Report #9589

  • Creation Date: March 13, 2020, 12:33 p.m.
  • Last Update: March 13, 2020, 2:16 p.m.
  • File: Comprovante_NOTA_713.exe
  • Results:
Binary
DLL
False
Size
371.50KB
trid
38.2% UPX compressed Win32 Executable
37.5% Win32 EXE Yoda's Crypter
9.2% Win32 Dynamic Link Library
6.3% Win32 Executable
2.8% OS/2 Executable
type
PE
wordsize
32
Subsystem
Windows GUI
Hashes
md5
4e0b784faf41e29f76770dbb4854a787
sha1
aeb611a3cc2812e8d026f23fc182134269177193
crc32
0x8f6e4c80
sha224
9e031e93822a679e701b0195671bb7b1a8285ff06b30b906a73d00e0
sha256
29189c0bb9182e69994d59247358a4ce5aa9e30b70399cba88a40481f3121b17
sha384
ea5724c5854b441aab3eeda5c17a0897e3cf24be676bf26ee2c03a1c0a6925600cf8e56ab10e43c3192aec2813851c24
sha512
c9fd3ae5cf42838d085cf26104ee294bb01a27c849b0294d20ffd95a56a9cde05375aaf11d141df5f0f913edd18b9ed032d39f50c2e07a3126fbfecc961875c1
ssdeep
6144:v4XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pz9:gXe9PPlowWX0t6mOQwg1Qd15CcYk0Wet
Community
Google
False
HashLib
False
YARA
Matches
domain, UPX_wwwupxsourceforgenet, screenshot, UPX_wwwupxsourceforgenet_additional, url, HasRichSignature, contentis_base64, yodas_Protector_v1033_dllocx_Ashkbiz_Danehkar_h, UPX, UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser, UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay, CRC32_poly_Constant, IP, IsPE32, PackerUPX_CompresorGratuito_wwwupxsourceforgenet, IsWindowsGUI, UPX_v0896_v102_v105_v124_Markus_Laszlo_overlay_additional, IsPacked

Suspicious
True

Strings
List
http://www.autoitscript.com/autoit3/
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
1.0.9.0
WSOCK32.dll
COMCTL32.dll
USERENV.dll
VERSION.dll
WININET.dll
WINMM.dll
UxTheme.dll
MPR.dll
3.3.10.2
FtpOpenFileW
<requestedPrivileges>
GetProcAddress
ExitProcess
VirtualAlloc
VirtualProtect
LoadLibraryA
GetDC
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
IcmpSendEcho
IPHLPAPI.DLL
<dependentAssembly>
</compatibility>
</dependentAssembly>
<application>
<dependency>
</dependency>
</application>

Foremost
Matches
0.exe, 371 KB
Suspicious
True
Heuristics
IPs
hasIPs: True
Allowed
Suspicious: 3.3.10.2, 0, Unknown
hasAllowed: False
hasSuspicious: True

URLs
Allowed
hasURLs: True
Suspicious: http://www.autoitscript.com/autoit3/
hasAllowed: False
hasSuspicious: True

Files
Allowed: ADVAPI32.dll, OLEAUT32.dll, VERSION.dll, WSOCK32.dll, SHELL32.dll, UxTheme.dll, PSAPI.DLL, COMCTL32.dll, ole32.dll, IPHLPAPI.DLL, USER32.dll, USERENV.dll, WININET.dll, GDI32.dll, WINMM.dll, KERNEL32.DLL, COMDLG32.dll, MPR.dll
hasFiles: True
Suspicious
hasAllowed: True
hasSuspicious: False

Binary
Sizes
RVA
RVA: 16
Suspicious: False
Code
Size: 36864
Suspicious: False
Image
Address: 4194304
Suspicious: False
Stack
Stack: 4096
Suspicious: False
Headers
Headers: 4096
Suspicious: False
Suspicious: False

Symbols
Number
Number: 0
Suspicious: True
Pointer
Pointer: 0
Suspicious: True
Directories
Number: 16
Suspicious: False

Checksum
Value: 0
Suspicious: True

Sections
Allowed: .rsrc
Suspicious: upx0, upx1
hasAllowed: True
hasSections: True
hasSuspicious: True

Versions
OS
Version: 5
Suspicious: False
Image
Version: 5
Suspicious: True
Linker
Version: 11.0
Suspicious: False
Subsystem
Version: 5.1
Suspicious: False
Suspicious: False

EntryPoint
Address: 921552
Suspicious: False

Anomalies
Anomalies: The header checksum and the calculated checksum do not match.
hasAnomalies: True

Libraries
Allowed: advapi32.dll, oleaut32.dll, version.dll, wsock32.dll, shell32.dll, uxtheme.dll, psapi.dll, comctl32.dll, ole32.dll, user32.dll, userenv.dll, wininet.dll, gdi32.dll, winmm.dll, kernel32.dll, comdlg32.dll, mpr.dll
hasLibs: True
Suspicious: iphlpapi.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Past: False
Valid: True
Value: 2014-05-13 18:32:21
Future: False

Compilation
Packed: True
Missing: False
Packers: UPX -> www.upx.sourceforge.net
Compiled: False
Compilers

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches
None
Suspicious
False
Disassembly
hasTricks
True
Tricks
pushret
none: 369
.rsrc: 11

pushpopmath
none: 264
.rsrc: 6

ss register
none: 2

garbagebytes
none: 169
.rsrc: 5

hookdetection
none: 2

software breakpoint
none: 12

fakeconditionaljumps
none: 5
.rsrc: 1

programcontrolflowchange
none: 166
.rsrc: 4

cpuinstructionsresultscomparison
none: 6

AVclass
banload
1
VirusTotal
md5
4e0b784faf41e29f76770dbb4854a787
sha1
aeb611a3cc2812e8d026f23fc182134269177193
SCANS (DETECTION RATE = 64.62%)
AVG
result: FileRepMetagen [Malware]
update: 20180323
version: 18.2.3827.0
detected: True

CMC
update: 20180323
version: 1.1.0.977
detected: False

MAX
result: malware (ai score=80)
update: 20180323
version: 2017.11.15.1
detected: True

Bkav
update: 20180322
version: 1.3.0.9466
detected: False

K7GW
result: Trojan-Downloader ( 00499a0d1 )
update: 20180323
version: 10.42.26598
detected: True

ALYac
result: Trojan.GenericKD.1679731
update: 20180323
version: 1.1.1.5
detected: True

Avast
result: FileRepMetagen [Malware]
update: 20180323
version: 18.2.3827.0
detected: True

Avira
result: TR/Dldr.Banload.tln.15
update: 20180323
version: 8.3.3.6
detected: True

Baidu
update: 20180323
version: 1.0.0.2
detected: False

Cyren
result: W32/GenBl.4E0B784F!Olympus
update: 20180323
version: 5.4.30.7
detected: True

DrWeb
update: 20180323
version: 7.0.28.2020
detected: False

GData
result: Trojan.GenericKD.1679731
update: 20180323
version: A:25.16481B:25.11861
detected: True

Panda
result: Trj/CI.A
update: 20180323
version: 4.6.4.2
detected: True

VBA32
result: Trojan-Downloader.Autoit.gen
update: 20180323
version: 3.12.28.0
detected: True

VIPRE
result: Trojan.Win32.Generic.pak!cobra
update: 20180323
version: 65478
detected: True

Zoner
update: 20180323
version: 1.0
detected: False

AVware
result: Trojan.Win32.Generic.pak!cobra
update: 20180323
version: 1.5.0.42
detected: True

ClamAV
update: 20180323
version: 0.99.2.0
detected: False

Comodo
result: .UnclassifiedMalware
update: 20180323
version: 28733
detected: True

F-Prot
update: 20180323
version: 4.7.1.166
detected: False

Ikarus
result: Trojan.SuspectCRC
update: 20180323
version: 0.1.5.2
detected: True

McAfee
result: Artemis!4E0B784FAF41
update: 20180323
version: 6.0.6.653
detected: True

Rising
update: 20180323
version: 25.0.0.1
detected: False

Sophos
result: Mal/Autoit-U
update: 20180323
version: 4.98.0
detected: True

Yandex
update: 20180323
version: 5.5.1.3
detected: False

Zillya
result: Downloader.Genome.Win32.51464
update: 20180323
version: 2.0.0.3519
detected: True

Arcabit
result: Trojan.Generic.D19A173
update: 20180323
version: 1.0.0.831
detected: True

Cylance
result: Unsafe
update: 20180323
version: 2.3.1.101
detected: True

Endgame
update: 20180316
version: 2.0.5
detected: False

Tencent
result: Win32.Trojan-downloader.Genome.Pdct
update: 20180323
version: 1.0.0.1
detected: True

ViRobot
update: 20180323
version: 2014.3.20.0
detected: False

eGambit
update: 20180323
version: v4.3.5
detected: False

Ad-Aware
result: Trojan.GenericKD.1679731
update: 20180323
version: 3.0.3.1010
detected: True

AegisLab
result: Troj.Downloader.W32.Genome.gwyg!c
update: 20180323
version: 4.2
detected: True

Emsisoft
result: Trojan.GenericKD.1679731 (B)
update: 20180323
version: 4.0.2.899
detected: True

F-Secure
result: Trojan.GenericKD.1679731
update: 20180323
version: 11.0.19100.45
detected: True

Fortinet
result: W32/Banload.TLN!tr.dldr
update: 20180323
version: 5.4.247.0
detected: True

Invincea
update: 20180121
version: 6.3.4.26036
detected: False

Jiangmin
update: 20180323
version: 16.0.100
detected: False

Kingsoft
update: 20180323
version: 2013.8.14.323
detected: False

Paloalto
result: generic.ml
update: 20180323
version: 1.0
detected: True

Symantec
result: Trojan Horse
update: 20180323
version: 1.5.0.0
detected: True

nProtect
update: 20180323
version: 2018-03-23.02
detected: False

AhnLab-V3
update: 20180323
version: 3.12.0.20130
detected: False

Antiy-AVL
result: Trojan/Win32.Inject
update: 20180323
version: 3.0.0.1
detected: True

Kaspersky
result: Trojan-Downloader.Win32.Genome.gwyg
update: 20180323
version: 15.0.1.13
detected: True

Microsoft
update: 20180323
version: 1.1.14600.4
detected: False

Qihoo-360
result: HEUR/Malware.QVM11.Gen
update: 20180323
version: 1.0.0.1120
detected: True

TheHacker
update: 20180319
version: 6.8.0.5.2551
detected: False

ZoneAlarm
result: Trojan-Downloader.Win32.Genome.gwyg
update: 20180323
version: 1.0
detected: True

ESET-NOD32
result: a variant of Win32/TrojanDownloader.Banload.TLN
update: 20180323
version: 17107
detected: True

TrendMicro
result: TROJ_BANLOAD.ZAA
update: 20180323
version: 9.862.0.1074
detected: True

BitDefender
result: Trojan.GenericKD.1679731
update: 20180323
version: 7.2
detected: True

CrowdStrike
result: malicious_confidence_60% (W)
update: 20170201
version: 1.0
detected: True

K7AntiVirus
result: Trojan-Downloader ( 00499a0d1 )
update: 20180323
version: 10.42.26598
detected: True

SentinelOne
result: static engine - malicious
update: 20180225
version: 1.0.15.206
detected: True

Avast-Mobile
update: 20180323
version: 180323-04
detected: False

Malwarebytes
update: 20180323
version: 2.1.1.1115
detected: False

TotalDefense
update: 20180323
version: 37.1.62.1
detected: False

CAT-QuickHeal
result: Trojan.Sisproc
update: 20180323
version: 14.00
detected: True

NANO-Antivirus
result: Trojan.Win32.TrjGen.cywlch
update: 20180323
version: 1.0.100.22043
detected: True

MicroWorld-eScan
result: Trojan.GenericKD.1679731
update: 20180323
version: 14.0.297.0
detected: True

SUPERAntiSpyware
update: 20180323
version: 5.6.0.1032
detected: False

McAfee-GW-Edition
result: BehavesLike.Win32.ZvuZona.fc
update: 20180323
version: v2015
detected: True

TrendMicro-HouseCall
result: TROJ_BANLOAD.ZAA
update: 20180323
version: 9.950.0.1006
detected: True

total
65
sha256
29189c0bb9182e69994d59247358a4ce5aa9e30b70399cba88a40481f3121b17
scan_id
29189c0bb9182e69994d59247358a4ce5aa9e30b70399cba88a40481f3121b17-1521845507
resource
4e0b784faf41e29f76770dbb4854a787
positives
42
scan_date
2018-03-23 22:51:47
verbose_msg
Scan finished, information embedded
response_code
1
File
Trace
Timestamp | Operation | PID | Process | Path (| Name)
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll | api-ms-win-downlevel-shlwapi-l2-1-0.dll
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
13/3/2020 - 13:45:43.715 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\mswsock.dll
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
13/3/2020 - 13:45:43.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
13/3/2020 - 13:45:43.887 | Open | 1480 | C:\malware.exe | C:\DNSAPI.dll
13/3/2020 - 13:45:43.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
13/3/2020 - 13:45:43.887 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dnsapi.dll
13/3/2020 - 13:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
13/3/2020 - 13:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\netprofm.dll
13/3/2020 - 13:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
13/3/2020 - 13:45:44.28 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\nlaapi.dll
13/3/2020 - 13:45:44.75 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc6.DLL
13/3/2020 - 13:45:44.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
13/3/2020 - 13:45:44.75 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
13/3/2020 - 13:45:44.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll
13/3/2020 - 13:45:44.75 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc6.dll | dhcpcsvc6.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\CRYPTSP.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\cryptsp.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rsaenh.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\RpcRtRemote.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
13/3/2020 - 13:45:44.122 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll
13/3/2020 - 13:45:44.122 | Unknown | 1480 | C:\malware.exe | C:\Windows\SysWOW64\RpcRtRemote.dll | RpcRtRemote.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\dhcpcsvc.DLL
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\dhcpcsvc.dll
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
13/3/2020 - 13:45:44.122 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
13/3/2020 - 13:45:44.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
13/3/2020 - 13:45:44.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\npmproxy.dll
13/3/2020 - 13:45:44.200 | Open | 1480 | C:\malware.exe | C:\rasadhlp.dll
13/3/2020 - 13:45:44.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
13/3/2020 - 13:45:44.200 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\rasadhlp.dll
13/3/2020 - 13:45:44.653 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
13/3/2020 - 13:45:44.653 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\FWPUCLNT.DLL
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\malware.exe.Local
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
13/3/2020 - 13:45:44.715 | Unknown | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ws2_32.dll
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
13/3/2020 - 13:45:44.715 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\WSHTCPIP.DLL
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wship6.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:44.731 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wshqos.dll
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
13/3/2020 - 13:45:45.75 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Temp\catoco\uwinmag.exe
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwinmag.exe
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Temp\catoco
13/3/2020 - 13:45:45.75 | Unknown | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Temp\catoco
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Monitor
13/3/2020 - 13:45:45.75 | Unknown | 1480 | C:\malware.exe | C:\Monitor
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Temp\catoco\uwinmag.exe
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Users\Behemot\AppData\Local\Temp\catoco\uwinmag.exe.exe
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat
13/3/2020 - 13:45:45.75 | Read | 1480 | C:\malware.exe | C:\Windows\Fonts\StaticCache.dat | StaticCache.dat
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
13/3/2020 - 13:45:45.75 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\ole32.dll
13/3/2020 - 13:45:45.325 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll
13/3/2020 - 13:45:45.325 | Open | 1480 | C:\malware.exe | C:\Windows\SysWOW64\wininet.dll

Process
Trace

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace
Timestamp | Operation | PID | Process | Key | Value
13/3/2020 - 13:45:43.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable
13/3/2020 - 13:45:43.715 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyServer
13/3/2020 - 13:45:43.715 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyOverride
13/3/2020 - 13:45:43.715 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoConfigURL
13/3/2020 - 13:45:43.715 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | AutoDetect
13/3/2020 - 13:45:43.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings
13/3/2020 - 13:45:43.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix
13/3/2020 - 13:45:43.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix
13/3/2020 - 13:45:43.715 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet
13/3/2020 - 13:45:44.122 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect
13/3/2020 - 13:45:44.200 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
13/3/2020 - 13:45:44.200 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
13/3/2020 - 13:45:44.200 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
13/3/2020 - 13:45:44.200 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionReason
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecisionTime
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDecision
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadNetworkName
13/3/2020 - 13:45:45.528 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60} | WpadDetectedUrl
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
13/3/2020 - 13:45:45.528 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionReason
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecisionTime
13/3/2020 - 13:45:45.528 | Write | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDecision
13/3/2020 - 13:45:45.528 | Delete | 1480 | C:\malware.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3 | WpadDetectedUrl

File Summary
Created
Identified: False

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: False

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: True

Browsers
Identified: False

Internet
Identified: True


DNS
Query
localhost -> gateway:DNS  alimomoh.com.ng.
localhost -> gateway:50273  alimomoh.com.ng.

Response
gateway:DNS -> localhost  alimomoh.com.ng. reply 192.185.119.91


TCP
Info
localhost:65191 -> 192.185.119.91:80
192.185.119.91:80 -> localhost:65191

UDP
Info
localhost:53 -> localhost:50273
localhost:50273 -> localhost:53
localhost:67 -> localhost:68
localhost:68 -> 255.255.255.255:67

HTTP
Info
localhost GET alimomoh.com.ng /plugins/captcha/recaptcha/uwinmag.exe

Summary
DNS
True

TCP
True

UDP
True

HTTP
True

Results
BINARY
KNN (K=3, NFS-BRMalware)
confidence: 66.67%
suspicious: False

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: True

SVC (Kernel=Linear, NFS-BRMalware)
confidence: 98.60%
suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 89.94%
suspicious: False

Random Forest (100 estimators, NFS-BRMalware)
confidence: 62.00%
suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 69.52%
suspicious: True

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 60.29%
suspicious: False
