Report #582

(1)

Binary

DLL False

Size 1.47MB

trid 41.0% Win32 Executable MS Visual C++

36.3% Win64 Executable

8.6% Win32 Dynamic Link Library 5.9% Win32 Executable

2.6% OS/2 Executable

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 5a61d8336fb3fb4bc4cdccf0d94d40d1

sha1 4c0eeeff524db00e21d648d226b25001836424be

crc32 0x4f676bfd

sha224 0f10af5594962f98fd844058e1e78538bc6d7bedca77e04234776dfc

sha256 6b0cb431dd74949214d8a398d18966e294633ccd5328eafb336a97ffd2107 a0e

sha384 271102c409bb4f536c175aeeb058c03c9ecbb2bf8ad5e2bc61d14471a29a6 9b4be6112f2ebc383b58c710beeee9ea15d

sha512 50c51f1c534ea4167f2dfa3b145e4724bbd735a80017f171aaf4af1eaa2aa4c f8bc796274b4aec12142e7deb28b21f3ca5fe5846b04a975cf62811f146f9ad b6

ssdeep 24576:8yAOYcKoR6185jZ2qVsOZeUr5Nqrv2IgmYQ20+b0B1uWiinMMMMMM

Gf98e:/AVcSlqOOUTd2b4BXMMMMMMGF3

Report #582

Creation Date: Oct. 14, 2019, 8:01 p.m.

Last Update: Oct. 14, 2019, 8:09 p.m.

File:

045 Results:

(2)

Community

Google True

HashLib False

YARA

Matches domain, IP, Dropper_Strings, CRC32b_poly_Constant, HasDebugData, CRC3 2_poly_Constant, escalate_priv, HasRichSignature, VC8_Random, RIPEMD16 0_Constants, Antivirus, win_files_operation, IsPE32, contentis_base64, scree nshot, win_token, win_mutex, keylogger, IsWindowsGUI, anti_dbg, HasDigit alSignature, url, SHA1_Constants, win_registry, HasOverlay, Browsers, Misc _Suspicious_Strings, System_Tools, Big_Numbers3

Suspicious True

Strings

List

;http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q 2http://crt.comodoca.com/COMODORSACodeSigningCA.crt0$

2http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t /http://crt.comodoca.com/COMODORSAAddTrustCA.crt0$

https://secure.comodo.net/CPS0C

http://www.win-rar.comHhttp://www.win-rar.com/buyredirect.html?L=0&BL=0&src=drp&arch=32&ver=530 3http://crl.usertrust.com/AddTrustExternalCARoot.crl05

##0a>9<<24]8hwrq>(-rwt(vmi/waq(bkj-kowogmbp*?ogocrcbe>$M&tmpr`c<`ur&lbhemieuadc<bnpvt&pdvtkjn>3 24&cwckouadvprf;$E<[0hwrq>(-rwt(vmi/waq(bkj-kowogmbp*?ogocrcbe>$M&tmpr`c<`ur&lbhemieuadc<bnpvtfxq muga&ucswnmk=$P&euamiwcbprp`=$G7:]GSE9<Y1hwrq>(-rwt(vmi/waq(bkj-kowogmbp*?ogocrcbe>$M&tmpr`c<

`ur&lbhemieuadc<axrlrfb&rbpvilh<$Q&dr`nhpbaquqc<$F]8 http://www.rarlab.com/themes.htm

<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">

avp.com

\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Drweb32w.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\AvastUI.exe t.ht

d:\Projects\WinRAR\build\winrar32\Release\WinRAR.pdb http://ocsp.comodoca.com0

http://ocsp.comodoca.com0 WinRAR.ZIP

\Software\KasperskyLab\AVP%d\environment nod32.exe

\Software\Classes\%s\shell\print\command

\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Navw32.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\vet32.exe

\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\kav.exe

\Software\Microsoft\Windows\CurrentVersion\App Paths\WinRAR.exe a.%s.sep

f.%s.sep

\Software\Classes\WinRAR.ZIP\DefaultIcon

(3)

%ls%0*d_%0*d_%0*d.rev

+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

.http://crl.thawte.com/ThawteTimestampingCA.crl0

Software\Microsoft\Windows\CurrentVersion\App Paths\winrar.exe +http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

%ls%0*d.rev Rar$Scan%d.bat

\SOFTWARE\KasperskyLab\SetupFolders

%s.tmp

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ClamAV

\SOFTWARE\Data Fellows\F-Secure\Anti-Virus WinRAR.ZIP\shellex\PropertySheetHandlers\%s WinRAR.ZIP\shellex\ContextMenuHandlers\%s

%s::/html/%s.htm .bz2.tbz2.bz.tbz

\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice

\Software\Classes\%s u.Ph

Create WinRAR.ini fileu%s file has been created successfully. You can copy it to desired location. Press "Help" butto n for more information.

ExtractTo.bmp

\SOFTWARE\KasperskyLab\Components\101 PasswordOff.ico

PasswordOn.ico Setup.ico cabinet.dll Crypt32.dll Extract.bmp

\Software\IDAVLAB\Drweb32w iexplore.exe

firefox.exe

/e "%s" HKEY_CURRENT_USER\Software\WinRAR avcmd.exe

install.exe setup.exe chrome.exe

SOFTWARE\Classes\%s

\SOFTWARE\Sophos\SweepNT Software\WinRAR%s%s MpCmdRun.exe

tGHt.Ht&

WinRAR.ZIP\shell\open\command WinRAR.ZIP\shellex\DropHandler

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{EAAAB119-D0BF-4FF4-B6F0-B6FB0393921A}

http://ocsp.usertrust.com0 HTTP %d: %s

Settings.reg winrar.lng WinRAR.chm WinRAR.lnk winrar.chm

\Software\Microsoft\Windows\CurrentVersion\Explorer

\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer rarfiles.lst

Silent=%d win.rar GmbH0 win.rar GmbH1 hhctrl.ocx

\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

(4)

WhatsNew.txt DragMove.cur rarinfo.log YDragNo.cur

\Software\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver version.dat

.theme.rar COMCTL32.dll default.sfx

\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Client rarreg.txt

rarreg.key Rar.txt rar.log

%s\shell\open\command

Foremost

Matches 0.exe, 1 MB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed: http://schemas.microsoft.com/smi/2005/windowssettings hasURLs: True

Suspicious: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, http://ts-ocsp.ws .symantec.com07, http://ocsp.comodoca.com0, http://crl.thawte.com/thawt etimestampingca.crl0, file://, http://crl.comodoca.com/comodorsacertificatio nauthority.crl0q, http://crl.comodoca.com/comodorsacodesigningca.crl0t, ht tp://ocsp.thawte.com0, http://crt.comodoca.com/comodorsaaddtrustca.crt0

$, http://crl.usertrust.com/addtrustexternalcaroot.crl05, http://www.rarlab.c om/themes.htm, https://secure.comodo.net/cps0c, http://ocsp.usertrust.co m0, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<, http://crt.comodoca.co m/comodorsacodesigningca.crt0$, http://www.win-rar.comhhttp://www.win-r ar.com/buyredirect.html?l=0&bl=0&src=drp&arch=32&ver=530

hasAllowed: True hasSuspicious: True

Files Allowed: rarext64.dll, rarext.dll, riched20.dll, KERNEL32.DLL, cabinet.dll, U nAceV2.Dll, Wkernel32.dll, mscoree.dll, \SOFTWARE\Microsoft\Windows\Curr entVersion\App Paths\AVGSE.DLL, riched32.dll, comctl32.dll, shell32.dll, MA PI32.DLL, Crypt32.dll, rarlng.dll, 7zxa.dll, SHLWAPI.dll, OLEAUT32.dll, UxThe me.dll, ole32.dll, USER32.dll, ADVAPI32.dll, GDI32.dll, COMDLG32.dll hasFiles: True

Suspicious: %s.tmp, rar.log, rarinfo.log, *.txt, \winrar_theme_description.tx

(5)

t, Rar.txt, winrar_theme_description.txt, rarreg.txt, WhatsNew.txt, hhctrl.oc x, Setup\.cab, Setup\.jar, WinRAR.ZIP, Setup\.zip, Setup\.iso, *.exe *.com *.p if *.scr *.bat *.cmd *.lnk, WinRAR.lnk, zipnew.dat, rarnew.dat, version.dat, S ettings.reg, *.reg

hasAllowed: True hasSuspicious: True

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 1081344 Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 4096 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 0

Suspicous: True

Sections Allowed: .text, .rdata, .data, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 5

Suspicious: False Image

Version: True Suspicious: 5 Linker

Version: 9.0

(6)

Suspicious: False Subsystem

Version: 5.1 Suspicious: False Suspicious: False

EntryPoint Address: 966571

Suspicious: False

Anomalies Anomalies: The header checksum and the calculated checksum do not ma tch.

hasAnomalies: True

Libraries Allowed: riched20.dll, kernel32.dll, cabinet.dll, mscoree.dll, riched32.dll, co mctl32.dll, shell32.dll, mapi32.dll, crypt32.dll, shlwapi.dll, oleaut32.dll, uxth eme.dll, ole32.dll, user32.dll, advapi32.dll, gdi32.dll, comdlg32.dll

hasLibs: True

Suspicious: rarext64.dll, rarext.dll, unacev2.dll, wkernel32.dll, \software\m icrosoft\windows\currentversion\app paths\avgse.dll, rarlng.dll, 7zxa.dll hasAllowed: True

hasSuspicious: True

Timestamp Past: False

Valid: True

Value: 2015-11-18 07:14:52 Future: False

Compilation Packed: False

Missing: True Packers

Compiled: False Compilers

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

(7)

pushret .data: 1 .rsrc: 6 .text: 1 .rdata: 2 .reloc: 47

nopsequence .rsrc: 2

pushpopmath .data: 1

.rsrc: 12 .text: 6 .rdata: 9 .reloc: 56

garbagebytes .data: 1

.rsrc: 3 .text: 1 .reloc: 17

hookdetection .text: 1

.reloc: 6

stealthimport .text: 4

software breakpoint .rsrc: 3 .text: 10 .reloc: 11

programcontrolflowchange .data: 1 .rsrc: 3 .text: 1 .reloc: 17

cpuinstructionsresultscomparison .data: 1 .rsrc: 30 .rdata: 52 .reloc: 6

AVclass

sality 1

VirusTotal

(8)

md5 5a61d8336fb3fb4bc4cdccf0d94d40d1

sha1 4c0eeeff524db00e21d648d226b25001836424be

SCANS (DETECTION RATE = 88.24%)

AVG result: Win32:SaliCode

update: 20191010 version: 18.4.3895.0 detected: True

CMC update: 20190321

version: 1.1.0.977 detected: False

MAX result: malware (ai score=100)

APEX result: Malicious

update: 20191010 version: 5.72 detected: True

Bkav result: W32.Sality.PE

K7GW result: Virus ( f10001071 )

update: 20191010 version: 11.72.32236 detected: True

Avast result: Win32:SaliCode

Avira result: W32/Sality.AT

Baidu result: Win32.Virus.Sality.gen

update: 20190318 version: 1.0.0.2

(9)

detected: True

Cyren result: W32/Sality.gen2

DrWeb result: Win32.Sector.30

GData result: Win32.Sality.3

update: 20191011

version: A:25.23660B:26.16246 detected: True

Panda result: W32/Sality.AA

VBA32 result: Virus.Win32.Sality.bakb

VIPRE result: Virus.Win32.Sality.atbh (v)

update: 20191010 version: 78476 detected: True

Zoner result: Trojan.Win32.Sality.22009

ClamAV update: 20191010

Comodo result: Malware@#2n0czoxheilye

F-Prot result: W32/Sality.gen2

(10)

Ikarus result: Virus.Win32.Sality

McAfee result: W32/Sality.gen.z

Rising result: Virus.Sality!1.A5BD (CLASSIC)

Sophos result: Mal/Sality-D

Yandex result: Win32.Sality.FA.Gen

Zillya result: Virus.Sality.Win32.25

Acronis result: suspicious

Alibaba result: Virus:Win32/Sality.56e8726c update: 20190527

version: 0.3.0.5 detected: True

Arcabit result: Win32.Sality.3

(11)

Cylance result: Unsafe update: 20191011 version: 2.3.1.101 detected: True

Endgame result: malicious (high confidence) update: 20190918

version: 3.0.15 detected: True

FireEye result: Generic.mg.5a61d8336fb3fb4b

TACHYON result: Virus/W32.Sality.D

update: 20191010 version: 2019-10-10.02 detected: True

Tencent result: Virus.Win32.TuTu.Gen.200004

ViRobot result: Win32.Sality.Gen.A

Webroot update: 20191011

eGambit update: 20191011

version: v5.0.5 detected: False

Ad-Aware result: Win32.Sality.3

AegisLab result: Virus.Win32.Sality.v!c update: 20191010

version: 4.2

(12)

detected: True

Emsisoft result: Win32.Sality.3 (B)

F-Secure result: Malware.W32/Sality.AT

Fortinet result: W95/SK.8699

Invincea result: heuristic

Jiangmin result: Win32/HLLP.Kuku.poly2

Kingsoft update: 20191011

Paloalto result: generic.ml

Symantec result: W32.Sality.AE

AhnLab-V3 result: Win32/Kashu.E

Antiy-AVL result: Virus/Win32.Sality.gen

(13)

Kaspersky result: Virus.Win32.Sality.gen update: 20191010

Microsoft result: Virus:Win32/Sality.AT update: 20191010

Qihoo-360 result: Virus.Win32.Sality.I update: 20191011

ZoneAlarm result: Virus.Win32.Sality.gen update: 20191011

version: 1.0 detected: True

Cybereason result: malicious.36fb3f

ESET-NOD32 result: Win32/Sality.NBA

TrendMicro result: PE_SALITY.ER

BitDefender result: Win32.Sality.3

CrowdStrike result: win/malicious_confidence_100% (W) update: 20190702

version: 1.0 detected: True

(14)

K7AntiVirus result: Virus ( f10001071 ) update: 20191010

version: 11.72.32242 detected: True

SentinelOne result: DFI - Malicious PE update: 20190807 version: 1.0.31.22 detected: True

Avast-Mobile update: 20191010

version: 191010-00 detected: False

Malwarebytes update: 20191010

TotalDefense result: Win32/Sality.AA update: 20191009 version: 37.1.62.1 detected: True

CAT-QuickHeal result: W32.Sality.U update: 20191009 version: 14.00 detected: True

NANO-Antivirus result: Virus.Win32.Sality.bzkem update: 20191010

MicroWorld-eScan result: Win32.Sality.3 update: 20191011 version: 14.0.297.0 detected: True

SUPERAntiSpyware update: 20191004

McAfee-GW-Edition result: BehavesLike.Win32.SoftPulse.th update: 20191010

version: v2017.3010 detected: True

(15)

TrendMicro-HouseCall result: PE_SALITY.ER update: 20191011 version: 10.0.0.1040 detected: True

total 68

sha256 6b0cb431dd74949214d8a398d18966e294633ccd5328eafb336a97ffd2107 a0e

scan_id 6b0cb431dd74949214d8a398d18966e294633ccd5328eafb336a97ffd2107 a0e-1570751851

resource 5a61d8336fb3fb4bc4cdccf0d94d40d1

permalink https://www.virustotal.com/file/6b0cb431dd74949214d8a398d18966e2946 33ccd5328eafb336a97ffd2107a0e/analysis/1570751851/

positives 60

scan_date 2019-10-10 23:57:31

verbose_msg Scan finished, information embedded

response_code 1

File

Trace

3/5/20 18 - 18 :45:42.

559 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\RICHED20.dll

3/5/20 18 - 18 :45:42.

559 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\riched20.dll

3/5/20 18 - 18 :45:42.

606 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\riched20.dll

3/5/20 18 - 18

O p

1 4

C:\

mal

(16)

:45:42.

653 e n

8 0

war e.ex e

C:\sfc.DLL

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\sfc.dll

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\sfc.dll

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\sfc_os.DLL

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\sfc_os.dll

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\sfc_os.dll

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\AppData\Local\Temp\ujpus.exe

3/5/20 18 - 18 :45:42.

653 W rit e

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

653 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18

O p

1 4

C:\

mal

war C:\Windows\SysWOW64\mswsock.dll

(17)

:45:42.

653 e n

8 0

e.ex e

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\mswsock.dll

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\WSHTCPIP.DLL

3/5/20 18 - 18 :45:42.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\WSHTCPIP.DLL

3/5/20 18 - 18 :45:42.

668 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\winsxs\FileMaps\users_behemot_appdata_local_temp _2e8d4dddeb709d8e.cdf-ms

3/5/20 18 - 18 :45:42.

668 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\DEVRTL.dll

3/5/20 18 - 18 :45:42.

668 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\devrtl.dll

3/5/20 18 - 18 :45:42.

668 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\devrtl.dll

3/5/20 18 - 18 :45:42.

684 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

684 U n k n o

1 4 8 0

C:\

mal war

e.ex C:\Users\Behemot\AppData\Local\Temp\ujpus.exe

(18)

w n

e

3/5/20 18 - 18 :45:42.

684 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

684 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 R e a d

1 4 8 0

C:\

mal war e.ex e

(19)

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 W rit e

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

U n k n o

1 4 8

C:\

mal war

e.ex C:\Users\Behemot\AppData\Local\Temp\ujpus.exe

(20)

700 w n

0 e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Monitor\Files\DeletedFiles

3/5/20 18 - 18 :45:42.

700 D el et e

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

700 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

934 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\NTUSER.DAT

3/5/20 18 - 18 :45:42.

O p e

1 4 8

C:\

mal

war C:\Users\Behemot\AppData\Roaming\WinRAR

(21)

934 n 0 e.ex e

3/5/20 18 - 18 :45:42.

934 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\AppData\Roaming\WinRAR

3/5/20 18 - 18 :45:42.

934 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\AppData\Roaming\WinRAR\version.dat

3/5/20 18 - 18 :45:42.

934 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

934 W rit e

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

934 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\dwmapi.dll

3/5/20 18 - 18 :45:42.

934 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\dwmapi.dll

3/5/20 18 - 18 :45:42.

934 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\dwmapi.dll

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\Fonts\StaticCache.dat

3/5/20 18 - 18 :45:42.

R e a

1 4 8

C:\

mal war

e.ex C:\Windows\Fonts\StaticCache.dat StaticCache.dat

(22)

950 d 0 e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Monitor\Malware

3/5/20 18 - 18 :45:42.

950 U n k n o w

1 4 8 0

C:\

mal war e.ex e

C:\Monitor\Malware

(23)

n

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Monitor\Malware

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Monitor\Malware

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\AppData\Roaming\WinRAR\Settings.reg

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\AppData\Roaming\WinRAR\Settings.reg

C:\

(24)

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

mal war e.ex e

C:\Settings.reg

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Settings.reg

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Settings.reg

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Settings.reg

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\ole32.dll

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\ole32.dll

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\AppData\Roaming\WinRAR\Themes

C:\

(25)

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

mal war e.ex e

C:\Users\Behemot\AppData\Roaming\WinRAR\Themes

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Themes

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Themes

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Themes

3/5/20 18 - 18 :45:42.

950 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Themes

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\malware.exe.Local

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\winsxs\x86_microsoft.windows.common-controls_65 95b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d

3/5/20 18 - 18 :45:42.

965 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 O 1 C:\

(26)

18 - 18 :45:42.

965 p e n

4 8 0

mal war e.ex e

C:\Windows\SysWOW64\UxTheme.dll.Config

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\uxtheme.dll

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\malware.exe.Local

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\shell32.dll

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

(27)

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.d ll

3/5/20 18 - 18 :45:42.

965 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.d ll

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Behemot\Desktop

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\WindowsCodecs.dll

(28)

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\WindowsCodecs.dll

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\WindowsCodecs.dll WindowsCodecs.dll

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\WindowsCodecs.dll

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\WindowsCodecs.dll WindowsCodecs.dll

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\apphelp.dll

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\apphelp.dll

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\apphelp.dll

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\EhStorShell.dll

3/5/20 18 - 18 :45:42.

U n k n o

1 4 8

C:\

mal war e.ex

C:\Windows\SysWOW64\EhStorShell.dll EhStorShell.dll

(29)

981 w n

0 e

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\AppPatch\sysmain.sdb

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows

(30)

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:42.

981 R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 R 1 C:\

mal

(31)

18 - 18 :45:42.

997 e a d

4 8 0

war e.ex e

3/5/20 18 - 18 :45:42.

997 R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

12

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui

3/5/20 18 - 18 :45:43.

12

R e a d

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui EhStorShell.dll.mui

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui

(32)

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\pt-BR\EhStorShell.dll.mui EhStorShell.dll.mui

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

(33)

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\ntshrui.dll

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\AppPatch\sysmain.sdb

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18

U n k 1

4 C:\

mal

(34)

:45:43.

43

n o w n

8 0

war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows

3/5/20 18 - 18 :45:43.

43

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:43.

43

U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:43.

O p e

1 4 8

C:\

mal

war C:\Windows\SysWOW64

(35)

43 n 0 e.ex e

3/5/20 18 - 18 :45:43.

106 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64

3/5/20 18 - 18 :45:43.

106 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

106 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 R e a d

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18

R e

1 4

C:\

mal

war C:\Windows\SysWOW64\ntshrui.dll

(36)

:45:43.

293 a d

8 0

e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

293 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

387 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\srvcli.dll

3/5/20 18 - 18 :45:43.

387 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\srvcli.dll

3/5/20 18 - 18 :45:43.

387 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\srvcli.dll

3/5/20 18 - 18 :45:43.

387 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\cscapi.dll

3/5/20 18 - 18 :45:43.

387 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\cscapi.dll

3/5/20 18 - 18 :45:43.

387 O p e n

1 4 8 0

C:\

mal war e.ex

C:\Windows\SysWOW64\cscapi.dll

(37)

e

3/5/20 18 - 18 :45:43.

543 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\slc.dll

3/5/20 18 - 18 :45:43.

543 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\slc.dll

3/5/20 18 - 18 :45:43.

543 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\slc.dll

3/5/20 18 - 18 :45:43.

684 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\imageres.dll

3/5/20 18 - 18 :45:43.

684 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

684 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

684 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

856 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\pt-BR\imageres.dll.mui

3/5/20 18 - 18 :45:43.

856 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\System32\pt-BR\imageres.dll.mui

(38)

3/5/20 18 - 18 :45:43.

856 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\windows\SysWOW64\pt\imageres.dll.mui

3/5/20 18 - 18 :45:43.

856 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\en-US\imageres.dll.mui

3/5/20 18 - 18 :45:43.

856 R e a d

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\en-US\imageres.dll.mui imageres.dll.mui

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18

O p

1 4

C:\

mal

(39)

:45:43.

887 e n

8 0

war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 O 1 C:\

mal

(40)

18 - 18 :45:43.

887 p e n

4 8 0

war e.ex e

3/5/20 18 - 18 :45:43.

887 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 O 1 C:\

(41)

18 - 18 :45:43.

981 p e n

4 8 0

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 O 1 C:\

(42)

18 - 18 :45:43.

981 p e n

4 8 0

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 O 1 C:\

(43)

18 - 18 :45:43.

981 p e n

4 8 0

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\

(44)

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

(45)

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

(46)

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

(47)

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

981 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

(48)

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

(49)

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:43.

997 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\

(50)

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

mal war e.ex e

C:\Windows\SysWOW64\pt\imageres.dll.mui

3/5/20 18 - 18 :45:44.

90

O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

278 U n k n o w n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

278 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

278 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Public\Desktop\desktop.ini

3/5/20 18 - 18 :45:44.

278 R e a d

1 4 8 0

C:\

mal war e.ex e

C:\Users\Public\Desktop\desktop.ini

3/5/20 18 - 18 :45:44.

278 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Users\Public\Desktop

3/5/20 18 - 18 :45:44.

278 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 18 - 18 :45:44.

278 O p e n

1 4 8 0

C:\

mal war e.ex e

3/5/20 O 1 C:\

(51)

18 - 18 :45:44.

418 p e n

4 8 0

mal war e.ex e

C:\Windows\SysWOW64\drprov.dll

3/5/20 18 - 18 :45:44.

465 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\drprov.dll

3/5/20 18 - 18 :45:44.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\winsta.dll

3/5/20 18 - 18 :45:44.

653 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\winsta.dll

3/5/20 18 - 18 :45:44.

700 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\ntlanman.dll

3/5/20 18 - 18 :45:44.

747 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\ntlanman.dll

3/5/20 18 - 18 :45:45.

59

O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\davclnt.dll

3/5/20 18 - 18 :45:45.

106 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\davclnt.dll

3/5/20 18 - 18 :45:45.

387 O p e n

1 4 8 0

C:\

mal war e.ex e

C:\Windows\SysWOW64\davhlpr.dll

3/5/20 18 - 18 :45:45.

O p e

1 4 8

C:\

mal war e.ex

C:\Windows\SysWOW64\davhlpr.dll