnul.f
update: 20191019
version: 3.0.0.1
detected: True

Kaspersky
result: Virus.Win32.Nimnul.f
update: 20191019
version: 15.0.1.13
detected: True

Microsoft
result: Trojan:Win32/CoinMiner.AC!bit
update: 20191019
version: 1.1.16500.1
detected: True

Qihoo-360
result: Virus.Win32.Agent.P
update: 20191019
version: 1.0.0.1120
detected: True

ZoneAlarm
result: Virus.Win32.Nimnul.f
update: 20191019
version: 1.0
detected: True

Cybereason
result: malicious.33ddf3
update: 20190616
version: 1.2.449
detected: True

ESET-NOD32
result: Win32/Wapomi.BA
update: 20191019
version: 20205
detected: True

TrendMicro
result: PE_WAPOMI.BM
update: 20191019
version: 11.0.0.1006
detected: True

BitDefender
result: Win32.VJadtre.3
update: 20191019
version: 7.2
detected: True

CrowdStrike
result: win/malicious_confidence_90% (W)
update: 20190702
version: 1.0
detected: True

K7AntiVirus
result: Virus ( 0040f7441 )
update: 20191018
version: 11.73.32315
detected: True

SentinelOne
result: DFI - Malicious PE
update: 20190807
version: 1.0.31.22
detected: True

Avast-Mobile
update: 20191012
version: 191012-04
detected: False

Malwarebytes
update: 20191019
version: 2.1.1.1115
detected: False

TotalDefense
result: Win32/Nimnul.A
update: 20191018
version: 37.1.62.1
detected: True

CAT-QuickHeal
result: W32.Nimnul.F1
update: 20191018
version: 14.00
detected: True

NANO-Antivirus
result: Trojan.Win32.Banload.cstqaj
update: 20191019
version: 1.0.134.24859
detected: True

MicroWorld-eScan
result: Win32.VJadtre.3
update: 20191019
version: 14.0.297.0
detected: True

SUPERAntiSpyware
update: 20191019
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
result: BehavesLike.Win32.Kudj.th
update: 20191018
version: v2017.3010
detected: True

TrendMicro-HouseCall
result: PE_WAPOMI.BM
update: 20191019
version: 10.0.0.1040
detected: True

total
70
sha256
a3a67f81c53b16de1e921e3cc7b3bf5315ca2bb7141bd952c353f6d5765a145e
scan_id
a3a67f81c53b16de1e921e3cc7b3bf5315ca2bb7141bd952c353f6d5765a145e-1571461252
resource
5f4630033ddf3462183589e996d055a9
positives
63
scan_date
2019-10-19 05:00:52
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace (each line below runs together five columns with no separator: timestamp, file operation (Open/Read/Write/Unknown), process id, process image, target path; some lines additionally repeat the target file name at the end)
19/10/2019 - 7:45:43.168Open1480C:\malware.exeC:\ProgramData
19/10/2019 - 7:45:43.168Open1480C:\malware.exeC:\ProgramData
19/10/2019 - 7:45:43.168Unknown1480C:\malware.exeC:\ProgramData
19/10/2019 - 7:45:43.168Open1480C:\malware.exeC:\ProgramData\National
19/10/2019 - 7:45:43.168Open1480C:\malware.exeC:\ProgramData\National
19/10/2019 - 7:45:43.168Unknown1480C:\malware.exeC:\ProgramData\National
19/10/2019 - 7:45:43.231Open1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Unknown1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Open1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Open1480C:\malware.exeC:\ProgramData\National\loader_xmr.exe
19/10/2019 - 7:45:43.231Unknown1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Open1480C:\malware.exeC:\ProgramData\National\loader_xmr.exe
19/10/2019 - 7:45:43.231Unknown1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Read1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Read1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Read1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Read1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Read1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Write1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:43.231Unknown1480C:\malware.exeC:\ProgramData\National\loader_xmr.exeloader_xmr.exe
19/10/2019 - 7:45:44.28Open1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:44.28Unknown1480C:\malware.exeC:\malware.exe
19/10/2019 - 7:45:44.28Open1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.28Open1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.28Open1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.59Unknown1480C:\malware.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\
19/10/2019 - 7:45:44.59Unknown1480C:\malware.exeC:\
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows
19/10/2019 - 7:45:44.59Unknown1480C:\malware.exeC:\Windows
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.59Unknown1480C:\malware.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.59Unknown1480C:\malware.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.59Read1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.59Read1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.59Read1480C:\malware.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.59Open1480C:\malware.exeC:\Windows\SysWOW64\ui\SwDRM.dll
19/10/2019 - 7:45:44.90Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Prefetch\CMD.EXE-AC113AA8.pf
19/10/2019 - 7:45:44.90Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\Prefetch\CMD.EXE-AC113AA8.pfCMD.EXE-AC113AA8.pf
19/10/2019 - 7:45:44.90Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\Prefetch\CMD.EXE-AC113AA8.pfCMD.EXE-AC113AA8.pf
19/10/2019 - 7:45:44.90Unknown1480C:\malware.exeC:\Windows
19/10/2019 - 7:45:44.90Unknown1480C:\malware.exeC:\Monitor
19/10/2019 - 7:45:44.90Open952C:\Windows\SysWOW64\cmd.exe\Device\HarddiskVolume2
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\apisetschema.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\locale.nls
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\locale.nls
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\user32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\user32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\gdi32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\gdi32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\lpk.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\lpk.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\usp10.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\usp10.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\advapi32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\advapi32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\rpcrt4.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\rpcrt4.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sspicli.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sspicli.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cryptbase.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msctf.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msctf.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nls
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\BOOTSECT.EXE
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 7:45:44.106Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 7:45:44.106Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp\TMP000000032EDF9B37C5E17B29
19/10/2019 - 7:45:44.106Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.106Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\locale.nls
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 7:45:44.122Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\BOOTSECT.EXE
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Temp\TMP000000032EDF9B37C5E17B29
19/10/2019 - 7:45:44.122Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.122Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.122Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.122Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.122Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\ntdll.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\kernel32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\kernel32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\user32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ntdll.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\apisetschema.dllapisetschema.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\KernelBase.dllKernelBase.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msvcrt.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\user32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\gdi32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\lpk.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\usp10.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\advapi32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\rpcrt4.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sspicli.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cryptbase.dllcryptbase.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\msctf.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 7:45:44.122Unknown952C:\Windows\SysWOW64\cmd.exe\Device\HarddiskVolume2
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.122Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.137Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.137Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.137Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64log.dll
19/10/2019 - 7:45:44.137Open952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.137Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.137Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.528Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nls
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:45:44.528Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\apphelp.dll
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.543Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:45:44.543Unknown952C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.543Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.543Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.543Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:44.543Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:44.543Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:44.543Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\ui\SwDRM.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\Prefetch\PING.EXE-371F41E2.pf
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64win.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\System32\wow64log.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows
19/10/2019 - 7:45:44.606Unknown2940C:\Windows\SysWOW64\PING.EXEC:\Windows
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Monitor
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\IPHLPAPI.DLL
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\IPHLPAPI.DLL
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\winnsi.dll
19/10/2019 - 7:45:44.606Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\winnsi.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:45:44.622Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\pt-BR\ping.exe.mui
19/10/2019 - 7:45:44.622Read2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\pt-BR\ping.exe.muiping.exe.mui
19/10/2019 - 7:45:44.637Read2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:44.684Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\Globalization\Sorting\SortDefault.nls
19/10/2019 - 7:45:44.684Unknown2940C:\Windows\SysWOW64\PING.EXEC:\Windows\Globalization\Sorting\SortDefault.nlsSortDefault.nls
19/10/2019 - 7:45:45.200Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\mswsock.dll
19/10/2019 - 7:45:45.200Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\mswsock.dll
19/10/2019 - 7:45:45.200Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\WSHTCPIP.DLL
19/10/2019 - 7:45:45.200Open2940C:\Windows\SysWOW64\PING.EXEC:\Windows\SysWOW64\WSHTCPIP.DLL
19/10/2019 - 7:45:49.981Unknown2940C:\Windows\SysWOW64\PING.EXEC:\Windows
19/10/2019 - 7:45:49.981Unknown2940C:\Windows\SysWOW64\PING.EXEC:\Monitor
19/10/2019 - 7:45:50.28Read952C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:45:50.28Unknown952C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Unknown952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor\Malware
19/10/2019 - 7:45:50.28Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor\Malware
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Unknown952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor\Malware
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\Monitor\Files\DeletedFiles
19/10/2019 - 7:45:50.28Delete952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Unknown952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.43Unknown952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.43Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor\Malware
19/10/2019 - 7:45:50.43Unknown952C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:45:50.43Unknown952C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Monitor
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Monitor
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Write2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\AppPatch\sysmain.sdb
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Read2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.153Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.168Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.168Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:47:30.168Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:47:30.168Open2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:47:30.168Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:47:30.168Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
19/10/2019 - 7:47:30.450Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows
19/10/2019 - 7:47:30.450Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Monitor
19/10/2019 - 7:47:30.450Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
19/10/2019 - 7:47:30.450Unknown2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\winbrand.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\sechost.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\imm32.dll
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Monitor
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Monitor\"C:\Users\Behemot\AppData\Local\Temp\2585638b.bat"
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.731Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Read948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Read948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Monitor\Files\DeletedFiles
19/10/2019 - 7:47:30.747Delete948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Read948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Read948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Monitor\Files\DeletedFiles
19/10/2019 - 7:47:30.747Delete948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Unknown948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp
19/10/2019 - 7:47:30.747Open948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.762Unknown948C:\Windows\SysWOW64\cmd.exeC:\Windows
19/10/2019 - 7:47:30.762Unknown948C:\Windows\SysWOW64\cmd.exeC:\Monitor

Process
Trace
Time | Op | Parent (PID image) | Process (PID image)
19/10/2019 - 7:45:44.59 | Create | 1480 C:\malware.exe | 952 C:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.543 | Create | 952 C:\Windows\SysWOW64\cmd.exe | 2940 C:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:49.981 | Terminate | 952 C:\Windows\SysWOW64\cmd.exe | 2940 C:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:50.43 | Terminate | 1480 C:\malware.exe | 952 C:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:47:30.450 | Terminate | 1480 C:\malware.exe | 2108 C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747 | Terminate | 2108 C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe | 948 C:\Windows\SysWOW64\cmd.exe
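
The process and file traces above record a two-stage cleanup: malware.exe (PID 1480) spawns cmd.exe (952), which runs PING.EXE (2940) for roughly five seconds and then deletes C:\malware.exe; later the dropped KLAUCV.exe (2108) writes 2585638b.bat, and the cmd.exe it spawns (948) reads the batch file, deletes KLAUCV.exe and then deletes the batch file itself. The Python below is an added example, not code from the sandbox or from this report. It parses the sandbox's run-together trace rows (recovering the columns by anchoring on the timestamp, the operation name, the PID and the "C:\" that starts each path is an assumption about this rendering, not a documented format) and flags a Delete whose target is the image of the deleting process or of one of its ancestors, plus the read-then-delete of a script by the same cmd.exe. The embedded rows are a subset copied from the traces on this page.

```python
"""Flag the cleanup pattern recorded in this report's traces: a child cmd.exe
deletes the image of the process that spawned it (after a PING.EXE delay in
the first stage), and a helper batch file is read and then deleted."""
import re

# Rows copied from this report's Process Trace and File Trace (a subset).
# The sandbox renders each row with its columns run together; the regexes
# below recover the columns by anchoring on the timestamp, the operation
# name, the PID and the "C:\" that starts each path (an assumption about
# this sandbox's output, not a documented format).
PROCESS_TRACE = r"""
19/10/2019 - 7:45:44.59Create1480C:\malware.exe952C:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:45:44.543Create952C:\Windows\SysWOW64\cmd.exe2940C:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:49.981Terminate952C:\Windows\SysWOW64\cmd.exe2940C:\Windows\SysWOW64\PING.EXE
19/10/2019 - 7:45:50.43Terminate1480C:\malware.exe952C:\Windows\SysWOW64\cmd.exe
19/10/2019 - 7:47:30.450Terminate1480C:\malware.exe2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Terminate2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe948C:\Windows\SysWOW64\cmd.exe
"""
FILE_TRACE = r"""
19/10/2019 - 7:45:44.137Open952C:\Windows\SysWOW64\cmd.exeC:\Windows\System32\wow64cpu.dll
19/10/2019 - 7:45:50.28Open952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:45:50.28Delete952C:\Windows\SysWOW64\cmd.exeC:\malware.exe
19/10/2019 - 7:47:30.153Write2108C:\Users\Behemot\AppData\Local\Temp\KLAUCV.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Read948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
19/10/2019 - 7:47:30.747Delete948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\KLAUCV.exe
19/10/2019 - 7:47:30.747Delete948C:\Windows\SysWOW64\cmd.exeC:\Users\Behemot\AppData\Local\Temp\2585638b.bat
"""

TS = r"(?P<ts>\d{2}/\d{2}/\d{4} - \d{1,2}:\d{2}:\d{2}\.\d+)"
FILE_ROW = re.compile(TS + r"(?P<op>Open|Read|Write|Delete|Unknown)(?P<pid>\d+)"
                      r"(?P<proc>C:\\.*?)(?P<target>C:\\.*)$")
PROC_ROW = re.compile(TS + r"(?P<op>Create|Terminate)(?P<ppid>\d+)"
                      r"(?P<parent>C:\\.*?)(?P<cpid>\d+)(?P<child>C:\\.*)$")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def parse_process_trace(text):
    """Map PID -> image and child PID -> parent PID, and note which PIDs
    spawned PING.EXE. Terminate rows are used as well as Create rows
    because, as in this report, a child's Create row can be missing."""
    image_of, parent_of, spawned_ping = {}, {}, set()
    for line in text.splitlines():
        m = PROC_ROW.match(line)
        if not m:
            continue
        ppid, cpid = int(m["ppid"]), int(m["cpid"])
        image_of[ppid], image_of[cpid] = m["parent"], m["child"]
        parent_of[cpid] = ppid
        if m["op"] == "Create" and m["child"].lower().endswith("\\ping.exe"):
            spawned_ping.add(ppid)
    return image_of, parent_of, spawned_ping


def ancestors(pid, parent_of):
    """PID followed by its parent, grandparent, ... (cycle-safe)."""
    chain = []
    while pid is not None and pid not in chain:
        chain.append(pid)
        pid = parent_of.get(pid)
    return chain


def find_cleanup(file_trace, process_trace):
    """Return the suspicious Delete events found in the file trace."""
    image_of, parent_of, spawned_ping = parse_process_trace(process_trace)
    written_by, read_by, hits = {}, {}, []
    for line in file_trace.splitlines():
        m = FILE_ROW.match(line)
        if not m:
            continue
        pid, op, target = int(m["pid"]), m["op"], m["target"]
        key = target.lower()
        if op == "Write":
            written_by[key] = pid
        elif op == "Read":
            read_by.setdefault(key, set()).add(pid)
        elif op == "Delete":
            # The deleted file is the image of the deleter or of an ancestor.
            for depth, anc in enumerate(ancestors(pid, parent_of)):
                if image_of.get(anc, "").lower() == key:
                    hits.append({"kind": "image_self_delete", "ts": m["ts"],
                                 "deleter": pid, "owner": anc, "depth": depth,
                                 "path": target,
                                 "ping_delay": pid in spawned_ping})
                    break
            # A script the deleter itself read earlier is removed after use.
            if key.endswith(SCRIPT_EXT) and pid in read_by.get(key, ()):
                hits.append({"kind": "script_cleanup", "ts": m["ts"],
                             "deleter": pid, "path": target,
                             "written_by": written_by.get(key)})
    return hits


if __name__ == "__main__":
    for hit in find_cleanup(FILE_TRACE, PROCESS_TRACE):
        print(hit)
```

Run against the rows above it reports three events: cmd.exe 952 deleting its parent's image C:\malware.exe after spawning PING.EXE, cmd.exe 948 deleting its parent KLAUCV.exe with no ping delay, and the same cmd.exe deleting the batch file that KLAUCV.exe wrote. Walking the parent chain rather than only checking the deleter's own image is what makes the cmd.exe indirection visible; the `ping_delay` flag distinguishes the "wait for the parent to exit, then delete" variant from an immediate delete.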

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace
Time | Op | Process (PID image) | Key
19/10/2019 - 7:45:44.28 | Write | 1480 C:\malware.exe | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NationalDescription

File Summary
Created
Identified: True

Deleted
Identified: True

Process Summary
Created
Identified: True

Deleted
Identified: True

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query
localhost -> gateway:50273  ddos.dnsnb8.net.
localhost -> gateway:DNS  xmr.crypto-pool.fr.
localhost -> gateway:DNS  ddos.dnsnb8.net.

Response
gateway:DNS -> localhost  xmr.crypto-pool.fr. answer 195.154.62.247
gateway:DNS -> localhost  ddos.dnsnb8.net. answer 185.87.187.198

TCP
Info
localhost:65194 -> 185.87.187.198:799
localhost:65200 -> 185.87.187.198:799
localhost:65192 -> 185.87.187.198:799
163.172.207.88:80 -> localhost:65201
localhost:65199 -> 185.87.187.198:799
localhost:65198 -> 185.87.187.198:799
localhost:65193 -> 185.87.187.198:799
localhost:65195 -> 185.87.187.198:799
localhost:65196 -> 185.87.187.198:799
localhost:65191 -> 185.87.187.198:799
localhost:65197 -> 185.87.187.198:799
localhost:65201 -> 163.172.207.88:80

UDP
Info
localhost:55394 -> localhost:53
localhost:50273 -> localhost:53
localhost:53 -> localhost:50273
localhost:53 -> localhost:55394
localhost:67 -> localhost:68
localhost:68 -> 255.255.255.255:67

HTTP
Info

Summary
DNS
True

TCP
True

UDP
True

HTTP
False
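
The DNS and TCP listings above show ddos.dnsnb8.net resolving to 185.87.187.198 followed by ten connections from successive local ports to that address on TCP/799, one exchange with 163.172.207.88:80 for which no DNS answer appears in the capture, and the mining-pool hostname xmr.crypto-pool.fr resolving to 195.154.62.247 with no TCP connection to it recorded. The Python below is an added example, not code from the sandbox or from this report. It correlates the two listings so each remote endpoint is reported with the hostname that resolved to it, the number of distinct local source ports that reached it, whether the address came from a DNS answer at all, and whether the port is a web port; it also lists names that resolved but were never contacted. The embedded rows are those from this page, with the web view's icon labels (computer, arrow_forward, reply_all) dropped and the direction written as "->".

```python
"""Correlate the sandbox's DNS answers with its TCP flow list."""
import re
from collections import defaultdict

# DNS answers and TCP flows from this report, icon labels dropped.
DNS_ANSWERS = """
gateway:DNS -> localhost  xmr.crypto-pool.fr. answer 195.154.62.247
gateway:DNS -> localhost  ddos.dnsnb8.net. answer 185.87.187.198
"""
TCP_FLOWS = """
localhost:65194 -> 185.87.187.198:799
localhost:65200 -> 185.87.187.198:799
localhost:65192 -> 185.87.187.198:799
163.172.207.88:80 -> localhost:65201
localhost:65199 -> 185.87.187.198:799
localhost:65198 -> 185.87.187.198:799
localhost:65193 -> 185.87.187.198:799
localhost:65195 -> 185.87.187.198:799
localhost:65196 -> 185.87.187.198:799
localhost:65191 -> 185.87.187.198:799
localhost:65197 -> 185.87.187.198:799
localhost:65201 -> 163.172.207.88:80
"""

ANSWER = re.compile(r"(?P<name>[\w.-]+\.)\s+answer\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")
FLOW = re.compile(r"^(?P<src>\S+):(?P<sport>\d+)\s*->\s*(?P<dst>\S+):(?P<dport>\d+)$")
WEB_PORTS = {80, 443, 8080}


def parse_dns(text):
    """Map answered IP -> set of hostnames (trailing dot removed)."""
    names = defaultdict(set)
    for line in text.splitlines():
        m = ANSWER.search(line)
        if m:
            names[m["ip"]].add(m["name"].rstrip("."))
    return names


def summarize_flows(dns_text, tcp_text):
    """Return (per-endpoint report sorted by connection count, resolved-but-
    never-contacted IPs). Either direction of a flow counts once, keyed by
    the remote side; 'localhost' is the sandbox VM in this listing."""
    names = parse_dns(dns_text)
    local_ports = defaultdict(set)  # (remote_ip, remote_port) -> local ports
    for line in tcp_text.splitlines():
        m = FLOW.match(line.strip())
        if not m:
            continue
        if m["src"] == "localhost":
            remote, lport = (m["dst"], int(m["dport"])), int(m["sport"])
        elif m["dst"] == "localhost":
            remote, lport = (m["src"], int(m["sport"])), int(m["dport"])
        else:
            continue
        local_ports[remote].add(lport)

    report = []
    for (ip, port), lports in sorted(local_ports.items(),
                                     key=lambda kv: -len(kv[1])):
        report.append({
            "ip": ip, "port": port,
            "hostnames": sorted(names.get(ip, ())),
            "connections": len(lports),
            "resolved_by_dns": ip in names,
            "non_web_port": port not in WEB_PORTS,
        })
    contacted = {ip for ip, _ in local_ports}
    unused = {ip: sorted(ns) for ip, ns in names.items() if ip not in contacted}
    return report, unused


if __name__ == "__main__":
    endpoints, never_contacted = summarize_flows(DNS_ANSWERS, TCP_FLOWS)
    for e in endpoints:
        print(e)
    print("resolved but not contacted:", never_contacted)
```

On these rows the summary is 185.87.187.198:799 (ddos.dnsnb8.net, 10 connections, non-web port), 163.172.207.88:80 (no DNS answer seen, 1 connection) and 195.154.62.247 (xmr.crypto-pool.fr) resolved but never contacted; a hard-coded address with no preceding lookup and a repeated beacon to a non-web port are the two endpoints to carry into blocking and hunting.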

Results
Classifier | Confidence | Suspicious
KNN (K=3, NFS-BRMalware) | 66.67% | False
Decision Tree (NFS-BRMalware) | 100.00% | True
SVC (Kernel=Linear, NFS-BRMalware) | 92.55% | False
Random Forest (100 estimators, NFS-BRMalware) | 63.33% | False