Report #9570

(1)

Binary

DLL False

Size 171.00KB

trid 79.2% Generic CIL Executable

7.1% Win32 Dynamic Link Library 4.8% Win32 Executable

2.2% Win16/32 Executable Delphi generic 2.1% OS/2 Executable

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 fa4a849f3da1a6cb41697fb397e733c3

sha1 0eac15bc6a1412da2f9192403b729aa722abdfed

crc32 0x4acc8b90

sha224 76e95a52976a700388d00819702b04fa7f7f9ecf024455b9b434b6c0

sha256 3a52bfb4c3e55b7fd3dd4e55e05c6c9af966bb871026d09043a470492a1bf3 f4

sha384 e222f30b5379dc02719776a7fcbed6b27e6f9bad23b2b704d1a0370929c57c 280db2ee63598c1787bff91959c5105e81

sha512 8b9c5ebe50853fbece3f4c48ef978ba9237054ac35dcc6762ee65701edba1e 130bd68b5552c303258b75b317d3c79e05308913a732d8f3b519c91dc5774 9a682

ssdeep 1536:71+1OLKKKKKKKKKKKKaKKKKKKKKKKKKLKFKKKKKKKKKKKKLKKKKKA GKKKKKKKKR1:/7i7tbHigg5eOXNbxqGCbiJ9A

Report #9570

Creation Date: March 13, 2020, 12:32 p.m.

Last Update: March 13, 2020, 12:46 p.m.

File:

Comprovante-Deposito-02092014.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches NET_executable, contentis_base64, Microsoft_Visual_C_v70_Basic_NET, Micr osoft_Visual_Studio_NET_additional, url, IP, IsNET_EXE, NETexecutableMicros oft, Microsoft_Visual_C_Basic_NET, Microsoft_Visual_Studio_NET, HasDebug Data, NET_executable_, domain, IsPE32, Microsoft_Visual_C_v70_Basic_NET _additional, IsWindowsGUI

Suspicious True

Strings

List

http://talkofthetownnews.com/modules/mod_search/google/BOTFINAL.exe http://www.wtimports.com.br/translations/fr/xml/w3r/oldxyahsd.exe

C:\Users\eCoLoGyy\Documents\Visual Studio 2013\Projects\NewLoad\NewLoad\obj\Debug\Documento.pdb My.Computer

Documento.My System.IO System.Net

System.ComponentModel.Design

\Skype_Update.exe

4System.Web.Services.Protocols.SoapHttpClientProtocol Documento.exe

Documento.exe Documento.exe 13.2.4.0

12.0.0.0 13.2.4.0 13.2.4.0 13.2.4.0

\oldxyahsd.exe

Documento.My.Resources 8.0.0.0

4.0.0.0

System.Windows.Forms.Form

3System.Resources.Tools.StronglyTypedResourceBuilder System.Windows.Forms

mscoree.dll

get_ResourceManager

lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e 089#System.Resources.RuntimeResourceSet

ServerComputer

(3)

DebuggerHiddenAttribute FileSystemProxy

DebuggableAttribute DebuggingModes ResourceManager m_FormBeingCreated Hashtable

GetHashCode

$9b9a8051-c442-4683-9090-a9757be74be3

SpecialDirectoriesProxy

DebuggerNonUserCodeAttribute HideModuleNameAttribute _CorExeMain

Documento.Resources.resources get_Computer

get_Settings get_IsDisposed Documento.Resources get_Culture

set_Culture get_Forms get_Temp get_User

My.MyProject.Forms My.WebServices get_FileSystem My.Application get_Message get_Default get_Assembly

get_SpecialDirectories get_WebServices System.Resources get_GetInstance My.Settings get_Application System.Collections get_InnerException Dispose__Instance__

Dispose__Instance__

My.Forms

#Strings

Create__Instance__

RuntimeCompatibilityAttribute SetProjectError

ComVisibleAttribute

Comments Documento Documento Documento Documento Documento

</assembly>

(4)

MyComputer Environment My.User

`.sdata ProductName ProjectData ClearProjectError Computer SpecialFolder WebClient GuidAttribute

Foremost

Matches 0.exe, 171 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: True

Suspicious: http://www.wtimports.com.br/translations/fr/xml/w3r/oldxyahs d.exe, http://talkofthetownnews.com/modules/mod_search/google/botfinal.e xe

hasAllowed: False hasSuspicious: True

Files Allowed: mscoree.dll

hasFiles: True Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 164864 Suspicious: False Image

Address: 4194304 Suspicious: False

(5)

Stack Stack: 4096 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 0

Suspicous: True

Sections Allowed: .text, .sdata, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 4

Suspicious: False Image

Version: True Suspicious: 4 Linker

Version: 11.0 Suspicious: False Subsystem

Version: 4.0 Suspicious: False Suspicious: False

EntryPoint Address: 16926

Suspicious: False

Anomalies Anomalies: The header checksum and the calculated checksum do not ma tch.

hasAnomalies: True

Libraries Allowed: mscoree.dll

(6)

Suspicious

hasAllowed: True hasSuspicious: False

Timestamp Past: False

Valid: True

Value: 2014-09-05 13:55:40 Future: False

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, . NET executable, Microsoft Visual C# v7.0 / Basic .NET

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushret .rsrc: 2

pushpopmath .text: 2

cpuinstructionsresultscomparison .text: 1

AVclass

banload 1

VirusTotal

md5 fa4a849f3da1a6cb41697fb397e733c3

(7)

sha1 0eac15bc6a1412da2f9192403b729aa722abdfed SCANS (DETECTION RATE = 68.66%)

AVG result: Win32:Malware-gen

update: 20180325 version: 18.2.3827.0 detected: True

CMC update: 20180324

version: 1.1.0.977 detected: False

MAX result: malware (ai score=81)

Bkav update: 20180325

K7GW result: Trojan-Downloader ( 004a96091 )

update: 20180325 version: 10.42.26600 detected: True

ALYac result: Gen:Variant.Kazy.450850

Avast result: Win32:Malware-gen

Avira result: TR/Downloader.A.4873

Baidu result: Win32.Trojan.WisdomEyes.16070401.9500.9977 update: 20180323

version: 1.0.0.2 detected: True

(8)

Cyren result: W32/Trojan.PGIW-0864 update: 20180325

DrWeb result: Trojan.DownLoader11.31514

GData result: Gen:Variant.Kazy.450850

update: 20180325

version: A:25.16493B:25.11870 detected: True

Panda result: Trj/Chgt.F

VBA32 result: TrojanDownloader.MSIL.Agent

VIPRE result: Trojan.Win32.Generic!BT

update: 20180325 version: 65504 detected: True

Zoner update: 20180325

version: 1.0 detected: False

AVware result: Trojan.Win32.Generic!BT

ClamAV update: 20180324

Comodo result: .UnclassifiedMalware

update: 20180325 version: 28740 detected: True

(9)

F-Prot update: 20180325 version: 4.7.1.166 detected: False

Ikarus result: Trojan.MSIL.Crypt

McAfee result: Artemis!FA4A849F3DA1

Rising update: 20180325

Sophos result: Mal/Generic-S

Yandex result: Trojan.DL.Banload!pQpXHIOhq/s

Zillya update: 20180323

Arcabit result: Trojan.Kazy.D6E122

Cylance result: Unsafe

Endgame result: malicious (moderate confidence) update: 20180316

version: 2.0.5 detected: True

(10)

Tencent result: Msil.Trojan-downloader.Agent.Ednm update: 20180325

ViRobot update: 20180324

eGambit update: 20180325

version: v4.3.5 detected: False

Ad-Aware result: Gen:Variant.Kazy.450850

AegisLab result: Troj.Downloader.MSIL.Agent.gcu!c update: 20180325

version: 4.2 detected: True

Emsisoft result: Gen:Variant.Kazy.450850 (B) update: 20180325

F-Secure result: Gen:Variant.Kazy.450850

Fortinet result: W32/Agent.AJ!tr.dldr

Invincea update: 20180121

Jiangmin result: TrojanDownloader.MSIL.aeo update: 20180325

(11)

Kingsoft update: 20180325 version: 2013.8.14.323 detected: False

Paloalto result: generic.ml

update: 20180325 version: 1.0 detected: True

Symantec result: Downloader

nProtect update: 20180325

version: 2018-03-25.01 detected: False

AhnLab-V3 update: 20180324

Antiy-AVL result: Trojan[Downloader]/MSIL.Agent update: 20180325

Kaspersky result: Trojan-Downloader.MSIL.Agent.gcu update: 20180325

Microsoft update: 20180325

Qihoo-360 update: 20180325

TheHacker update: 20180319

version: 6.8.0.5.2551 detected: False

ZoneAlarm result: Trojan-Downloader.MSIL.Agent.gcu

(12)

Cybereason result: malicious.f3da1a

ESET-NOD32 result: a variant of MSIL/TrojanDownloader.Banload.AJ update: 20180325

version: 17111 detected: True

TrendMicro result: TROJ_BANLOAD.AFK

WhiteArmor update: 20180324

detected: False

BitDefender result: Gen:Variant.Kazy.450850 update: 20180325

CrowdStrike result: malicious_confidence_90% (W) update: 20170201

K7AntiVirus result: Trojan-Downloader ( 004a96091 ) update: 20180325

SentinelOne update: 20180225

Avast-Mobile update: 20180324

version: 180324-00 detected: False

Malwarebytes result: Trojan.Banker update: 20180325 version: 2.1.1.1115

(13)

detected: True

TotalDefense update: 20180324

CAT-QuickHeal result: Trojan.Sisproc update: 20180324 version: 14.00 detected: True

NANO-Antivirus result: Trojan.Win32.Agent.dexbba update: 20180325

MicroWorld-eScan result: Gen:Variant.Kazy.450850 update: 20180325

SUPERAntiSpyware update: 20180324 version: 5.6.0.1032 detected: False

McAfee-GW-Edition result: Artemis!Trojan update: 20180324 version: v2015 detected: True

TrendMicro-HouseCall result: TROJ_BANLOAD.AFK update: 20180325

total 67

sha256 3a52bfb4c3e55b7fd3dd4e55e05c6c9af966bb871026d09043a470492a1bf3 f4

scan_id 3a52bfb4c3e55b7fd3dd4e55e05c6c9af966bb871026d09043a470492a1bf3 f4-1521949989

resource fa4a849f3da1a6cb41697fb397e733c3

permalink https://www.virustotal.com/file/3a52bfb4c3e55b7fd3dd4e55e05c6c9af966b b871026d09043a470492a1bf3f4/analysis/1521949989/

(14)

positives 46

scan_date 2018-03-25 03:53:09

verbose_msg Scan finished, information embedded

response_code 1

File

Trace

13/3/202 0 - 11:45 :45.950

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\machine.config

13/3/202 0 - 11:45 :46.606

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.606

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.606

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.606

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.606

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.606

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.606

Op en

1 4 8 0

C:\malware.exe C:\malware.exe.config

13/3/202 Op

1

4 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fusion

(15)

0 - 11:45 :46.606

en 8 0

C:\malware.exe .localgac

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\security.config

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\security.config.cch

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\enterprisesec.config

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\enterprisesec.config.cch

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls

13/3/202 0 - 11:45 :46.622

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls SortDefaul t.nls

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.622

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming

13/3/202 1

4 C:\malware.exe

(16)

:46.622 en 8 0

13/3/202 0 - 11:45 :46.622

Un kn ow n

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming\Microsoft\CLR Securit y Config\v2.0.50727.312\64bit\security.config

13/3/202 0 - 11:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming\Microsoft\CLR Securit y Config\v2.0.50727.312\64bit\security.config.cch

13/3/202 0 - 11:45 :46.840

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\index 187.dat

13/3/202 0 - 11:45 :46.840

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscor lib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll

13/3/202 0 - 11:45 :46.840

Un kn ow n

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 Re

ad 1 4

8 C:\malware.exe

C:\Windows\assembly\NativeImages_v2.0.50727_64\mscor lib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll

mscorlib.ni .dll

(17)

:46.840 0

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 Re

1 4

8 C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscor mscorlib.ni

(18)

:46.840 0

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.840

Re ad

1 4

8 C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscor lib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll

mscorlib.ni .dll

(19)

0

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c56 1934e089

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4

mscorlib.ni .dll

(20)

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.856

Re ad

1 4 8 0

mscorlib.ni .dll

(21)

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\malware.exe

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

C:\malware.exe C:\

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Monitor

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

C:\malware.exe C:\Monitor

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Monitor\Malware

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ole32.

dll

(22)

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\rpcss.dll

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\CRYPTBASE.dll

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll cryptbase.

dll

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll

13/3/202 0 - 11:45 :46.856

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll cryptbase.

dll

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\uxtheme.dll

13/3/202 0 - 11:45 :46.856

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\uxtheme.dll

1

(23)

13/3/202 0 - 11:45 :46.918

Re ad

4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 1

(24)

0 - 11:45 :46.918

ad 8 0

C:\malware.exe lib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 Re

1

(25)

:46.918 ad 8 0

lib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.918

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temp orary Internet Files

13/3/202 0 - 11:45 :46.934

Un kn ow n

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temp orary Internet Files

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

C:\malware.exe C:\malware.config

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.934

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.934

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 Re

1

(26)

:46.934 0

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Re ad

1 4

mscorlib.ni .dll

(27)

0

13/3/202 0 - 11:45 :46.934

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\l_intl.nls

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.934

Un kn ow n

1 4 8 0

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscor jit.dll

13/3/202 0 - 11:45 :46.934

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.950

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.950

Op en

1 4 8 0

C:\malware.exe C:\malware.exe.Local

13/3/202 0 - 11:45 :46.950

Op en

1 4 8 0

C:\malware.exe C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1 e18e3b_8.0.50727.4940_none_88df89932faf0bf6

13/3/202 0 - 11:45 :46.950

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1 e18e3b_8.0.50727.4940_none_88df89932faf0bf6

13/3/202 0 - 11:45 :46.950

Op en

1 4

8 C:\malware.exe C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1 e18e3b_8.0.50727.4940_none_88df89932faf0bf6

(28)

13/3/202 0 - 11:45 :46.950

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.950

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :46.965

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\pubpol4.dat

13/3/202 0 - 11:45 :46.965

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC\PublisherPolicy.tme

13/3/202 0 - 11:45 :46.965

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.965

Un kn ow n

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.965

Op en

1 4 8 0

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

machine.c onfig

(29)

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.965

Re ad

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.965

Un kn ow n

1 4 8 0

machine.c onfig

13/3/202 0 - 11:45 :46.965

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste m\9b0f837c5a73d17be9743868915d6115\System.ni.dll

13/3/202 0 - 11:45 :47.106

Un kn ow n

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.106

Op en

1 4 8 0

13/3/202 0 - 11:45 :47.106

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.153

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.200

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.247

Re ad

1 4 8 0

System.ni.

dll

(30)

13/3/202 0 - 11:45 :47.293

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.340

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.387

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.434

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.481

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.528

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.575

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.622

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.668

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.715

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.762

Re ad

1 4 8 0

System.ni.

dll

1

(31)

13/3/202 0 - 11:45 :47.809

Re ad

4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.856

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.903

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :47.950

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c5 61934e089

13/3/202 0 - 11:45 :48.137

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c5 61934e089

13/3/202 0 - 11:45 :48.137

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.184

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.231

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.278

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.325

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.372

Re ad

1 4 8 0

System.ni.

dll

1

(32)

0 - 11:45 :48.418

Re ad

4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.465

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.512

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.559

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.606

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.653

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.700

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.747

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.793

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.840

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.887

Re ad

1 4 8 0

System.ni.

dll

13/3/202 1

(33)

0 - 11:45 :48.934

Re ad

4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :48.981

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :49.106

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :49.153

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :49.872

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :49.918

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :49.965

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.12

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.59

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.106

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.153

Re ad

1 4 8 0

mscorlib.ni .dll

1

(34)

0 - 11:45 :50.200

Re ad

4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.247

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.293

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.340

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.481

Op en

1 4 8 0

C:\malware.exe C:\Windows\Globalization\pt-br.nlp

13/3/202 0 - 11:45 :50.481

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.528

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.575

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :50.622

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.668

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.715

Re ad

1 4 8 0

System.ni.

dll

13/3/202 Re

1

4 C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste System.ni.

(35)

0 - 11:45 :50.762

ad 8 0

C:\malware.exe m\9b0f837c5a73d17be9743868915d6115\System.ni.dll dll

13/3/202 0 - 11:45 :50.809

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.856

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.903

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.950

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :50.997

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.43

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.90

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.184

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.231

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.278

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 Re

1

4 C:\Windows\assembly\NativeImages_v2.0.50727_64\mscor mscorlib.ni

(36)

:51.325 ad 8 0

lib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll .dll

13/3/202 0 - 11:45 :51.372

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.418

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.465

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.512

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.559

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.606

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.700

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.793

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :51.840

Op en

1 4 8 0

C:\malware.exe C:\shfolder.dll

13/3/202 0 - 11:45 :51.840

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\shfolder.dll

13/3/202 0 - 11:45 Op

en 1 4

8 C:\malware.exe C:\Windows\System32\shfolder.dll

(37)

:51.887 0

13/3/202 0 - 11:45 :52.168

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\St art Menu\Programs\Startup

13/3/202 0 - 11:45 :52.168

Un kn ow n

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\St art Menu\Programs\Startup

13/3/202 0 - 11:45 :52.168

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_64\Microsoft.VisualBasic\8.0.0.

0__b03f5f7f11d50a3a

13/3/202 0 - 11:45 :52.168

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.

0.0__b03f5f7f11d50a3a

13/3/202 0 - 11:45 :52.309

Un kn ow n

1 4 8 0

0.0__b03f5f7f11d50a3a

13/3/202 0 - 11:45 :52.309

Op en

1 4 8 0

0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll

13/3/202 0 - 11:45 :52.356

Un kn ow n

1 4 8 0

Microsoft.V isualBasic.

dll

13/3/202 0 - 11:45 :52.356

Op en

1 4 8 0

13/3/202 0 - 11:45 :52.356

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.403

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 Re

1

4 C:\malware.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0. Microsoft.V isualBasic.

(38)

:52.450 0 dll

13/3/202 0 - 11:45 :52.497

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.543

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.590

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.637

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.684

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.731

Op en

1 4 8 0

0.0__b03f5f7f11d50a3a

13/3/202 0 - 11:45 :52.731

Un kn ow n

1 4 8 0

0.0__b03f5f7f11d50a3a

13/3/202 0 - 11:45 :52.731

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.778

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.825

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.872

Re ad

1 4

8 C:\malware.exe C:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.

dll

(39)

0

13/3/202 0 - 11:45 :52.918

Op en

1 4 8 0

13/3/202 0 - 11:45 :52.918

Op en

1 4 8 0

13/3/202 0 - 11:45 :52.918

Un kn ow n

1 4 8 0

dll

13/3/202 0 - 11:45 :52.918

Op en

1 4 8 0

13/3/202 0 - 11:45 :52.918

Un kn ow n

1 4 8 0

dll

13/3/202 0 - 11:45 :52.918

Un kn ow n

1 4 8 0

dll

13/3/202 0 - 11:45 :52.918

Re ad

1 4 8 0

dll

13/3/202 0 - 11:45 :52.965

Re ad

1 4 8 0

mscorlib.ni .dll

13/3/202 0 - 11:45 :53.12

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :53.59

Re ad

1 4 8 0

System.ni.

dll

13/3/202 0 - 11:45 :53.106

Re ad

1 4

mscorlib.ni .dll