Report #6637

(1)

Binary

DLL False

Size 2.08MB

trid 45.5% Win32 Executable Borland Delphi 7

30.9% Win32 Executable Borland Delphi 5 18.0% Win32 Executable Borland Delphi 6 2.9% InstallShield setup

0.9% Win32 Executable Delphi generic

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 cbc3f9685f0da01dfac0769f9fa42d53

sha1 e82283fd14ec769ba7d63e6c7a794c4187c564ad

crc32 0x19616b51

sha224 bdfb13d77986cd3750a4ac9d0e459ab78448d5230875cf7f691c383a

sha256 3375c73ca7ee0332ef120b0d7a373a6c7cae2e337ac4ffe4360b2c67c20afba f

sha384 6eb30fa77fc2bd31a47775fdd271d0688af5797379323e6042577dc55aeb7f 22724591628a376055db20af98f37fea5b

sha512 07bc4be7f3d2e59fc9e90bff6abde55cd8c311de036f14764332ea03ae94586 ff4a670e3e1b0114974657118a3247359a7b4dc638e0b3258429ca31fb875 1132

ssdeep 24576:/I7jAhA0Z8WDAXziERoKxgJ4eXjjVxtI8B7I7b4vkE3kp8Vxaf1+I5mPkr5 zYa/D:goJDEyKeJ4ezjZ5kE28Vxaf17B2TP4T

Report #6637

Creation Date: Feb. 18, 2020, 1:39 p.m.

Last Update: Feb. 18, 2020, 5:52 p.m.

File:

IMG_20131123_210522.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches domain, Borland, Borland_Delphi_30_, network_dropper, CRC32_poly_Const ant, BASE64_table, Delphi_DecodeDate, RIPEMD160_Constants, borland_de lphi, Delphi_FormShow, network_dns, network_tcp_listen, CRC32_table, Micr osoft_Visual_Cpp_v50v60_MFC, network_irc, win_files_operation, IsPE32, wi n_hook, RijnDael_AES_CHAR, contentis_base64, network_tcp_socket, screen shot, Borland_Delphi_v40_v50, keylogger, win_mutex, Borland_Delphi_40_a dditional, Borland_Delphi_40, Delphi_Random, IsWindowsGUI, network_udp_

sock, Delphi_Copy, anti_dbg, Borland_Delphi_Setup_Module, Borland_Delphi _DLL, url, SHA1_Constants, win_registry, Delphi_CompareCall, RijnDael_AES _LONG, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30

Suspicious True

Strings

List

the appropriate version of this product at http://www.componentace.com Web site: http://www.componentace.com

t.Ht

HoverFont.Name HoverFont.Style Uh.rS

Font.Style Font.Name Font.Style Font.Name

BoundLabel.Active BoundLabel.Active BoundLabel.Active BoundLabel.Active BoundLabel.Active BoundLabel.Active BoundLabel.Active BoundLabel.Active

Invalid compressed size, rfs.size = %d, count = %d

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group feel free to contact us at [email protected]

t.hK C.Ph

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

E:\NOVOTUDO\ARQUIVOS TEMPORARIO\bsf1010\bsf1010\bsEffects.pas E:\NOVOTUDO\ARQUIVOS TEMPORARIO\bsf1010\bsf1010\bsEffects.pas

(3)

E:\NOVOTUDO\ARQUIVOS TEMPORARIO\bsf1010\bsf1010\bsEffects.pas E:\NOVOTUDO\ARQUIVOS TEMPORARIO\bsf1010\bsf1010\bsEffects.pas F.Ph

clGreen Pen.Style

\Software\Borland\C++Builder

\Software\Borland\Delphi P.rsrc

Options.dat Options.dat Options.dat

SOFTWARE\Borland\Delphi\RTL Delphi%.8X

Software\Borland\Locales Software\Borland\Delphi\Locales

\Software\Borland\BDS

\log.txt comctl32.dll msimg32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll msimg32.dll version.dll uxtheme.dll vcltest3.dll ThirdPanels urlmon.dll dwmapi.dll Network is down.

RdPS

Host is down.

BS_CALC_BACKSPACE

Hashed list of file names is invalid Username

Username

The compression scheme is Password for "%s"

EDIT_DELETE=Delete Socket Error # %d OnDeleteError OnDeleteError OnDeleteError

;s4tG

""fD**~T +IdTCPServer

CLSID\%s\InProcServer32 UhB/R

UhB\A

ControlOfs%.8X%.8X WndProcPtr%.8X%.8X fkCalculated

Calculated Bad address.

5%5E5a5~5 N&oToAll &YesToAll TRecordsetReasonEvent Connected.

(4)

2%3F3T3\3a3l3r3 JumpID("","%s")

Host not found.)"%s" DOMImplementation already registered TabStop8fD

TabStop8fD

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

- Dock zone has no control OnPasswordp

SkinSection8fD BorderStyle8fD BorderWidth8fD showfocus showfocus showfocus showfocus

Foremost

Matches 4236.bmp, 774 B, 0.exe, 2 MB, 4179.png, 3 KB, 4185.png, 3 KB, 4192.png, 3 KB, 4204.png, 1 KB, 4206.png, 1 KB, 4208.png, 417 B, 4209.png, 1 KB, 4 212.png, 1 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: True

Suspicious: http://www.componentace.com hasAllowed: False

hasSuspicious: True

Files Allowed: MAPI32.DLL, DWMAPI.DLL, mtxex.dll, WS2_32.DLL, user32.dll, uxt heme.dll, comctl32.dll, ole32.dll, imm32.dll, advapi32.dll, gdi32.dll, urlmon.

dll, oleaut32.dll, kernel32.dll, vcltest3.dll, version.dll, shell32.dll, MIDAS.DLL , msimg32.dll

hasFiles: True

Suspicious: Options.dat, 2.tmp, 1.tmp, \log.txt hasAllowed: True

Binary

Sizes RVA

RVA: 16

(5)

Suspicious: False Code

Size: 322048 Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 16384 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 0

Suspicous: True

Sections Allowed: code, data, bss, .idata, .tls, .rdata, .reloc, .rsrc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 4

Suspicious: False Image

Version: True Suspicious: 4 Linker

Version: 2.25 Suspicious: False Subsystem

Version: 4.0 Suspicious: False Suspicious: False

EntryPoint Address: 1857140

Suspicious: False

(6)

tch.

hasAnomalies: True

Libraries Allowed: mapi32.dll, dwmapi.dll, mtxex.dll, ws2_32.dll, user32.dll, uxthem e.dll, comctl32.dll, ole32.dll, imm32.dll, advapi32.dll, gdi32.dll, urlmon.dll, o leaut32.dll, kernel32.dll, version.dll, shell32.dll, msimg32.dll

hasLibs: True

Suspicious: vcltest3.dll, midas.dll hasAllowed: True

Timestamp Past: True

Valid: True

Value: 1992-06-19 19:22:17 Future: False

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.

0

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushret none: 276

.rsrc: 14

pushpopmath none: 52

.rsrc: 32 .reloc: 67

ss register .reloc: 1

(7)

garbagebytes none: 266 .rsrc: 1

hookdetection none: 6

.rsrc: 1 .reloc: 6

software breakpoint none: 21 .rsrc: 1 .reloc: 22

programcontrolflowchange none: 266 .rsrc: 1

cpuinstructionsresultscomparison none: 51 .rsrc: 66 .reloc: 2

AVclass

banload 1

VirusTotal

md5 cbc3f9685f0da01dfac0769f9fa42d53

sha1 e82283fd14ec769ba7d63e6c7a794c4187c564ad

SCANS (DETECTION RATE = 58.82%)

AVG result: Win32:Malware-gen

update: 20180216 version: 18.1.3800.0 detected: True

CMC update: 20180216

version: 1.1.0.977 detected: False

MAX result: malware (ai score=100)

(8)

K7GW result: Trojan-Downloader ( 005176741 )

update: 20180216 version: 10.40.26234 detected: True

ALYac result: Gen:Variant.Zusy.257550

Avast result: Win32:Malware-gen

Avira result: TR/Dldr.Delphi.obmwf

Baidu update: 20180208

Cyren result: W32/Trojan.FDBG-4096

DrWeb update: 20180216

GData result: Gen:Variant.Zusy.257550

update: 20180216

version: A:25.16049B:25.11597 detected: True

Panda result: Trj/GdSda.A

(9)

VIPRE result: Trojan.Win32.Generic!BT

update: 20180216 version: 64642 detected: True

Zoner update: 20180216

version: 1.0 detected: False

AVware result: Trojan.Win32.Generic!BT

ClamAV update: 20180216

Comodo update: 20180216

version: 28535 detected: False

F-Prot update: 20180216

Ikarus result: Trojan-Downloader.Win32.Banload update: 20180216

version: 0.1.5.2 detected: True

McAfee result: Trojan-FNXL!CBC3F9685F0D

Rising update: 20180216

Sophos result: Mal/Generic-S

update: 20180216 version: 4.98.0

(10)

Yandex result: Trojan.DL.Banload!LGV70by0q8g update: 20180216

Zillya result: Downloader.Banload.Win32.83154

Arcabit result: Trojan.Zusy.D3EE0E

Cylance update: 20180216

Endgame result: malicious (high confidence) update: 20180214

version: 1.2.0 detected: True

Tencent result: Win32.Trojan.Dldr.Tcbz

ViRobot update: 20180216

Webroot update: 20180216

eGambit result: Unsafe.AI_Score_99%

update: 20180216 version: v4.3.4 detected: True

Ad-Aware result: Gen:Variant.Zusy.257550

update: 20180216 version: 3.0.3.1010

(11)

AegisLab result: Troj.Gen!c update: 20180216 version: 4.2 detected: True

Emsisoft update: 20180216

F-Secure result: Gen:Variant.Zusy.257550

Fortinet result: W32/Banload.YAC!tr.dldr

Invincea update: 20180121

Jiangmin update: 20180216

version: 16.0.100 detected: False

Kingsoft update: 20180216

Paloalto result: generic.ml

update: 20180216 version: 1.0 detected: True

Symantec result: Trojan.Gen.2

nProtect update: 20180216

version: 2018-02-16.02 detected: False

(12)

AhnLab-V3 update: 20180216 version: 3.11.3.19504 detected: False

Antiy-AVL result: Trojan/Win32.TSGeneric update: 20180216

Kaspersky result: HEUR:Trojan-Downloader.Win32.Banload.gen update: 20180216

Microsoft update: 20180216

Qihoo-360 update: 20180216

TheHacker update: 20180213

version: 6.8.0.5.2403 detected: False

ZoneAlarm result: HEUR:Trojan-Downloader.Win32.Banload.gen update: 20180216

version: 1.0 detected: True

Cybereason result: malicious.85f0da

update: 20180205 version: 1.2.27 detected: True

ESET-NOD32 result: a variant of Win32/TrojanDownloader.Banload.WLC update: 20180216

version: 16915 detected: True

TrendMicro result: TROJ_GEN.R002C0OIG17

(13)

detected: False

BitDefender result: Gen:Variant.Zusy.257550 update: 20180216

CrowdStrike result: malicious_confidence_90% (D) update: 20170201

K7AntiVirus result: Trojan-Downloader ( 005176741 ) update: 20180216

version: 10.40.26233 detected: True

SentinelOne result: static engine - malicious update: 20180115

Avast-Mobile update: 20180216

version: 180216-02 detected: False

Malwarebytes update: 20180216

TotalDefense update: 20180216

CAT-QuickHeal result: Trojan.IGENERIC update: 20180216 version: 14.00 detected: True

NANO-Antivirus update: 20180216

MicroWorld-eScan result: Gen:Variant.Zusy.257550 update: 20180216

version: 14.0.297.0

(14)

SUPERAntiSpyware update: 20180216 version: 5.6.0.1032 detected: False

McAfee-GW-Edition result: BehavesLike.Win32.Dropper.vh update: 20180216

version: v2015 detected: True

TrendMicro-HouseCall result: TROJ_GEN.R002C0OIG17 update: 20180216

total 68

sha256 3375c73ca7ee0332ef120b0d7a373a6c7cae2e337ac4ffe4360b2c67c20afba f

scan_id 3375c73ca7ee0332ef120b0d7a373a6c7cae2e337ac4ffe4360b2c67c20afba f-1518791722

resource cbc3f9685f0da01dfac0769f9fa42d53

permalink https://www.virustotal.com/file/3375c73ca7ee0332ef120b0d7a373a6c7cae 2e337ac4ffe4360b2c67c20afbaf/analysis/1518791722/

positives 40

scan_date 2018-02-16 14:35:22

verbose_msg Scan finished, information embedded

response_code 1

File

Trace

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 20 - 16:

45:43.8 25

U nk no w

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

(15)

n

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:43.8 25

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor

18/2/20 20 - 16:

45:43.8 25

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 20 - 16:

45:43.8 25

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\propsys.dll

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\propsys.dll

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Cache s

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Cache s\cversions.1.db

18/2/20 1 C:\m

(16)

20 - 16:

45:43.8 25

O pe n

4 8 0

alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Cache s

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Cache s\cversions.1.db

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Cache s\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x00 00000000000000.db

18/2/20 20 - 16:

45:43.8 25

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\Desktop\desktop.ini

18/2/20 20 - 16:

45:43.8 25

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:43.8 25

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\WindowsCodecs.dll

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\WindowsCodecs.dll

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\WindowsCodecs.dll WindowsCodecs.dll

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\WindowsCodecs.dll

18/2/20 20 - 16:

45:43.9 U nk no w

1 4 8

C:\m alwa

re.e C:\Windows\SysWOW64\WindowsCodecs.dll WindowsCodecs.dll

(17)

03 n 0 xe

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\apphelp.dll

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\apphelp.dll

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\apphelp.dll

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\EhStorShell.dll

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\EhStorShell.dll EhStorShell.dll

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\AppPatch\sysmain.sdb

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

(18)

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:43.9 03

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:43.9 03

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:43.9 03

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 1 C:\m

(19)

45:43.9 65

ad 8 0

re.e xe

18/2/20 20 - 16:

45:44.1 2

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.5 9

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.1 06

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui

18/2/20 20 - 16:

45:44.1 53

Re ad

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui EhStorShell.dll.mui

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui EhStorShell.dll.mui

(20)

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 Re ad

1 4 8

C:\m alwa

re.e C:\Windows\SysWOW64\EhStorShell.dll EhStorShell.dll

(21)

00 0 xe

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\ntshrui.dll

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\AppPatch\sysmain.sdb

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows

(22)

18/2/20 20 - 16:

45:44.2 00

nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:44.2 00

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 15

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 15

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 15

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 O pe n

1 4 8

C:\m alwa

re.e C:\Windows\SysWOW64\ntshrui.dll

(23)

18/2/20 20 - 16:

45:44.2 15

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 15

Re ad

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 31

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 31

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 31

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.2 31

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\srvcli.dll

18/2/20 20 - 16:

45:44.2 31

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\srvcli.dll

18/2/20 20 - 16:

45:44.2 31

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\srvcli.dll

18/2/20 20 - 16:

45:44.3 09

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\cscapi.dll

18/2/20 20 - 16:

45:44.3 09

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\cscapi.dll

18/2/20 20 - 16:

45:44.3 09

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\cscapi.dll

(24)

18/2/20 20 - 16:

45:44.4 97

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\slc.dll

18/2/20 20 - 16:

45:44.4 97

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\slc.dll

18/2/20 20 - 16:

45:44.4 97

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\slc.dll

18/2/20 20 - 16:

45:44.6 84

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\imageres.dll

18/2/20 20 - 16:

45:44.6 84

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.6 84

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.6 84

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 18

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\pt-BR\imageres.dll.mui

18/2/20 20 - 16:

45:44.9 18

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\System32\pt-BR\imageres.dll.mui

18/2/20 20 - 16:

45:44.9 18

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\windows\SysWOW64\pt\imageres.dll.mui

18/2/20 20 - 16:

45:44.9 18

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\en-US\imageres.dll.mui

(25)

18/2/20 20 - 16:

45:44.9 18

Re ad

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\en-US\imageres.dll.mui imageres.dll.mui

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

(26)

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:44.9 65

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

(27)

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

(28)

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

(29)

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w

1 4 8 0

C:\m alwa re.e xe

(30)

n

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 O pe

1 4 8

C:\m alwa

re.e C:\Windows\SysWOW64\imageres.dll

(31)

2 n 0 xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16: O

pe 1 4

C:\m

alwa C:\Windows\SysWOW64\imageres.dll

(32)

45:45.1 2

n 8 0

re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20

O 1 C:\m

(33)

45:45.1 2

pe n

8 0

re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

(34)

20 - 16:

45:45.1 2

O pe n

4 8 0

alwa re.e xe

18/2/20 20 - 16:

45:45.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.2 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe

18/2/20 20 - 16:

45:45.2 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe

18/2/20 20 - 16:

45:45.2 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe

18/2/20 20 - 16:

45:45.2 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 1 C:\m

(35)

20 - 16:

45:45.2 8

O pe n

4 8 0

alwa re.e xe

C:\

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\

18/2/20 20 - 16:

45:45.2 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor

18/2/20 20 - 16:

45:45.2 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 20 - 16:

45:45.2 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Monitor\Malware

18/2/20 20 - 16:

45:45.7 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\malware.exe.Local

18/2/20 20 - 16:

45:45.7 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\winsxs\x86_microsoft.windows.c..-controls.reso urces_6595b64144ccf1df_5.82.7600.16385_pt-br_039faf2d 05cfba61

18/2/20 20 - 16:

45:45.1 68

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

45:45.1 68

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20

20 - 16: O 1 4

C:\m

alwa C:\Windows\winsxs\x86_microsoft.windows.c..-controls.reso

(36)

45:45.1 68

pe n

8 0

re.e xe

urces_6595b64144ccf1df_5.82.7600.16385_pt-br_039faf2d 05cfba61\comctl32.dll.mui

18/2/20 20 - 16:

45:45.2 15

Re ad

1 4 8 0

C:\m alwa re.e xe

C:\Windows\winsxs\x86_microsoft.windows.c..-controls.reso urces_6595b64144ccf1df_5.82.7600.16385_pt-br_039faf2d 05cfba61\comctl32.dll.mui

comctl32.dll.mui

18/2/20 20 - 16:

46:5.48 1

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\Fonts\roman.fon

18/2/20 20 - 16:

46:5.48 1

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Program Files (x86)\Common Files\System\ado\msado15 .dll

18/2/20 20 - 16:

46:5.52 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Program Files (x86)\Common Files\System\ado\msado15 .dll

18/2/20 20 - 16:

46:5.95 0

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Program Files (x86)\Common Files\System\ado\MSDART.

DLL

18/2/20 20 - 16:

46:5.95 0

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\msdart.dll

18/2/20 20 - 16:

46:5.99 7

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\msdart.dll

18/2/20 20 - 16:

46:7.63 7

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\SORCE5R478

18/2/20 20 - 16:

46:8.76 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:8.76 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming

18/2/20 U

nk 1 C:\m

(37)

46:8.76 2

no w n

8 0

re.e xe

18/2/20 20 - 16:

46:8.76 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:8.76 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1 -0.dll

18/2/20 20 - 16:

46:9.77 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

api-ms-win-downlevel-shlwapi- l2-1-0.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.77 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

api-ms-win-downlevel-shlwapi- l2-1-0.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Secur32.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\secur32.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\secur32.dll

(38)

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Tempo rary Internet Files

18/2/20 20 - 16:

46:9.77 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\api-ms-win-downlevel-advapi32-l2-1-0.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2- 1-0.dll

18/2/20 20 - 16:

46:9.77 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

api-ms-win-downlevel-advapi3 2-l2-1-0.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.77 8

U nk no w n

1 4 8 0

C:\m alwa re.e xe

api-ms-win-downlevel-advapi3 2-l2-1-0.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Tempo rary Internet Files\counters.dat

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\winhttp.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\winhttp.dll

18/2/20

O 1 C:\m

(39)

46:9.77 8

pe n

8 0

re.e xe

C:\Windows\SysWOW64\webio.dll

18/2/20 20 - 16:

46:9.77 8

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\webio.dll

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCerti ficates\My\Certificates

18/2/20 20 - 16:

46:9.82 5

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCerti ficates\My\Certificates

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCerti ficates\My\CRLs

18/2/20 20 - 16:

46:9.82 5

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCerti ficates\My\CRLs

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCerti ficates\My\CTLs

18/2/20 20 - 16:

46:9.82 5

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\SystemCerti ficates\My\CTLs

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\IPHLPAPI.DLL

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\IPHLPAPI.DLL

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\IPHLPAPI.DLL

(40)

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\WINNSI.DLL

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\winnsi.dll

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\winnsi.dll

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\DNSAPI.dll

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dnsapi.dll

18/2/20 20 - 16:

46:9.82 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dnsapi.dll

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\mswsock.dll

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\mswsock.dll

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\wship6.dll

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\wship6.dll

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

(41)

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Tempo rary Internet Files\Content.IE5

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Tempo rary Internet Files\Content.IE5

18/2/20 1 C:\m

(42)

46:9.87 2

pe n

8 0

re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Co okies

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 U nk no w

1 4 8

C:\m alwa re.e

(43)

n

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Histor y

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:9.87 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Histor y\History.IE5

(44)

18/2/20 20 - 16:

46:9.87 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\Histor y\History.IE5

18/2/20 20 - 16:

46:9.96 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\netprofm.dll

18/2/20 20 - 16:

46:9.96 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\netprofm.dll

18/2/20 20 - 16:

46:9.96 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\nlaapi.dll

18/2/20 20 - 16:

46:9.96 5

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\nlaapi.dll

18/2/20 20 - 16:

46:10.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\dhcpcsvc6.DLL

18/2/20 20 - 16:

46:10.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dhcpcsvc6.dll

18/2/20 20 - 16:

46:10.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dhcpcsvc6.dll dhcpcsvc6.dll

18/2/20 20 - 16:

46:10.1 2

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dhcpcsvc6.dll

18/2/20 20 - 16:

46:10.1 2

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dhcpcsvc6.dll dhcpcsvc6.dll

18/2/20 20 - 16: O

pe 1 4

C:\m

alwa C:\CRYPTSP.dll

(45)

9 n 0 xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\cryptsp.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\cryptsp.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\rsaenh.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 O pe n

1 4 8

C:\m alwa

re.e C:\Windows\SysWOW64\rsaenh.dll

(46)

9 0 xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\RpcRtRemote.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\RpcRtRemote.dll

18/2/20 20 - 16:

46:10.5 9

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\RpcRtRemote.dll RpcRtRemote.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\RpcRtRemote.dll

18/2/20 20 - 16:

46:10.5 9

U nk no w n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\RpcRtRemote.dll RpcRtRemote.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\WSHTCPIP.DLL

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\WSHTCPIP.DLL

18/2/20

O 1 C:\m

(47)

46:10.5 9

pe n

8 0

re.e xe

C:\dhcpcsvc.DLL

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dhcpcsvc.dll

18/2/20 20 - 16:

46:10.5 9

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\dhcpcsvc.dll

18/2/20 20 - 16:

46:10.1 06

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\rasadhlp.dll

18/2/20 20 - 16:

46:10.1 06

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\rasadhlp.dll

18/2/20 20 - 16:

46:10.1 06

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\rasadhlp.dll

18/2/20 20 - 16:

46:10.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\npmproxy.dll

18/2/20 20 - 16:

46:10.2 00

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\npmproxy.dll

18/2/20 20 - 16:

46:10.2 47

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\FWPUCLNT.DLL

18/2/20 20 - 16:

46:10.2 47

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\FWPUCLNT.DLL

18/2/20 20 - 16:

46:10.2 93

O pe n

1 4 8 0

C:\m alwa re.e xe

C:\Windows\SysWOW64\wininet.dll

18/2/20

20 - 16: O 1 4

C:\m alwa