Report #7943

Binary
DLL: False
Size: 408.00KB
trid
42.1% UPX compressed Win32 Executable
41.4% Win32 EXE Yoda's Crypter
7.0% Win32 Executable
3.1% OS/2 Executable
3.1% Generic Win/DOS Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
de421d808a2ba864417a133b6dba8e9a
sha1
fa1a103883b7f59b83b3e63be948d7fe35090016
crc32
0x50716f3
sha224
a4d2aea24c24d095e1a87682389f211c9bc6b7916d3878e139bc4296
sha256
340a4f47e2bd42f7dd469f1aa608934db60c7f3a4731825441a0acf116cf92a1
sha384
61a0d233bd1be2bbc5c2851ecc7350d36cdd5c84ff4ac94b2457b0ddee8fc8eebb3d40278e3777849f80b7943048b94a
sha512
513511d0ffe6f439df8347a0c75848b889dd44a2c3706a7903283fc2e983ebe9b4c6165a86e2e6ec247c91eca5ac153d94211a5192a809470f8f4df84566216b
ssdeep
12288:hOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPik6yy44scg:hq5TfcdHj4fmbT6yy44scg
Community
Google: False
HashLib: False
YARA
Matches
domain, UPX_wwwupxsourceforgenet, screenshot, UPX_wwwupxsourceforgenet_additional, HasRichSignature, contentis_base64, yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h, UPX, UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay, CRC32_poly_Constant, IP, IsPE32, PackerUPX_CompresorGratuito_wwwupxsourceforgenet, IsWindowsGUI, UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay_additional, IsPacked

Suspicious: True

Strings
List
Lr.mc
N.py
7.SD
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
A.vE&
WSOCK32.dll
COMCTL32.dll
USERENV.dll
VERSION.dll
WININET.dll
WINMM.dll
UxTheme.dll
MPR.dll
YC.Dn,<
__based
AB,E
"T#`$l%G
S9r6%G2
FtpOpenFileW
<requestedPrivileges>
iK.sapx
k4%iPQRSTUVWv
GetProcAddress
ExitProcess
?`Lp.ls
v.Sh'
VirtualAlloc
[+-]
VirtualProtect
LoadLibraryA
AutoIt Yx
<!th<otd<]t`<[t\<\tX<
ar.fw)A
II<fD
GetDC
S%/E
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
de.hl
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
IcmpSendEcho
x.Ly,V
AU3!EA06PA
olhelp32S:6
r&o
H}AU3!EA06M
EFIN`UTF16)f
+t\HHtTN*
IPHLPAPI.DLL
|laU1dSo&+
RECURSION'CRRL
ModuleHandlx&6]
\?h@tA9r
"lG=-3eT
g[eW5poolTim
tt?srr;99qqpoo
!Or94LH
7mEssgY6'Hn
>5Cb:?miss(0
0B_OgnXr
d&MpiBy6
So7*-taG
0^DuE5,
<dependentAssembly>
ptr64Nrerict]X
8DP\ht<
</compatibility>
vooiOs?k
eAn+d2_
]3A:fCi
B6@ttRRL
phot2E$
</dependentAssembly>
't#It1m
tE3R}M/
_g/fnL0i
nT[r>f9U
LSIDFr{Y#}
vrronm?l
RfY).Du:
<application>
:ISub%CRL
)$tA\(B
?ZYXWrrr;WoVUU
<dependency>
</dependency>
a-.a=dB
idl,\}U
Aw@@h=E
@A)BA<d
00/@5n96H
_n''''[H5#r
NW?CRt0wL
</application>
`pdOfO%
$(,0''''4
<MP0sTI
g:Arc7C

Foremost
Matches
0.exe, 408 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed
Suspicious
hasAllowed: False
hasSuspicious: False

URLs
Allowed
hasURLs: False
Suspicious
hasAllowed: False
hasSuspicious: False

Files
Allowed: ADVAPI32.dll, UxTheme.dll, SHELL32.dll, OLEAUT32.dll, PSAPI.DLL, COMCTL32.dll, ole32.dll, IPHLPAPI.DLL, VERSION.dll, WSOCK32.dll, WININET.dll, USER32.dll, USERENV.dll, GDI32.dll, MPR.dll, WINMM.dll, kernel32.dll, COMDLG32.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 73728
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 4096
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .rsrc
Suspicious: upx0, upx1
hasAllowed: True
hasSections: True
hasSuspicious: True

Versions
OS
Version: 5
Suspicious: False
Image
Version: 5
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 5.1
Suspicious: False
Suspicious: False

EntryPoint
Address: 958208
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: advapi32.dll, uxtheme.dll, shell32.dll, oleaut32.dll, psapi.dll, comctl32.dll, ole32.dll, version.dll, wsock32.dll, wininet.dll, user32.dll, userenv.dll, gdi32.dll, mpr.dll, winmm.dll, kernel32.dll, comdlg32.dll
hasLibs: True
Suspicious: iphlpapi.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2015-03-12 11:13:51
Future: False

Compilation
Packed: True
Missing: False
Packers: UPX -> www.upx.sourceforge.net
Compiled: False
Compilers

Obfuscation
XOR: False cancel
Fuzzing: False cancel

PEDetector
Matches
None
Suspicious
False cancel
Disassembly
hasTricks: True
Tricks
pushret
none: 364

pushpopmath
none: 265
.rsrc: 1

ss register
none: 10

garbagebytes
none: 152

hookdetection
none: 4

software breakpoint
none: 8

fakeconditionaljumps
none: 14

programcontrolflowchange
none: 140

cpuinstructionsresultscomparison
none: 45
.rsrc: 39

AVclass
autoit
1
VirusTotal
md5
de421d808a2ba864417a133b6dba8e9a
sha1
fa1a103883b7f59b83b3e63be948d7fe35090016
SCANS (DETECTION RATE = 64.29%)
engine | result ("-" = no result string) | update | version | detected
AVG | Generic12_c.AKUW | 20151026 | 16.0.0.4455 | True
CMC | - | 20151026 | 1.1.0.977 | False
Bkav | - | 20151026 | 1.3.0.7383 | False
K7GW | Trojan-Downloader ( 004b7fef1 ) | 20151026 | 9.212.17655 | True
ALYac | Trojan.Generic.12925657 | 20151026 | 1.0.1.4 | True
Avast | Win32:AutoIt-CSM [Trj] | 20151026 | 8.0.1489.320 | True
Avira | TR/Downloader.A.14204 | 20151026 | 8.3.2.2 | True
Cyren | W32/GenBl.DE421D80!Olympus | 20151026 | 5.4.16.7 | True
DrWeb | - | 20151026 | 7.0.16.10090 | False
GData | Trojan.Generic.12925657 | 20151026 | 25 | True
Panda | Trj/CI.A | 20151026 | 4.6.4.2 | True
VBA32 | - | 20151026 | 3.12.26.4 | False
VIPRE | Trojan.Win32.Generic!BT | 20151026 | 44830 | True
Zoner | - | 20151026 | 1.0 | False
AVware | Trojan.Win32.Generic!BT | 20151026 | 1.5.0.21 | True
ClamAV | - | 20151026 | 0.98.5.0 | False
Comodo | UnclassifiedMalware | 20151026 | 23478 | True
F-Prot | - | 20151026 | 4.7.1.166 | False
Ikarus | Trojan-Downloader.Win32.AutoIt | 20151026 | T3.1.9.5.0 | True
McAfee | Artemis!DE421D808A2B | 20151026 | 6.0.6.653 | True
Rising | PE:Malware.Generic/QRS!1.9E2D [F] | 20151026 | 25.0.0.17 | True
Sophos | Mal/Generic-S | 20151026 | 4.98.0 | True
Zillya | - | 20151026 | 2.0.0.2476 | False
Agnitum | - | 20151026 | 5.5.1.3 | False
Alibaba | - | 20151026 | 1.0 | False
Arcabit | Trojan.Generic.DC53AD9 | 20151026 | 1.0.0.585 | True
Tencent | Win32.Trojan.Downloader.Wtdi | 20151026 | 1.0.0.1 | True
ViRobot | - | 20151026 | 2014.3.20.0 | False
Ad-Aware | Trojan.Generic.12925657 | 20151026 | 12.0.163.0 | True
AegisLab | - | 20151026 | 1.5 | False
ByteHero | - | 20151026 | 1.0.0.1 | False
Emsisoft | Trojan.Generic.12925657 (B) | 20151026 | 3.5.0.642 | True
F-Secure | Trojan.Generic.12925657 | 20151026 | 11.0.19100.45 | True
Fortinet | W32/Autoit.NXS!tr.dldr | 20151026 | 5.1.220.0 | True
Jiangmin | - | 20151026 | 16.0.100 | False
Symantec | Infostealer.Limitail | 20151026 | 20141.2.0.56 | True
nProtect | Trojan.Generic.12925657 | 20151026 | 2015-10-26.01 | True
AhnLab-V3 | Spyware/Win32.Limitail | 20151026 | 2015.10.27.00 | True
Antiy-AVL | - | 20151026 | 1.0.0.1 | False
Kaspersky | HEUR:Trojan.Script.Generic | 20151026 | 15.0.1.10 | True
Microsoft | TrojanDownloader:AutoIt/Banload.L | 20151026 | 1.1.12205.0 | True
Qihoo-360 | HEUR/QVM11.1.Malware.Gen | 20151026 | 1.0.0.1015 | True
TheHacker | - | 20151026 | 6.8.0.5.708 | False
ESET-NOD32 | Win32/TrojanDownloader.Autoit.NXS | 20151026 | 12467 | True
TrendMicro | - | 20151026 | 9.740.0.1012 | False
BitDefender | Trojan.Generic.12925657 | 20151026 | 7.2 | True
K7AntiVirus | Trojan-Downloader ( 004b7fef1 ) | 20151026 | 9.212.17655 | True
Malwarebytes | Trojan.Banker.IMGen | 20151026 | 2.1.1.1115 | True
TotalDefense | - | 20151026 | 37.1.62.1 | False
CAT-QuickHeal | TrojanDownloader.Banload.r3 | 20151026 | 14.00 | True
NANO-Antivirus | Trojan.Win32.Autoit.dpmczv | 20151026 | 0.30.26.3947 | True
MicroWorld-eScan | Trojan.Generic.12925657 | 20151026 | 12.0.250.0 | True
SUPERAntiSpyware | - | 20151026 | 5.6.0.1032 | False
McAfee-GW-Edition | BehavesLike.Win32.Ramnit.gc | 20151026 | v2015 | True
Baidu-International | Trojan.Win32.Autoit.NXS | 20151026 | 3.5.1.41473 | True
TrendMicro-HouseCall | - | 20151026 | 9.800.0.1009 | False

total
56
sha256
340a4f47e2bd42f7dd469f1aa608934db60c7f3a4731825441a0acf116cf92a1
scan_id
340a4f47e2bd42f7dd469f1aa608934db60c7f3a4731825441a0acf116cf92a1-1445863364
resource
de421d808a2ba864417a133b6dba8e9a
positives
36
scan_date
2015-10-26 12:42:44
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
timestamp | operation | pid | process | path | file
29/2/2020 - 4:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
29/2/2020 - 4:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
29/2/2020 - 4:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
29/2/2020 - 4:45:43.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
29/2/2020 - 4:45:43.793 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
29/2/2020 - 4:45:43.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
29/2/2020 - 4:45:43.793 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
29/2/2020 - 4:45:43.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
29/2/2020 - 4:45:43.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
29/2/2020 - 4:45:43.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
29/2/2020 - 4:45:43.934 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
29/2/2020 - 4:45:43.981 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc6.DLL
29/2/2020 - 4:45:43.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
29/2/2020 - 4:45:43.981 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
29/2/2020 - 4:45:43.981 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
29/2/2020 - 4:45:43.981 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
29/2/2020 - 4:45:44.28 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
29/2/2020 - 4:45:44.28 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc.DLL
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
29/2/2020 - 4:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
29/2/2020 - 4:45:44.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
29/2/2020 - 4:45:44.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
29/2/2020 - 4:45:44.106 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll
29/2/2020 - 4:45:44.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
29/2/2020 - 4:45:44.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
29/2/2020 - 4:45:44.497 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
29/2/2020 - 4:45:44.497 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
29/2/2020 - 4:45:44.918 | Open | 1480 | C:\malware.exe | C:\Monitor
29/2/2020 - 4:45:44.918 | Unknown | 1480 | C:\malware.exe | C:\Monitor
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\imadwm.exe
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\PROPSYS.dll
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\propsys.dll
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\propsys.dll
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\shell32.dll
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:44.965 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\
29/2/2020 - 4:45:44.965 | Unknown | 1480 | C:\malware.exe | C:\
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000000.db
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\desktop.ini
29/2/2020 - 4:45:44.965 | Read | 1480 | C:\malware.exe | C:\Users\desktop.ini
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users
29/2/2020 - 4:45:44.965 | Unknown | 1480 | C:\malware.exe | C:\Users
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
29/2/2020 - 4:45:44.965 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData
29/2/2020 - 4:45:44.965 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
29/2/2020 - 4:45:44.965 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\imadwm.exe
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ndfapi.dll
29/2/2020 - 4:45:44.965 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ndfapi.dll
29/2/2020 - 4:45:45.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ndfapi.dll
29/2/2020 - 4:45:45.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wdi.dll
29/2/2020 - 4:45:45.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wdi.dll
29/2/2020 - 4:45:45.106 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
29/2/2020 - 4:45:45.106 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.106 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.106 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.106 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\shlwapi.dll
29/2/2020 - 4:45:45.137 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
29/2/2020 - 4:45:45.137 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.137 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.137 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.137 | Open | 1480 | C:\malware.exe | C:\DUser.dll
29/2/2020 - 4:45:45.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\duser.dll
29/2/2020 - 4:45:45.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\duser.dll
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\xmllite.dll
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\xmllite.dll
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.200 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88
29/2/2020 - 4:45:45.200 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_pt-br_59b90943c4d9db88\comctl32.dll.mui
29/2/2020 - 4:45:45.200 | Open | 1480 | C:\malware.exe | C:\imageres.dll
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imageres.dll
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\imageres.dll
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\imageres.dll.mui
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\System32\pt-BR\imageres.dll.mui
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt\imageres.dll.mui
29/2/2020 - 4:45:45.215 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\en-US
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\en-US\imageres.dll.mui
29/2/2020 - 4:45:45.215 | Read | 1480 | C:\malware.exe | C:\Windows\SysWOW64\en-US\imageres.dll.mui | imageres.dll.mui
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
29/2/2020 - 4:45:45.215 | Read | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
29/2/2020 - 4:45:45.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
29/2/2020 - 4:45:45.340 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
29/2/2020 - 4:45:45.340 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace
timestamp | operation | pid | process | key | value name
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
29/2/2020 - 4:45:44.28 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
29/2/2020 - 4:45:44.106 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
29/2/2020 - 4:45:44.106 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
29/2/2020 - 4:45:44.106 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
29/2/2020 - 4:45:44.106 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionReason
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionTime
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecision
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadNetworkName
29/2/2020 - 4:45:45.543 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDetectedUrl
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
29/2/2020 - 4:45:45.543 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
29/2/2020 - 4:45:45.543 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
29/2/2020 - 4:45:45.543 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: True

Browsers
Identified: False

Internet
Identified: True


DNS
Query
localhost -> gateway:DNS | matrixservera.eu.
localhost -> gateway:50273 | matrixservera.eu.

Response
gateway:DNS -> localhost | matrixservera.eu. | answer: 23.253.126.58


TCP
Info
104.239.157.210:80 -> localhost:65191
localhost:65191 -> 104.239.157.210:80

UDP
Info
localhost:53 -> localhost:50273
localhost:50273 -> localhost:53
localhost:67 -> localhost:68
localhost:68 -> 255.255.255.255:67

HTTP
Info
localhost | GET | matrixservera.eu | /master/supreme.exe

Summary
DNS: True

TCP: True

UDP: True

HTTP: True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 98.62%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 54.21%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 63.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 91.41%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 95.13%
suspicious: True
