Report #9034

Binary
DLL
False
Size
467.50KB
trid
38.2% UPX compressed Win32 Executable
37.5% Win32 EXE Yoda's Crypter
9.2% Win32 Dynamic Link Library
6.3% Win32 Executable
2.8% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
d91f6dffbdae03efdabf2e7a2edd4ff3
sha1
7a4b970798200aa8fb82fc1a3a6d866d7b214fbe
crc32
0x8912c1f1
sha224
fae41c389a3081dbf245fb4ab5435989005c6dfd00a66641eb3fe1fc
sha256
aed491fdad1abfa34d24463d486d10267b3fca91fdd4b088854635d11c64cee2
sha384
988c713e8f81f38fe139c8b6a8f310d992f532621fa1c201f02c0d93c3a0e2de1d76d9d90abe0f46d9d1682caf9f6cd5
sha512
b8d2a874152b525333998de8c31504120a818b5e4820b63dfe03f575f70d47136f6c9f9df358aa6ea65c96dc03ddee7bb770f9072bb66f75753b90f41eb498ce
ssdeep
12288:8Xe9PPlowWX0t6mOQwg1Qd15CcYk0We1vt0nXZFGEi6zJA7cQ:ZhloDX0XOf4xx7cQ
Community
Google
False
HashLib
False
YARA
Matches
domain, UPX_wwwupxsourceforgenet, screenshot, UPX_wwwupxsourceforgenet_additional, url, HasRichSignature, contentis_base64, yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h, UPX, UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay, CRC32_poly_Constant, IP, IsPE32, PackerUPX_CompresorGratuito_wwwupxsourceforgenet, IsWindowsGUI, UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay_additional, IsPacked

Suspicious
True

Strings
List
http://www.autoitscript.com/autoit3/
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
WSOCK32.dll
COMCTL32.dll
USERENV.dll
VERSION.dll
WININET.dll
WINMM.dll
UxTheme.dll
MPR.dll
3.3.10.2
3.3.10.2
=t2aw
g`jNBG4>h%i
H%pwtV>wP%
't%A<DA
/%oh<
FtpOpenFileW
<requestedPrivileges>
K.saw
GetProcAddress
ExitProcess
mpil2AutoIt
FtpkI
VirtualAlloc
[+-]
VirtualProtect
LoadLibraryA
DA8e
O_START_OPT)IMI
tT7^N
Setup
uHfD#
ar.fw)W
GetDC
OCmd
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
1999-2013 Jonathan Bennett & AutoIt Team
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
IcmpSendEcho
L.Sj&SFj
]h.mk
I#CxY4Ec0a
H}AU3!EA06M
oAU3!EA06PAd\
IPHLPAPI.DLL
`[g0;2{TA
10&sinh?os
sOrKe0@I
olhelp32S:pho
UUT?Sr;99RRQoP
Uhpt4s.V;(/A.
RyP$(8<_I
aC6H)10
0oun.[W<
:0@PSSA>K
RECURSION'CRRL
j.YTEGH8I
stFHt<ht7Nt+
&veWindow
/fngPi1L0cP
HIJKLM\OP
tX(:0tDa'
^~';_t|%+P+Ew
<dependentAssembly>
.vE&tTA
SI)&}.tC
</compatibility>
@@7/Eam
&seBerPp
Dec_uTygr
B6@ttRRL
rVu6am`
</dependentAssembly>
\>H~CAC
,m'HDhe@
"lf=-ReT
=GADcS+?
vovuttNNNn?srqq
<application>
b:?miss(
`tyRof$&lo( s
B#On'$_
TRr{7c?,]
<dependency>
fbSeu*bRWm
</dependency>
vrrPON?M
lT|hxnep
NFaTVkB{
>DWSuBwM
Fi_t@.O
INiG@:$
</application>
Npooon99
7TnOBS;
%hNmi4H

Foremost
Matches
0.exe, 467 KB, 680.png, 23 KB
Suspicious
True
Heuristics
IPs
hasIPs: True
Allowed: (none)
Suspicious: 3.3.10.2, 0, Unknown
hasAllowed: False
hasSuspicious: True
Note: "3.3.10.2" is the AutoIt interpreter version string that also appears twice in the Strings list above, not an IPv4 address; the IP heuristic is a false positive here.

URLs
hasURLs: True
Allowed: (none)
Suspicious: http://www.autoitscript.com/autoit3/
hasAllowed: False
hasSuspicious: True
Note: the AutoIt runtime stub embeds this URL (together with the version string and the "1999-2013 Jonathan Bennett & AutoIt Team" copyright), so it identifies the interpreter rather than being a network indicator specific to this sample.

Files
Allowed: ADVAPI32.dll, OLEAUT32.dll, VERSION.dll, WSOCK32.dll, SHELL32.dll, UxTheme.dll, PSAPI.DLL, COMCTL32.dll, ole32.dll, IPHLPAPI.DLL, WININET.dll, USER32.dll, USERENV.dll, GDI32.dll, WINMM.dll, KERNEL32.DLL, COMDLG32.dll, MPR.dll
hasFiles: True
Suspicious: (none)
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 135168
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 4096
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True
Note: a zero CheckSum field is common in legitimate user-mode executables (the linker only fills it in on request, and the loader enforces it only for drivers and boot-time system DLLs), so on its own this is a weak signal; here it is reported together with UPX packing, which rewrites the headers.

Sections
Allowed: .rsrc
Suspicious: upx0, upx1
hasAllowed: True
hasSections: True
hasSuspicious: True

Versions
OS
Version: 5
Suspicious: False
Image
Version: 5
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 5.1
Suspicious: False
Suspicious: False

EntryPoint
Address: 1015840
Suspicious: False
Note: 1015840 = 0xF8020 is an RVA (it is below the image base 4194304 = 0x400000) and lies far beyond the declared 135168-byte (0x21000) code size, which is consistent with a UPX decompression stub placed at the tail of the image rather than with an entry point inside the original code section.

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True
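
A minimal static check that reproduces the three findings above (the stored CheckSum field against a recomputed value, UPX section names, and the "AU3!EA06" marker that the Strings list shows and that compiled AutoIt v3 scripts carry). This is an added example, not part of the report or of the tool that produced it. It runs on a constructed 512-byte stand-in PE32 image, built inline with the same traits, rather than on the sample itself; point triage() at the real file's bytes to reproduce the report's Checksum and Sections findings. The checksum routine is the standard imagehlp CheckSumMappedFile algorithm (ones'-complement sum of 32-bit words, folded to 16 bits, plus the file length).

```python
import struct


def build_sample_image() -> bytes:
    """Constructed, non-executable PE32 stand-in (hypothetical, not the analysed file):
    three sections named UPX0/UPX1/.rsrc, a zero CheckSum field, and an AutoIt marker."""
    img = bytearray(512)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)            # e_lfanew: PE header at 0x40
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x14C, 3)       # Machine=i386, NumberOfSections=3
    struct.pack_into("<HH", img, 0x54, 0xE0, 0x0102)   # SizeOfOptionalHeader, Characteristics
    struct.pack_into("<H", img, 0x58, 0x10B)           # optional header Magic = PE32
    # CheckSum field (optional header + 0x40 = 0x98) is left at 0, as in the report.
    for i, name in enumerate((b"UPX0", b"UPX1", b".rsrc")):
        img[0x138 + 40 * i:0x138 + 40 * i + 8] = name.ljust(8, b"\0")
    img[0x1C0:0x1C8] = b"AU3!EA06"                     # compiled AutoIt v3 script marker
    return bytes(img)


def _checksum_field_offset(data: bytes) -> int:
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return pe_off + 24 + 0x40                          # optional header starts 24 bytes past "PE\0\0"


def pe_checksum(data: bytes) -> int:
    """Recompute the header CheckSum (imagehlp CheckSumMappedFile algorithm)."""
    cs_off = _checksum_field_offset(data)
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == cs_off:
            continue                                   # the stored checksum never counts itself
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def header_checksum(data: bytes) -> int:
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def with_checksum(data: bytes, value: int) -> bytes:
    """Copy of the image with the CheckSum field set (used to show a consistent header)."""
    img = bytearray(data)
    struct.pack_into("<I", img, _checksum_field_offset(data), value)
    return bytes(img)


def section_names(data: bytes) -> list:
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size                     # section table follows the optional header
    return [data[table + 40 * i:table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(n_sections)]


def triage(data: bytes) -> dict:
    """Static checks mirroring the report's Checksum, Sections and Strings findings."""
    stored, computed = header_checksum(data), pe_checksum(data)
    names = section_names(data)
    return {
        "header_checksum": stored,
        "computed_checksum": computed,
        # A zero field is common in user-mode binaries; a non-zero mismatch means the
        # header was edited after linking (packing, patching, infection).
        "checksum_matches": stored == computed,
        "sections": names,
        "upx_packed": any(n.upper().startswith("UPX") for n in names),
        "autoit_marker": b"AU3!EA06" in data,
    }


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(f"{key}: {value}")
```

On the constructed image the stored field is 0 while the recomputed value is non-zero, which is exactly the "header checksum and the calculated checksum do not match" anomaly; writing the recomputed value back with with_checksum() makes the two agree, which is what a correctly linked (and unmodified) binary looks like.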

Libraries
Allowed: advapi32.dll, oleaut32.dll, version.dll, wsock32.dll, shell32.dll, uxtheme.dll, psapi.dll, comctl32.dll, ole32.dll, wininet.dll, user32.dll, userenv.dll, gdi32.dll, winmm.dll, kernel32.dll, comdlg32.dll, mpr.dll
hasLibs: True
Suspicious: iphlpapi.dll
hasAllowed: True
hasSuspicious: True
Note: iphlpapi.dll (IcmpSendEcho in the Strings list) is what the AutoIt runtime's Ping() function uses, so this import is expected for any AutoIt-compiled binary rather than being specific to this sample.

Timestamp
Past: False
Valid: True
Value: 2014-01-28 13:53:14
Future: False
Note: for an AutoIt-compiled executable the PE timestamp is normally that of the prebuilt interpreter stub (here version 3.3.10.2), not of the moment the script was compiled, so it dates the runtime rather than the campaign.

Compilation
Packed: True
Missing: False
Packers: UPX -> www.upx.sourceforge.net
Compiled: False
Compilers

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
True
Tricks
pushret
none: 370
.rsrc: 10

pushpopmath
none: 264
.rsrc: 6

ss register
none: 2

garbagebytes
none: 171
.rsrc: 3

hookdetection
none: 2

software breakpoint
none: 13
.rsrc: 1

fakeconditionaljumps
none: 5
.rsrc: 1

programcontrolflowchange
none: 168
.rsrc: 2

cpuinstructionsresultscomparison
none: 14
.rsrc: 8

AVclass
autoit
1
VirusTotal
md5
d91f6dffbdae03efdabf2e7a2edd4ff3
sha1
7a4b970798200aa8fb82fc1a3a6d866d7b214fbe
SCANS (DETECTION RATE = 62.12%, 41 of 66 engines)
Engine | Result | Update | Version | Detected
AVG | FileRepMetagen [DRP] | 20180323 | 18.2.3827.0 | True
CMC | | 20180323 | 1.1.0.977 | False
MAX | | 20180323 | 2017.11.15.1 | False
Bkav | | 20180322 | 1.3.0.9466 | False
K7GW | | 20180323 | 10.42.26597 | False
ALYac | Adware.Generic.683547 | 20180323 | 1.1.1.5 | True
Avast | FileRepMetagen [DRP] | 20180323 | 18.2.3827.0 | True
Avira | TR/Banload.SZC | 20180323 | 8.3.3.6 | True
Baidu | | 20180323 | 1.0.0.2 | False
Cyren | W32/Trojan.UDUR-9334 | 20180323 | 5.4.30.7 | True
DrWeb | Trojan.DownLoad.64867 | 20180323 | 7.0.28.2020 | True
GData | Adware.Generic.683547 | 20180323 | A:25.16481B:25.11861 | True
Panda | Trj/CI.A | 20180323 | 4.6.4.2 | True
VBA32 | Trojan-Downloader.Autoit.gen | 20180323 | 3.12.28.0 | True
VIPRE | Trojan.Win32.Generic!BT | 20180323 | 65472 | True
Zoner | | 20180323 | 1.0 | False
AVware | Trojan.Win32.Generic!BT | 20180323 | 1.5.0.42 | True
ClamAV | | 20180323 | 0.99.2.0 | False
Comodo | UnclassifiedMalware | 20180323 | 28732 | True
F-Prot | | 20180323 | 4.7.1.166 | False
Ikarus | Worm.Win32.AutoIt | 20180323 | 0.1.5.2 | True
McAfee | Generic.dx!D91F6DFFBDAE | 20180323 | 6.0.6.653 | True
Rising | | 20180323 | 25.0.0.1 | False
Sophos | Troj/DwnLdr-LIM | 20180323 | 4.98.0 | True
Yandex | | 20180323 | 5.5.1.3 | False
Zillya | Trojan.Autoit.Win32.15796 | 20180323 | 2.0.0.3519 | True
Arcabit | Adware.Generic.DA6E1B | 20180323 | 1.0.0.831 | True
Cylance | Unsafe | 20180323 | 2.3.1.101 | True
Endgame | | 20180316 | 2.0.5 | False
Tencent | Win32.Trojan.Autoit.Wqdb | 20180323 | 1.0.0.1 | True
ViRobot | | 20180323 | 2014.3.20.0 | False
eGambit | | 20180323 | v4.3.5 | False
Ad-Aware | Adware.Generic.683547 | 20180323 | 3.0.3.1010 | True
AegisLab | Troj.W32.Autoit!c | 20180323 | 4.2 | True
Emsisoft | Adware.Generic.683547 (B) | 20180323 | 4.0.2.899 | True
F-Secure | | 20180323 | 11.0.19100.45 | False
Fortinet | W32/Banload.SZC!tr.dldr | 20180323 | 5.4.247.0 | True
Invincea | heuristic | 20180121 | 6.3.4.26036 | True
Jiangmin | | 20180323 | 16.0.100 | False
Kingsoft | | 20180323 | 2013.8.14.323 | False
Paloalto | generic.ml | 20180323 | 1.0 | True
Symantec | Trojan.Gen.2 | 20180323 | 1.5.0.0 | True
nProtect | | 20180323 | 2018-03-23.02 | False
AhnLab-V3 | Win-Trojan/Autoit.478720 | 20180323 | 3.12.0.20130 | True
Antiy-AVL | | 20180323 | 3.0.0.1 | False
Kaspersky | Trojan.Win32.Autoit.cdd | 20180323 | 15.0.1.13 | True
Microsoft | Trojan:Win32/Tiggre!rfn | 20180323 | 1.1.14600.4 | True
Qihoo-360 | Win32/Trojan.Dropper.c9f | 20180323 | 1.0.0.1120 | True
TheHacker | | 20180319 | 6.8.0.5.2551 | False
ZoneAlarm | Trojan.Win32.Autoit.cdd | 20180323 | 1.0 | True
ESET-NOD32 | Win32/TrojanDownloader.Banload.SZC | 20180323 | 17106 | True
TrendMicro | TROJ_DLOADER.A | 20180323 | 9.862.0.1074 | True
WhiteArmor | | 20180223 | | False
BitDefender | Adware.Generic.683547 | 20180323 | 7.2 | True
CrowdStrike | | 20170201 | 1.0 | False
K7AntiVirus | | 20180323 | 10.42.26598 | False
SentinelOne | static engine - malicious | 20180225 | 1.0.15.206 | True
Avast-Mobile | | 20180323 | 180323-04 | False
Malwarebytes | | 20180323 | 2.1.1.1115 | False
TotalDefense | Win32/SillyDl.RPQFREC | 20180323 | 37.1.62.1 | True
CAT-QuickHeal | Trojan.Autoit | 20180323 | 14.00 | True
NANO-Antivirus | Virus.Win32.Packed.delkgy | 20180323 | 1.0.100.22043 | True
MicroWorld-eScan | Adware.Generic.683547 | 20180323 | 14.0.297.0 | True
SUPERAntiSpyware | | 20180323 | 5.6.0.1032 | False
McAfee-GW-Edition | BehavesLike.Win32.Spyware.gc | 20180323 | v2015 | True
TrendMicro-HouseCall | TROJ_DLOADER.A | 20180323 | 9.950.0.1006 | True

total
66
sha256
aed491fdad1abfa34d24463d486d10267b3fca91fdd4b088854635d11c64cee2
scan_id
aed491fdad1abfa34d24463d486d10267b3fca91fdd4b088854635d11c64cee2-1521838305
resource
d91f6dffbdae03efdabf2e7a2edd4ff3
positives
41
scan_date
2018-03-23 20:51:45
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
Note: rows whose Path is C:\<name>.dll are the loader probing the application directory (C:\, where malware.exe was run) before C:\Windows\SysWOW64, which is the standard DLL search order and not an additional dropped file. The later schannel, ncrypt/bcrypt, cryptnet and CryptnetUrlCache activity is what an outbound TLS connection with certificate-chain validation looks like from the file system, consistent with the downloader classifications above.
Timestamp | Operation | PID | Process | Path | Name
10/3/2020 - 11:45:42.700 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
10/3/2020 - 11:45:42.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
10/3/2020 - 11:45:42.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
10/3/2020 - 11:45:42.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
10/3/2020 - 11:45:42.809 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
10/3/2020 - 11:45:42.809 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
10/3/2020 - 11:45:42.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
10/3/2020 - 11:45:42.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
10/3/2020 - 11:45:42.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
10/3/2020 - 11:45:42.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
10/3/2020 - 11:45:42.997 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
10/3/2020 - 11:45:42.997 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
10/3/2020 - 11:45:42.997 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
10/3/2020 - 11:45:43.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
10/3/2020 - 11:45:43.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
10/3/2020 - 11:45:43.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
10/3/2020 - 11:45:43.137 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
10/3/2020 - 11:45:43.184 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc6.DLL
10/3/2020 - 11:45:43.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
10/3/2020 - 11:45:43.184 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
10/3/2020 - 11:45:43.184 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
10/3/2020 - 11:45:43.184 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.231 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
10/3/2020 - 11:45:43.247 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
10/3/2020 - 11:45:43.247 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc.DLL
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
10/3/2020 - 11:45:43.247 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
10/3/2020 - 11:45:43.325 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
10/3/2020 - 11:45:43.325 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
10/3/2020 - 11:45:43.340 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll
10/3/2020 - 11:45:43.340 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
10/3/2020 - 11:45:43.340 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
10/3/2020 - 11:45:43.997 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
10/3/2020 - 11:45:43.997 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
10/3/2020 - 11:45:44.90 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.90 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
10/3/2020 - 11:45:44.200 | Open | 1480 | C:\malware.exe | C:\credssp.dll
10/3/2020 - 11:45:44.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\credssp.dll
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\credssp.dll
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\schannel.dll
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\schannel.dll
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:44.215 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:44.215 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:44.215 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:44.215 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\ncrypt.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ncrypt.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ncrypt.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\bcrypt.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcrypt.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcrypt.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll
10/3/2020 - 11:45:44.465 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | bcryptprimitives.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll
10/3/2020 - 11:45:44.465 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\bcryptprimitives.dll | bcryptprimitives.dll
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:44.465 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:44.465 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:44.465 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:44.465 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:44.481 | Open | 1480 | C:\malware.exe | C:\GPAPI.dll
10/3/2020 - 11:45:44.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\gpapi.dll
10/3/2020 - 11:45:44.481 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\gpapi.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\p2pcollab.dll
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\p2pcollab.dll | p2pcollab.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\p2pcollab.dll
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\p2pcollab.dll | p2pcollab.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\qagentrt.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\cryptnet.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptnet.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptnet.dll
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.590 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:44.590 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
10/3/2020 - 11:45:44.606 | Read | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
10/3/2020 - 11:45:44.606 | Read | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
10/3/2020 - 11:45:44.606 | Read | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
10/3/2020 - 11:45:44.606 | Read | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB | EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_7EDEB7FFEAD641837ADD19522E5A0B8C
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BEC6224B02D155A396218A2504F3EE0B
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\739F2FF4259CDC6CBE7B90F1A95601EF
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\SensApi.dll
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\SensApi.dll
10/3/2020 - 11:45:44.606 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\SensApi.dll
10/3/2020 - 11:45:44.668 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.668 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.668 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.668 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.668 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:44.668 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\WINHTTP.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\winhttp.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\webio.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\webio.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
10/3/2020 - 11:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
10/3/2020 - 11:45:44.840 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.840 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.840 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.840 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:44.840 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.75 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.75 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.75 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.75Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.75Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.75Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
10/3/2020 - 11:45:45.122Open1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Read1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Read1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Read1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.122Unknown1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E649235DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Monitor
10/3/2020 - 11:45:45.840Unknown1480C:\malware.exeC:\Monitor
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\firefox.com
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\firefox.com.exe
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:45.840Unknown1480C:\malware.exeC:\Monitor
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\firefox.com
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:45.840Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Monitor
10/3/2020 - 11:45:45.840Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Monitor
10/3/2020 - 11:45:45.840Unknown1480C:\malware.exeC:\Monitor
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\install.exe
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\install.exe.exe
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Windows
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Windows\SysWOW64\pt-BR\KernelBase.dll.muiKernelBase.dll.mui
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Monitor

Process
Trace

Analysis
Reason
Finished

Status
Successfully Executed

Results
1

Registry
Trace
Timestamp | Operation | PID | Process | Key | Value
10/3/2020 - 11:45:42.809 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable
10/3/2020 - 11:45:42.809 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer
10/3/2020 - 11:45:42.809 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyOverride
10/3/2020 - 11:45:42.809 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigURL
10/3/2020 - 11:45:42.809 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoDetect
10/3/2020 - 11:45:42.809 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings
10/3/2020 - 11:45:42.809 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix
10/3/2020 - 11:45:42.809 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix
10/3/2020 - 11:45:42.809 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
10/3/2020 - 11:45:43.247 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
10/3/2020 - 11:45:43.325 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
10/3/2020 - 11:45:43.325 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
10/3/2020 - 11:45:43.325 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
10/3/2020 - 11:45:43.325 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
10/3/2020 - 11:45:44.590 | Write | 1480 | C:\malware.exe | HKCU\Local Settings\MuiCache\5\96383CDB | LanguageList
10/3/2020 - 11:45:44.590 | Write | 1480 | C:\malware.exe | HKCU\Local Settings\MuiCache\5\96383CDB | LanguageList
10/3/2020 - 11:45:44.590 | Write | 1480 | C:\malware.exe | HKCU\Local Settings\MuiCache\5\96383CDB | LanguageList
10/3/2020 - 11:45:44.590 | Write | 1480 | C:\malware.exe | HKCU\Local Settings\MuiCache\5\96383CDB | LanguageList
10/3/2020 - 11:45:44.590 | Write | 1480 | C:\malware.exe | HKCU\Local Settings\MuiCache\5\96383CDB | LanguageList
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionReason
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionTime
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecision
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadNetworkName
10/3/2020 - 11:45:44.997 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDetectedUrl
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
10/3/2020 - 11:45:44.997 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
10/3/2020 - 11:45:44.997 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
10/3/2020 - 11:45:44.997 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
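The raw trace export runs its columns together (for example `10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\firefox.com.exe`, and for registry rows the key and value name are fused as well), so before the file and registry traces above can be searched they have to be split back into fields. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses lines in that raw form and applies a few triage rules to the behaviours visible here: the probes for double-extension executables under AppData\Roaming (firefox.com.exe, install.exe.exe), the Write/Delete on the WinINet proxy values, and the Wpad and CryptnetUrlCache writes, which WinINet and CryptoAPI produce themselves when a process makes an HTTPS request and which are therefore recorded as informational rather than as indicators on their own. The sample lines are copied from the traces on this page; the severity labels and the list of user-writable directories are the example's own assumptions.

```python
"""Parse run-together sandbox trace lines and apply a few triage rules."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Lines copied from the file and registry traces in this report; the exporter
# runs the columns together, so each line has to be split back into fields.
SAMPLE_TRACE = r"""
10/3/2020 - 11:45:45.122Write1480C:\malware.exeC:\Users\Behemot\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_AEBE2F2A3D3DA11E0CACF81FA46E6492
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\firefox.com.exe
10/3/2020 - 11:45:45.840Open1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\install.exe.exe
10/3/2020 - 11:45:45.856Unknown1480C:\malware.exeC:\Users\Behemot\AppData\Roaming\Microsoft\SystemCertificates\My
10/3/2020 - 11:45:42.809Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet SettingsProxyEnable
10/3/2020 - 11:45:42.809Delete1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet SettingsProxyServer
10/3/2020 - 11:45:43.325Write1480C:\malware.exeHKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3WpadDecisionReason
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} - \d{2}:\d{2}:\d{2}\.\d+)"
    r"(?P<op>Open|Read|Write|Delete|Unknown)"
    r"(?P<pid>\d+)"
    r"(?P<proc>[A-Za-z]:\\.+?\.exe)"                 # process image: stop at the first .exe
    r"(?P<target>(?:[A-Za-z]:\\|HK[A-Z]+\\).*)$"     # file path, or registry key with value name fused on
)

# WinINet stores these directly under Internet Settings; Write/Delete on them changes the proxy config.
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "ProxyOverride", "AutoConfigURL", "AutoDetect")
VERB = {"Write": "written", "Delete": "deleted"}
# Assumption for this example: directories a non-admin user can write to.
USER_WRITABLE = ("\\AppData\\Roaming\\", "\\AppData\\Local\\Temp\\", "\\Downloads\\")
DOUBLE_EXT_RE = re.compile(r"\.(exe|com|scr|bat|dll)\.(exe|com|scr|bat)$", re.I)


@dataclass
class Record:
    ts: str
    op: str
    pid: int
    proc: str
    target: str

    @property
    def kind(self) -> str:
        return "registry" if self.target.startswith("HK") else "file"


@dataclass
class Finding:
    severity: str   # "high", "medium" or "info" (labels are this example's own)
    reason: str
    record: Record


def parse_line(line: str) -> Optional[Record]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Record(m["ts"], m["op"], int(m["pid"]), m["proc"], m["target"])


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = rec.target
        if rec.kind == "registry":
            # Key and value name are fused, so match on "parent key + value name" as a suffix.
            for v in PROXY_VALUES:
                if t.endswith("Internet Settings" + v) and rec.op in VERB:
                    findings.append(Finding("medium", f"proxy setting {v} {VERB[rec.op]}", rec))
            if "\\Wpad\\" in t:
                # WinINet/WinHTTP write WPAD decision state on the first request;
                # by itself this is a side effect of making an HTTP call.
                findings.append(Finding("info", "WPAD auto-detect state written", rec))
            continue
        name = t.rsplit("\\", 1)[-1]
        in_user_dir = any(d.lower() in t.lower() for d in USER_WRITABLE)
        if in_user_dir and DOUBLE_EXT_RE.search(name):
            findings.append(Finding("high", f"double-extension executable in user-writable dir: {name}", rec))
        elif in_user_dir and name.lower().endswith(".exe"):
            findings.append(Finding("medium", f"executable in user-writable dir: {name}", rec))
        if "\\CryptnetUrlCache\\" in t and rec.op == "Write":
            findings.append(Finding("info", "CryptoAPI URL cache updated (CRL/OCSP fetch)", rec))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRACE.splitlines()):
        print(f"[{f.severity:6}] {f.record.ts} {f.record.op:7} {f.reason}")
```

Run against the seven sample lines this yields two high findings (the two double-extension probes), two medium (ProxyEnable written, ProxyServer deleted) and two informational (Wpad, CryptnetUrlCache); the SystemCertificates\My access produces nothing. The proxy rule is the one worth keeping an eye on: clearing ProxyServer and AutoConfigURL while writing ProxyEnable is exactly what a process does when it resets the user's proxy, but WinINet also rewrites these values when an application calls its option-setting APIs, so the finding is a reason to look at the sample's network behaviour, not a verdict on its own.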

File Summary
Created identified: True
Deleted identified: False

Process Summary
Created identified: False
Deleted identified: False

Registry Summary
Proxy identified: False
AutoRun identified: False
Created identified: True
Deleted identified: True
Browsers identified: False
Internet identified: True


DNS
Query
localhost → gateway:DNS    aihdownload.adobe.com.
localhost → gateway:DNS    dl.dropboxusercontent.com.
localhost → gateway:50273  dl.dropboxusercontent.com.

Response
gateway:DNS → localhost    dl.dropboxusercontent.com.  answer: 162.125.5.6

TCP
Info
localhost:65191 → 162.125.5.6:443
localhost:65192 → 192.16.58.8:80
192.16.58.8:80 → localhost:65192
162.125.5.6:443 → localhost:65191

UDP
Info
localhost:55394 → localhost:53
localhost:50273 → localhost:53
localhost:53 → localhost:50273
localhost:53 → localhost:55394
localhost:67 → localhost:68
localhost:68 → 255.255.255.255:67 (broadcast)

HTTP
Info
localhost  GET ocsp.digicert.com /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAVjKs1LcjoWx51wu2cBcuE%3D
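The single HTTP request is an OCSP query in the GET encoding of RFC 6960 Appendix A: the DER-encoded OCSPRequest, base64-encoded and then URL-encoded, carried in the path. Decoding it tells you which certificate the process was checking, which is how to confirm that this request, the CryptnetUrlCache writes in the file trace and the TLS connection to 162.125.5.6:443 (dl.dropboxusercontent.com, per the DNS response) belong to one certificate-validation sequence rather than to separate command-and-control traffic. The Python below is an added example and not part of the report: a minimal DER walker for the OCSPRequest structure that returns the CertID fields. The request path is copied from the HTTP line above; the OID table and the field labels are the example's own.

```python
"""Decode an OCSP-over-GET request path (RFC 6960, Appendix A) into its CertID fields."""
import base64
from urllib.parse import unquote

# Request path copied from the HTTP line in this report: GET ocsp.digicert.com/<url-encoded base64 DER>.
OCSP_PATH = ("/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj"
             "%2FkK8CB3U8zNllZGKiErhZcjsCEAVjKs1LcjoWx51wu2cBcuE%3D")

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_items(value: bytes):
    """Split the content of a SEQUENCE into its (tag, value) children."""
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        items.append((tag, v))
    return items


def decode_oid(value: bytes) -> str:
    """Decode a DER OBJECT IDENTIFIER body into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)           # base-128 arcs, high bit set on continuation bytes
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(path: str):
    """Return one dict per CertID in the request (normally exactly one)."""
    raw = base64.b64decode(unquote(path.lstrip("/")))
    tag, ocsp_request, _ = read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_request = der_items(ocsp_request)[0][1]           # optionalSignature [0], if present, is ignored
    # tbsRequest may begin with [0] version / [1] requestorName; requestList is the plain SEQUENCE.
    request_list = next(v for t, v in der_items(tbs_request) if t == 0x30)
    cert_ids = []
    for _, request in der_items(request_list):
        cert_id = der_items(request)[0][1]                 # reqCert; singleRequestExtensions skipped
        (_, alg), (_, name_hash), (_, key_hash), (_, serial) = der_items(cert_id)
        alg_oid = decode_oid(der_items(alg)[0][1])
        cert_ids.append({
            "hash_algorithm": HASH_OIDS.get(alg_oid, alg_oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),   # compare with the issuing CA's Subject Key Identifier
            "serial_number": serial.hex(),       # raw INTEGER bytes; may carry a leading 0x00 sign byte
        })
    return cert_ids


if __name__ == "__main__":
    for cid in decode_ocsp_get(OCSP_PATH):
        for k, v in cid.items():
            print(f"{k:17} {v}")
```

The decoded request asks about one certificate, identified by SHA-1 hashes of the issuer's name and public key plus the certificate's serial number. The issuer key hash equals the issuing CA's Subject Key Identifier when that CA derived its SKI by the usual method (SHA-1 of the public key, RFC 5280 section 4.2.1.2), so it can be matched against a local CA store to name the issuer; the serial number then identifies the exact end-entity certificate. SHA-1 here is the CertID hash algorithm that OCSP responders conventionally key on, not a signature algorithm, and says nothing about the strength of the certificate being checked.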

Summary
DNS: True
TCP: True
UDP: True
HTTP: True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 98.46%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 60.27%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 62.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 69.57%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 40.40%
suspicious: False
