Report #7758

Binary
DLL: False
Size: 817.50KB
trid:
38.9% Windows screen saver
29.7% DOS Borland compiled Executable
13.4% Win32 Executable
6.0% OS/2 Executable
5.9% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows GUI
Hashes
md5: 860099a021b17248f6001b2fab80543c
sha1: d42e532711e36d685d6461eb708d8206587593b7
crc32: 0xbc6186dc
sha224: 6a094727660601922ab2fee1ca4edc69c01d66b70b6933a0efdd0def
sha256: c4a614358ed7f52924f55e4bf26dc0eb50040eee09f6b2cb916ae24b24adddb2
sha384: ec30a341b9de8da88692cbc9e30a201e0c81933f8cf7d9e02fc93c3ce5042d581863209a6ab3b050865769aad8c6fffe
sha512: 1e69d8d5deeba6de116016d36bd8412ec34286ea1c08aa3037e2d2c0d95c533d7a67311b97641cf9e3d4c7c67762af11acabb1606975a1cd1b8a14a5b1c30ae2
ssdeep: 12288:zacNe/8p6sCCNQrKRd/mYtckgijbE9wX4UvmafMPfohqrd:zro0VCCa0xpu2EuX4HUI
Community
Google: False
HashLib: False

YARA
Matches: domain, Borland, Borland_Delphi_30_, Delphi_DecodeDate, borland_delphi, Delphi_FormShow, BobSoftMiniDelphiBoBBobSoft, Microsoft_Visual_Cpp_v50v60_MFC, BobSoft_Mini_Delphi_BoB_BobSoft_additional, win_files_operation, IsPE32, win_hook, screenshot, Borland_Delphi_v40_v50, keylogger, contentis_base64, Borland_Delphi_40_additional, Borland_Delphi_40, Delphi_Random, Borland_Delphi_v60_v70, IsWindowsGUI, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, url, win_registry, Delphi_CompareCall, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30
Suspicious: True

Strings
List
http://www.alterna-danor.com/engine.z
t.Ht
Font.Style
Font.Name
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
P.rsrc
SOFTWARE\Borland\Delphi\RTL
Delphi%.8X
Software\Borland\Locales
Software\Borland\Delphi\Locales
comctl32.dll
olepro32.dll
comctl32.dll
comctl32.dll
comctl32.dll
comctl32.dll
version.dll
uxtheme.dll
wininet.dll
vcltest3.dll
SHFolder.dll
\sysmtem.exe
Username
Username
OnFetchCompleted
ControlOfs%.8X%.8X
WndProcPtr%.8X%.8X
Missing %s property(CommandText does not return a result set{Error creating object. Please verify that the Microsoft Data Access Components 2.1 (or later) have been properly installed=Events are not supported with server side TableDirect cursors'Unsupported field type (%s) in field %s;A connection component is required for async ExecuteOptions
fkCalculated
Calculated
TRecordsetReasonEvent
JumpID("","%s")
ecP%%M
e%FM7T
TEventReason
TEventReason
TEventReason
TEventReason
TEventReason
Apartment
AfterDelete
AfterDelete
Sub-menu is not in menu
ilReadCommitted
/Custom variant type (%s%.4x) already used by %s*Custom variant type (%s%.4x) is not usable2Too many custom variant types have been registered5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Division by zero
ToolWin
erDelete
BeforeDelete
TaskbarCreated
August September
RecordsAffected
Selected
paSigned
BeforeDelete
Rebuild
bsSizeToolWin
Recordset is not open
like
Record not found
Too many open files
Connected
Assertion failed
Connected
%tEXtdate:create
%tEXtdate:modify
COLUMN%d
ilReadUncommitted
%s (%s, line %d)
SQL not supported: %s
No help found for %s#No context-sensitive help installed$No topic-based help system installed
Error reading %s%s%s: %s
I/O error %d
List count out of bounds (%d)
Ancestor for '%s' not found
OnExecuteComplete
'%s' is not a valid date
Index '%s' not found
Cannot assign a %s to a %s
Class %s not found
Property %s does not exist
Resource %s not found
OnWillExecuteT
OnFetchProgressL
Execute not supported: %s1Operation not allowed on a unidirectional dataset
OnDestroy
ESafecallException
OnGetUsernameT
OnHideL
_Command
_Command
_CommandP
TADOCommand`
MSDASQL.1
ftParadoxOle
*ShellAPI
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
RDSServer.DataFactory
RDSServer.DataFactory

Foremost
Matches: 0.exe, 817 KB, 1288.png, 59 KB
Suspicious: True

Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: True
Suspicious: http://www.alterna-danor.com/engine.z
hasAllowed: False
hasSuspicious: True

Files
Allowed: MAPI32.DLL, mtxex.dll, wininet.dll, user32.dll, uxtheme.dll, ole32.dll, imm32.dll, advapi32.dll, olepro32.dll, comctl32.dll, SHFolder.dll, gdi32.dll, oleaut32.dll, kernel32.dll, vcltest3.dll, version.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 249344
Suspicious: False
Image
Address: 884015104
Suspicious: False
Stack
Stack: 16384
Suspicious: False
Headers
Headers: 1024
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: code, data, bss, .idata, .tls, .rdata, .reloc, .rsrc
Suspicious
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS
Version: 4
Suspicious: False
Image
Version: 4
Suspicious: True
Linker
Version: 2.25
Suspicious: False
Subsystem
Version: 4.0
Suspicious: False
Suspicious: False

EntryPoint
Address: 590388
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: mapi32.dll, mtxex.dll, wininet.dll, user32.dll, uxtheme.dll, ole32.dll, imm32.dll, advapi32.dll, olepro32.dll, comctl32.dll, shfolder.dll, gdi32.dll, oleaut32.dll, kernel32.dll, version.dll
hasLibs: True
Suspicious: vcltest3.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: True
Valid: True
Value: 1992-06-19 19:22:17
Future: False

Compilation
Packed: True
Missing: False
Packers: BobSoft Mini Delphi -> BoB / BobSoft
Compiled: True
Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0, Borland Delphi v6.0 - v7.0
MainPacker: BobSoft Mini Delphi -> BoB / BobSoft

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: False
Tricks
AVclass
banload: 1
VirusTotal
md5: 860099a021b17248f6001b2fab80543c
sha1: d42e532711e36d685d6461eb708d8206587593b7
SCANS (DETECTION RATE = 78.57%)

Engine | Result | Update | Version | Detected
AVG | Win32:Banker-MIE [Trj] | 20180324 | 18.2.3827.0 | True
CMC | - | 20180323 | 1.1.0.977 | False
MAX | malware (ai score=84) | 20180324 | 2017.11.15.1 | True
K7GW | Trojan ( 7000000f1 ) | 20180323 | 10.42.26598 | True
ALYac | Gen:Variant.Symmi.57866 | 20180323 | 1.1.1.5 | True
Avast | Win32:Banker-MIE [Trj] | 20180324 | 18.2.3827.0 | True
Avira | TR/Dldr.Delphi.692 | 20180323 | 8.3.3.6 | True
Baidu | - | 20180323 | 1.0.0.2 | False
Cyren | W32/Dapato.J.gen!Eldorado | 20180324 | 5.4.30.7 | True
DrWeb | Trojan.DownLoader16.50174 | 20180324 | 7.0.28.2020 | True
GData | Gen:Variant.Symmi.57866 | 20180324 | A:25.16483B:25.11862 | True
Panda | Generic Suspicious | 20180323 | 4.6.4.2 | True
VBA32 | TrojanDownloader.Banload | 20180323 | 3.12.28.0 | True
VIPRE | Trojan.Win32.Generic!BT | 20180324 | 65482 | True
AVware | Trojan.Win32.Generic!BT | 20180324 | 1.5.0.42 | True
ClamAV | - | 20180323 | 0.99.2.0 | False
Comodo | UnclassifiedMalware | 20180323 | 28733 | True
F-Prot | W32/Dapato.J.gen!Eldorado | 20180324 | 4.7.1.166 | True
McAfee | GenericR-EPI!860099A021B1 | 20180324 | 6.0.6.653 | True
Rising | Downloader.Banload!8.15B (TFE:5:ZNyaKuyD0UJ) | 20180324 | 25.0.0.1 | True
Sophos | Mal/Generic-S | 20180323 | 4.98.0 | True
Yandex | Trojan.DL.Banload!f35Id8Y5qeE | 20180323 | 5.5.1.3 | True
Arcabit | Trojan.Symmi.DE20A | 20180324 | 1.0.0.831 | True
Cylance | Unsafe | 20180324 | 2.3.1.101 | True
Endgame | malicious (high confidence) | 20180316 | 2.0.5 | True
Tencent | Win32.Trojan-downloader.Banload.Dxwa | 20180324 | 1.0.0.1 | True
ViRobot | Trojan.Win32.Agent.837120.C | 20180323 | 2014.3.20.0 | True
eGambit | - | 20180324 | v4.3.5 | False
AegisLab | Troj.Downloader.W32.Banload.cxbl!c | 20180323 | 4.2 | True
Emsisoft | Gen:Variant.Symmi.57866 (B) | 20180324 | 4.0.2.899 | True
Fortinet | W32/Banload.UKZ!tr.dldr | 20180324 | 5.4.247.0 | True
Invincea | - | 20180121 | 6.3.4.26036 | False
Kingsoft | - | 20180324 | 2013.8.14.323 | False
Paloalto | - | 20180324 | 1.0 | False
Symantec | Downloader | 20180323 | 1.5.0.0 | True
nProtect | Trojan-Downloader/W32.Banload.837120.B | 20180323 | 2018-03-23.02 | True
AhnLab-V3 | Trojan/Win32.Banload.R165177 | 20180323 | 3.12.0.20130 | True
Antiy-AVL | Trojan[Downloader]/Win32.Banload | 20180323 | 3.0.0.1 | True
Kaspersky | UDS:DangerousObject.Multi.Generic | 20180323 | 15.0.1.13 | True
Microsoft | TrojanDownloader:Win32/Tenomils.A | 20180324 | 1.1.14600.4 | True
TheHacker | - | 20180319 | 6.8.0.5.2551 | False
ZoneAlarm | UDS:DangerousObject.Multi.Generic | 20180324 | 1.0 | True
ESET-NOD32 | a variant of Win32/TrojanDownloader.Banload.WTY | 20180323 | 17107 | True
TrendMicro | TROJ_FRS.0NA003IU15 | 20180324 | 9.862.0.1074 | True
BitDefender | Gen:Variant.Symmi.57866 | 20180324 | 7.2 | True
CrowdStrike | malicious_confidence_90% (W) | 20170201 | 1.0 | True
K7AntiVirus | Trojan ( 7000000f1 ) | 20180323 | 10.42.26598 | True
SentinelOne | - | 20180225 | 1.0.15.206 | False
Avast-Mobile | - | 20180323 | 180323-04 | False
TotalDefense | - | 20180323 | 37.1.62.1 | False
CAT-QuickHeal | TrojanDownloader.Tenomils | 20180323 | 14.00 | True
NANO-Antivirus | Trojan.Win32.Banload.dxjrhj | 20180324 | 1.0.100.22043 | True
MicroWorld-eScan | Gen:Variant.Symmi.57866 | 20180324 | 14.0.297.0 | True
SUPERAntiSpyware | - | 20180323 | 5.6.0.1032 | False
McAfee-GW-Edition | GenericR-EPI!860099A021B1 | 20180323 | v2015 | True
TrendMicro-HouseCall | TROJ_FRS.0NA003IU15 | 20180324 | 9.950.0.1006 | True


total: 56
sha256: c4a614358ed7f52924f55e4bf26dc0eb50040eee09f6b2cb916ae24b24adddb2
scan_id: c4a614358ed7f52924f55e4bf26dc0eb50040eee09f6b2cb916ae24b24adddb2-1521853602
resource: 860099a021b17248f6001b2fab80543c
positives: 44
scan_date: 2018-03-24 01:06:42
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace
Timestamp | Operation | PID | Process | Path | Name
28/2/2020 - 13:45:43.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
28/2/2020 - 13:45:43.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rpcss.dll
28/2/2020 - 13:45:43.778 | Open | 1480 | C:\malware.exe | C:\Program Files (x86)\Common Files\System\ado\msado15.dll
28/2/2020 - 13:45:43.825 | Open | 1480 | C:\malware.exe | C:\Program Files (x86)\Common Files\System\ado\msado15.dll
28/2/2020 - 13:45:44.247 | Open | 1480 | C:\malware.exe | C:\Program Files (x86)\Common Files\System\ado\MSDART.DLL
28/2/2020 - 13:45:44.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msdart.dll
28/2/2020 - 13:45:44.293 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\msdart.dll
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll.Config
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\uxtheme.dll
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
28/2/2020 - 13:45:45.418 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32.dll
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\WindowsShell.Manifest
28/2/2020 - 13:45:45.418 | Unknown | 1480 | C:\malware.exe | C:\Windows\WindowsShell.Manifest | WindowsShell.Manifest
28/2/2020 - 13:45:45.418 | Open | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls
28/2/2020 - 13:45:45.418 | Unknown | 1480 | C:\malware.exe | C:\Windows\Globalization\Sorting\SortDefault.nls | SortDefault.nls
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.418 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Secur32.dll
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\secur32.dll
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\secur32.dll
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
28/2/2020 - 13:46:0.418 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-advapi32-l2-1-0.dll
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
28/2/2020 - 13:46:0.418 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll | api-ms-win-downlevel-advapi32-l2-1-0.dll
28/2/2020 - 13:46:0.418 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
28/2/2020 - 13:46:0.418 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll | api-ms-win-downlevel-advapi32-l2-1-0.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\IPHLPAPI.DLL
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\IPHLPAPI.DLL
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\WINNSI.DLL
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winnsi.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
28/2/2020 - 13:46:0.465 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
28/2/2020 - 13:46:0.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
28/2/2020 - 13:46:0.465 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
28/2/2020 - 13:46:0.481 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
28/2/2020 - 13:46:0.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
28/2/2020 - 13:46:0.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
28/2/2020 - 13:46:0.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
28/2/2020 - 13:46:0.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
28/2/2020 - 13:46:0.528 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
28/2/2020 - 13:46:0.528 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
28/2/2020 - 13:46:0.622 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
28/2/2020 - 13:46:0.622 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
28/2/2020 - 13:46:0.622 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
28/2/2020 - 13:46:0.622 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
28/2/2020 - 13:46:0.668 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc6.DLL
28/2/2020 - 13:46:0.668 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
28/2/2020 - 13:46:0.668 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
28/2/2020 - 13:46:0.668 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
28/2/2020 - 13:46:0.668 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
28/2/2020 - 13:46:0.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc.DLL
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
28/2/2020 - 13:46:0.731 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
28/2/2020 - 13:46:0.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
28/2/2020 - 13:46:0.731 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
28/2/2020 - 13:46:0.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
28/2/2020 - 13:46:0.731 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
28/2/2020 - 13:46:0.778 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll
28/2/2020 - 13:46:0.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
28/2/2020 - 13:46:0.778 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
28/2/2020 - 13:46:0.825 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
28/2/2020 - 13:46:0.825 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
28/2/2020 - 13:46:1.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
28/2/2020 - 13:46:1.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
28/2/2020 - 13:46:1.200 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
28/2/2020 - 13:46:1.872 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:1.872 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
28/2/2020 - 13:46:1.872 | Open | 1480 | C:\malware.exe | C:\bcrypt.dll
28/2/2020 - 13:46:1.872 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcrypt.dll
28/2/2020 - 13:46:1.872 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcrypt.dll
28/2/2020 - 13:46:1.872 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll
28/2/2020 - 13:46:1.887 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | bcryptprimitives.dll
28/2/2020 - 13:46:1.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll
28/2/2020 - 13:46:1.887 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | bcryptprimitives.dll
28/2/2020 - 13:46:1.887 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.887 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.887 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.887 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.887 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.887 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.887 | Write | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies\CACWTJU7.txt
28/2/2020 - 13:46:1.934 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8
28/2/2020 - 13:46:1.934 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8
28/2/2020 - 13:46:1.934 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8\engine[1].htm
28/2/2020 - 13:46:1.934 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\x.z
28/2/2020 - 13:46:1.934 | Write | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8\engine[1].htm | engine[1].htm
28/2/2020 - 13:46:1.934 | Write | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\x.z
28/2/2020 - 13:46:1.934 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EHQ10TF8\engine[1].htm | engine[1].htm
28/2/2020 - 13:46:1.934 | Write | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\x.z
28/2/2020 - 13:46:1.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
28/2/2020 - 13:46:1.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
28/2/2020 - 13:46:7.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:7.965 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
28/2/2020 - 13:46:7.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\x.z
28/2/2020 - 13:46:7.965 | Read | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\x.z
28/2/2020 - 13:46:7.965 | Read | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\x.z
28/2/2020 - 13:46:8.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
28/2/2020 - 13:46:8.59 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll

Process
Trace

Analysis
Reason: Timeout
Status: Successfully Executed
Results: 1

Registry
Trace
Timestamp | Operation | PID | Process | Key | Value
28/2/2020 - 13:46:0.465 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable
28/2/2020 - 13:46:0.481 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer
28/2/2020 - 13:46:0.481 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyOverride
28/2/2020 - 13:46:0.481 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigURL
28/2/2020 - 13:46:0.481 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoDetect
28/2/2020 - 13:46:0.481 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings
28/2/2020 - 13:46:0.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix
28/2/2020 - 13:46:0.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix
28/2/2020 - 13:46:0.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
28/2/2020 - 13:46:0.872 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionReason
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionTime
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecision
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadNetworkName
28/2/2020 - 13:46:2.184 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDetectedUrl
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
28/2/2020 - 13:46:2.184 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
28/2/2020 - 13:46:2.184 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
28/2/2020 - 13:46:2.184 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl

File Summary
Created
Identified: True

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: True

Browsers
Identified: False

Internet
Identified: True


DNS
Query
localhost -> gateway:50273  www.alterna-danor.com.
localhost -> gateway:DNS  www.alterna-danor.com.

Response
gateway:DNS -> localhost  www.alterna-danor.com. reply: 204.11.56.48


TCP
Info
204.11.56.48:80 -> localhost:65191
localhost:65191 -> 204.11.56.48:80

UDP
Info
localhost:53 -> localhost:50273
localhost:50273 -> localhost:53
localhost:67 -> localhost:68
localhost:68 -> 255.255.255.255:67

HTTP
Info
localhost GET www.alterna-danor.com /engine.z

Summary
DNS: True

TCP: True

UDP: True

HTTP: True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 100.00%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 84.33%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 75.86%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 60.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 80.00%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 99.97%
suspicious: True
