Report #7211

Academic year: 2023

Binary

DLL: False
Size: 1.56MB
trid: 53.9% InstallShield setup; 17.7% Win32 Executable Delphi generic; 12.5% DOS Borland compiled Executable; 5.6% Win32 Executable; 2.5% Win16/32 Executable Delphi generic
type: PE
wordsize: 32
Subsystem: Windows GUI

Hashes

md5: 1fe080ea1528ec5a8e23d74fbbcdde65
sha1: 39b5a4d91e4dfecd975d23d5a1eb2b22fa945241
crc32: 0x3fcd5b0e
sha224: 51405bc59283eb4363389dbc3854b3028e17eea2db3b50aa6da02d36
sha256: c16559dc034ad9be6f6af5740a6224ea0ac4b99cf9fada39989b46dc0a56baa3
sha384: de15cbca16b4477682aacf622a16b463c88f3306c45e589661c5c823597e0676bb2c6959bf79f9a80ae7c951c50db947
sha512: 2684fb4bd6e48c7b2fe05f97b4ca692b7378acfb33223dcfa59d0b39f31c5835c92131595ef52b08153dfa31e74bd172187f9124cd5e1d440fba6d7172631938
ssdeep: 24576:Kq/jhK1W5ATPPb3F1vDTzaZSuY3vsb/jAWiBdKDecTU+3vsU:Km2PTj2ZSuYEHEyD9TP1

Creation Date: Feb. 21, 2020, 1:09 p.m.
Last Update: Feb. 21, 2020, 2:02 p.m.
File: 3516100304046235785001645500100001.exe

Results:

Community

Google: False
HashLib: False

YARA

Matches: domain, Borland, IP, CookieTools, Borland_Delphi_30_, HasOverlay, CRC32_poly_Constant, BASE64_table, Delphi_DecodeDate, RIPEMD160_Constants, borland_delphi, Delphi_FormShow, network_dns, BobSoftMiniDelphiBoBBobSoft, CRC32_table, Microsoft_Visual_Cpp_v50v60_MFC, BobSoft_Mini_Delphi_BoB_BobSoft_additional, win_files_operation, IsPE32, win_hook, RijnDael_AES_CHAR, contentis_base64, network_tcp_socket, screenshot, network_tcp_listen, Borland_Delphi_v40_v50, keylogger, win_mutex, Borland_Delphi_40_additional, Borland_Delphi_40, network_ssl, Delphi_Random, IsWindowsGUI, HasDigitalSignature, network_udp_sock, Delphi_Copy, Borland_Delphi_Setup_Module, Borland_Delphi_DLL, url, SHA1_Constants, win_registry, Delphi_CompareCall, RijnDael_AES_LONG, Delphi_StrToInt, Borland_Delphi_30_additional, Borland_Delphi_v30
Suspicious: True

Strings

List

<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">

the appropriate version of this product at http://www.componentace.com Web site: http://www.componentace.com

outlander.org outlander.org

c:\program files (x86)\borland\delphi7\Lib\bsEffects.pas c:\program files (x86)\borland\delphi7\Lib\bsEffects.pas c:\program files (x86)\borland\delphi7\Lib\bsEffects.pas c:\program files (x86)\borland\delphi7\Lib\bsEffects.pas t.Ht

DefaultFont.Name Font.Style

Font.Name DefaultFont.Style

Invalid compressed size, rfs.size = %d, count = %d +http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(

.http://crl.thawte.com/ThawteTimestampingCA.crl0 +http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group feel free to contact us at support@componentace.com

127.0.0.1

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

\Software\Borland\C++Builder

P.rsrc

SOFTWARE\Borland\Delphi\RTL Delphi%.8X

Software\Borland\Locales Software\Borland\Delphi\Locales

\Software\Borland\BDS msimg32.dll

comctl32.dll comctl32.dll comctl32.dll comctl32.dll comctl32.dll version.dll vcltest3.dll uxtheme.dll wininet.dll thompson.sey 0.0.0.1 dwmapi.dll

\thompson.sey SHFolder.dll Network is down.

Host is down.

PasswordCharx,E

Hashed list of file names is invalid http://ts-ocsp.ws.symantec.com07 Username

Username Username Username

Password for "%s"

EDIT_DELETE=Delete OnReceive`

OnDockOverH Socket Error # %d OnDeleteError OnDeleteError

""fD**~T +IdTCPServer TIdTCPServer\

UhI:H

ControlOfs%.8X%.8X WndProcPtr%.8X%.8X

Connection Closed Gracefully.;Could not bind socket. Address and port are already in use.

name="Microsoft.Windows.Common-Controls"

fkCalculated Calculated Bad address.

TRecordsetReasonEvent PixelsPerInchx,E

Picturex,E

Socks server did not respond.$Invalid socks authentication method.%Authentication error to socks server.

Connected.

JumpID("","%s")

Socket is not connected..Cannot send or receive after socket is closed.#Too many references, cannot splice.

- Dock zone has no control OnCommand(

Command not supported.

FullRepaint4nB

showfocus focusedskinrect showfocus showfocus focusedskinrect focustabrect showfocus showfocus showfocus showfocus focuscellrect showfocus focustabrect showfocus focuscellrect showfocus

Connection refused.

Foremost

Matches 0.exe, 1 MB

Suspicious True

Heuristics

IPs
  hasIPs: True
  Allowed: 127.0.0.1, 1, localhost.
  Suspicious: 0.0.0.1, 0, Unknown
  hasAllowed: True
  hasSuspicious: True

URLs
  hasURLs: True
  Allowed: http://schemas.microsoft.com/smi/2005/windowssettings
  Suspicious: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(, http://crl.thawte.com/thawtetimestampingca.crl0, http://www.componentace.com, http://ocsp.thawte.com0, http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<, http://ts-ocsp.ws.symantec.com07
  hasAllowed: True
  hasSuspicious: True

Files
  hasFiles: True
  Allowed: MAPI32.DLL, mtxex.dll, WS2_32.DLL, user32.dll, uxtheme.dll, dwmapi.dll, wininet.dll, ole32.dll, imm32.dll, advapi32.dll, comctl32.dll, SHFolder.dll, gdi32.dll, oleaut32.dll, kernel32.dll, vcltest3.dll, version.dll, shell32.dll, msimg32.dll
  Suspicious:
  hasAllowed: True
  hasSuspicious: False

Sizes
  RVA: 16, Suspicious: False
  Code Size: 576000, Suspicious: False
  Image Address: 4194304, Suspicious: False
  Stack: 16384, Suspicious: False
  Headers: 1024, Suspicious: False
  Suspicious: False

Symbols
  Number: 0, Suspicious: True
  Pointer: 0, Suspicious: True

Directories
  Number: 16, Suspicious: False

Checksum
  Value: 1676173, Suspicious: False

Sections
  hasSections: True
  Allowed: code, data, bss, .idata, .tls, .rdata, .reloc, .rsrc
  Suspicious:
  hasAllowed: True
  hasSuspicious: False

Versions
  OS Version: 4, Suspicious: False
  Image Version: 4, Suspicious: True
  Linker Version: 2.25, Suspicious: False
  Subsystem Version: 4.0, Suspicious: False
  Suspicious: False

EntryPoint
  Address: 1062764, Suspicious: False

Anomalies
  hasAnomalies: False

Libraries
  hasLibs: True
  Allowed: mapi32.dll, mtxex.dll, ws2_32.dll, user32.dll, uxtheme.dll, dwmapi.dll, wininet.dll, ole32.dll, imm32.dll, advapi32.dll, comctl32.dll, shfolder.dll, gdi32.dll, oleaut32.dll, kernel32.dll, version.dll, shell32.dll, msimg32.dll
  Suspicious: vcltest3.dll
  hasAllowed: True
  hasSuspicious: True

Timestamp
  Value: 1992-06-19 19:22:17
  Valid: True
  Past: True
  Future: False

Compilation
  Packed: True
  Missing: False
  Packers: BobSoft Mini Delphi -> BoB / BobSoft
  Compiled: True
  Compilers: Borland Delphi 3.0 (???), Borland Delphi 4.0, Borland Delphi v3.0, Borland Delphi v6.0 - v7.0
  MainPacker: BobSoft Mini Delphi -> BoB / BobSoft

Obfuscation
  XOR: False
  Fuzzing: True

PEDetector
  Matches: None
  Suspicious: False

Disassembly
  hasTricks: True
  Tricks:
    pushret: none: 195, .rsrc: 28
    nopsequence: .rsrc: 2
    .rsrc: 8, .reloc: 50
    garbagebytes: none: 189, .rsrc: 26
    hookdetection: none: 6, .reloc: 6
    software breakpoint: none: 14, .reloc: 20
    programcontrolflowchange: none: 189, .rsrc: 26
    cpuinstructionsresultscomparison: none: 29, .rsrc: 64, .reloc: 3

AVclass

banload 1

VirusTotal

md5: 1fe080ea1528ec5a8e23d74fbbcdde65
sha1: 39b5a4d91e4dfecd975d23d5a1eb2b22fa945241

SCANS (DETECTION RATE = 65.67%)

AVG: result: Win32:Banker-MXQ [Trj]; update: 20180323; version: 18.2.3827.0; detected: True
CMC: update: 20180323; version: 1.1.0.977; detected: False
MAX: result: malware (ai score=100); update: 20180323; version: 2017.11.15.1; detected: True
Bkav: update: 20180322; version: 1.3.0.9466; detected: False
K7GW: result: Trojan-Downloader ( 004ffc551 ); update: 20180323; version: 10.42.26597; detected: True
ALYac: result: Gen:Variant.Symmi.68812; update: 20180323; version: 1.1.1.5; detected: True
Avast: result: Win32:Banker-MXQ [Trj]; update: 20180323; version: 18.2.3827.0; detected: True
Avira: result: TR/Dldr.Delphi.Gen; update: 20180323; version: 8.3.3.6; detected: True
Baidu: update: 20180323; version: 1.0.0.2; detected: False
Cyren: result: W32/Trojan.VNMO-2025; update: 20180323; version: 5.4.30.7; detected: True
DrWeb: result: Trojan.PWS.Banker1.25948; update: 20180323; version: 7.0.28.2020; detected: True
GData: result: Gen:Variant.Symmi.68812; update: 20180323; version: A:25.16478B:25.11859; detected: True
Panda: result: Trj/GdSda.A; update: 20180323; version: 4.6.4.2
VBA32: result: TrojanDownloader.Banload; update: 20180323; version: 3.12.28.0; detected: True
VIPRE: result: Trojan.Win32.Generic!BT; update: 20180323; version: 65472; detected: True
Zoner: update: 20180323; version: 1.0; detected: False
AVware: result: Trojan.Win32.Generic!BT; update: 20180323; version: 1.5.0.42; detected: True
ClamAV: update: 20180323; version: 0.99.2.0; detected: False
Comodo: update: 20180323; version: 28732; detected: False
F-Prot: update: 20180323; version: 4.7.1.166; detected: False
Ikarus: result: Trojan-Downloader.Win32.Banload; update: 20180323; version: 0.1.5.2; detected: True
McAfee: result: Trojan-FKEQ!1FE080EA1528; update: 20180323; version: 6.0.6.653; detected: True
Rising: result: Downloader.Banload!8.15B (TFE:4:EVUcsMV667E); update: 20180323; version: 25.0.0.1; detected: True
Sophos: result: Mal/Generic-S; update: 20180323; version: 4.98.0; detected: True
Yandex: result: Trojan.DL.Banload!UtySJHnPzCo; update: 20180323; version: 5.5.1.3; detected: True
Zillya: result: Downloader.Banload.Win32.74223; update: 20180323; version: 2.0.0.3519; detected: True
Arcabit: result: Trojan.Symmi.D10CCC; update: 20180323; version: 1.0.0.831; detected: True
Cylance: result: Unsafe; update: 20180323; version: 2.3.1.101; detected: True
Endgame: result: malicious (high confidence); update: 20180316; version: 2.0.5; detected: True
Tencent: result: Win32.Trojan.Falsesign.Edye; update: 20180323; version: 1.0.0.1; detected: True
ViRobot: update: 20180323; version: 2014.3.20.0; detected: False
eGambit: result: Unsafe.AI_Score_73%; update: 20180323; version: v4.3.5; detected: True
Ad-Aware: result: Gen:Variant.Symmi.68812; update: 20180323; version: 3.0.3.1010
AegisLab: result: Uds.Dangerousobject.Multi!c; update: 20180323; version: 4.2; detected: True
Emsisoft: result: Gen:Variant.Symmi.68812 (B); update: 20180323; version: 4.0.2.899; detected: True
F-Secure: result: Gen:Variant.Symmi.68812; update: 20180323; version: 11.0.19100.45; detected: True
Fortinet: result: W32/Banload.XTF!tr; update: 20180323; version: 5.4.247.0; detected: True
Invincea: update: 20180121; version: 6.3.4.26036; detected: False
Jiangmin: update: 20180323; version: 16.0.100; detected: False
Kingsoft: update: 20180323; version: 2013.8.14.323; detected: False
Paloalto: result: generic.ml; update: 20180323; version: 1.0; detected: True
Symantec: result: Trojan.Gen.2; update: 20180323; version: 1.5.0.0; detected: True
nProtect: update: 20180323; version: 2018-03-23.02; detected: False
AhnLab-V3: update: 20180323; version: 3.12.0.20130; detected: False
Antiy-AVL: update: 20180323; version: 3.0.0.1; detected: False
Kaspersky: result: UDS:DangerousObject.Multi.Generic; update: 20180323; version: 15.0.1.13; detected: True
Microsoft: result: TrojanDownloader:Win32/Banload; update: 20180323; version: 1.1.14600.4; detected: True
Qihoo-360: update: 20180323; version: 1.0.0.1120; detected: False
TheHacker: update: 20180319; version: 6.8.0.5.2551; detected: False
ZoneAlarm: result: UDS:DangerousObject.Multi.Generic; update: 20180323; version: 1.0; detected: True
Cybereason: result: malicious.a1528e; update: 20180225; version: 1.2.27; detected: True
ESET-NOD32: result: a variant of Win32/TrojanDownloader.Banload.XRN; update: 20180323; version: 17106; detected: True
TrendMicro: result: TROJ_GEN.R002C0DBG18; update: 20180323; version: 9.862.0.1074; detected: True
WhiteArmor: update: 20180223; detected: False
BitDefender: result: Gen:Variant.Symmi.68812; update: 20180323; version: 7.2; detected: True
CrowdStrike: result: malicious_confidence_100% (W); update: 20170201; version: 1.0; detected: True
K7AntiVirus: result: Trojan-Downloader ( 004ffc551 ); update: 20180323; version: 10.42.26598; detected: True
SentinelOne: update: 20180225; version: 1.0.15.206; detected: False
Avast-Mobile: update: 20180323; version: 180323-04; detected: False
Malwarebytes: update: 20180323; version: 2.1.1.1115; detected: False
TotalDefense: update: 20180323; version: 37.1.62.1; detected: False
CAT-QuickHeal: update: 20180323; version: 14.00; detected: False
NANO-Antivirus: result: Trojan.Win32.Banload.eibkix; update: 20180323; version: 1.0.100.22043; detected: True
MicroWorld-eScan: result: Gen:Variant.Symmi.68812; update: 20180323; version: 14.0.297.0; detected: True
SUPERAntiSpyware: update: 20180323; version: 5.6.0.1032; detected: False
McAfee-GW-Edition: result: Trojan-FKEQ!1FE080EA1528; update: 20180323; version: v2015; detected: True
TrendMicro-HouseCall: result: TROJ_GEN.R002C0DBG18; update: 20180323; version: 9.950.0.1006; detected: True

total: 67
sha256: c16559dc034ad9be6f6af5740a6224ea0ac4b99cf9fada39989b46dc0a56baa3
scan_id: c16559dc034ad9be6f6af5740a6224ea0ac4b99cf9fada39989b46dc0a56baa3-1521831840
resource: 1fe080ea1528ec5a8e23d74fbbcdde65
permalink: https://www.virustotal.com/file/c16559dc034ad9be6f6af5740a6224ea0ac4b99cf9fada39989b46dc0a56baa3/analysis/1521831840/
positives: 44
scan_date: 2018-03-23 19:04:00
verbose_msg: Scan finished, information embedded
response_code: 1

File Trace

Timestamp  Operation  PID  Process  Path  Detail

21/2/2020 12:45:43.762  Open  1480  C:\malware.exe  C:\Program Files (x86)\Common Files\System\ado\MSDART.DLL
21/2/2020 12:45:43.762  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\msdart.dll
21/2/2020 12:45:43.762  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\msdart.dll
21/2/2020 12:45:43.762  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:43.762  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:43.762  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:43.762  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:53.793  Open  1480  C:\malware.exe  C:\malware.exe
21/2/2020 12:45:53.793  Read  1480  C:\malware.exe  C:\malware.exe
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:53.809  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:45:53.809  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Secur32.dll
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\secur32.dll
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\secur32.dll
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
21/2/2020 12:45:53.809  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\api-ms-win-downlevel-advapi32-l2-1-0.dll
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
21/2/2020 12:45:53.809  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll  api-ms-win-downlevel-advapi32-l2-1-0.dll
21/2/2020 12:45:53.809  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll
21/2/2020 12:45:53.809  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-advapi32-l2-1-0.dll  api-ms-win-downlevel-advapi32-l2-1-0.dll
21/2/2020 12:45:53.856  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
21/2/2020 12:45:53.887  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\winhttp.dll
21/2/2020 12:45:53.887  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\winhttp.dll
21/2/2020 12:45:53.887  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\webio.dll
21/2/2020 12:45:53.887  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\webio.dll
21/2/2020 12:45:53.887  Open  1480  C:\malware.exe  C:\IPHLPAPI.DLL
21/2/2020 12:45:53.887  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\IPHLPAPI.DLL
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\IPHLPAPI.DLL
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\WINNSI.DLL
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\winnsi.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\winnsi.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\api-ms-win-downlevel-shlwapi-l2-1-0.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
21/2/2020 12:45:53.903  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll  api-ms-win-downlevel-shlwapi-l2-1-0.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll
21/2/2020 12:45:53.903  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\api-ms-win-downlevel-shlwapi-l2-1-0.dll  api-ms-win-downlevel-shlwapi-l2-1-0.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\DNSAPI.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\dnsapi.dll
21/2/2020 12:45:53.903  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\dnsapi.dll
21/2/2020 12:45:53.965  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\mswsock.dll
21/2/2020 12:45:53.965  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\mswsock.dll
21/2/2020 12:45:53.965  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\wship6.dll
21/2/2020 12:45:53.965  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\wship6.dll
21/2/2020 12:45:54.59  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\netprofm.dll
21/2/2020 12:45:54.59  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\netprofm.dll
21/2/2020 12:45:54.59  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\nlaapi.dll
21/2/2020 12:45:54.59  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\nlaapi.dll
21/2/2020 12:45:54.106  Open  1480  C:\malware.exe  C:\dhcpcsvc6.DLL
21/2/2020 12:45:54.106  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\dhcpcsvc6.dll
21/2/2020 12:45:54.106  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\dhcpcsvc6.dll  dhcpcsvc6.dll
21/2/2020 12:45:54.106  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\dhcpcsvc6.dll
21/2/2020 12:45:54.106  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\dhcpcsvc6.dll  dhcpcsvc6.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\CRYPTSP.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\cryptsp.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\cryptsp.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rsaenh.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\RpcRtRemote.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\RpcRtRemote.dll
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\RpcRtRemote.dll  RpcRtRemote.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\RpcRtRemote.dll
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Windows\SysWOW64\RpcRtRemote.dll  RpcRtRemote.dll
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Roaming\Microsoft\Windows\Cookies
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\History
21/2/2020 12:45:54.153  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
21/2/2020 12:45:54.153  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\Microsoft\Windows\History\History.IE5
21/2/2020 12:45:54.168  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\WSHTCPIP.DLL
21/2/2020 12:45:54.168  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\WSHTCPIP.DLL
21/2/2020 12:45:54.168  Open  1480  C:\malware.exe  C:\dhcpcsvc.DLL
21/2/2020 12:45:54.168  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\dhcpcsvc.dll
21/2/2020 12:45:54.168  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\dhcpcsvc.dll
21/2/2020 12:45:54.215  Open  1480  C:\malware.exe  C:\rasadhlp.dll
21/2/2020 12:45:54.215  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rasadhlp.dll
21/2/2020 12:45:54.215  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\rasadhlp.dll
21/2/2020 12:45:54.262  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\npmproxy.dll
21/2/2020 12:45:54.262  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\npmproxy.dll
21/2/2020 12:45:54.356  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub\125Z3R2D897W2613.15
21/2/2020 12:45:54.356  Write  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub\125Z3R2D897W2613.15  125Z3R2D897W2613.15
21/2/2020 12:45:54.356  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub\125Z3R2D897W2613.15
21/2/2020 12:45:54.356  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\pt-BR\KernelBase.dll.mui
21/2/2020 12:45:55.325  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\wininet.dll
21/2/2020 12:45:55.325  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\wininet.dll
21/2/2020 12:46:1.387  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:46:1.387  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:46:1.387  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:46:1.387  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:46:1.387  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub\125Z3R2D897W2613.15
21/2/2020 12:46:1.387  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub\125Z3R2D897W2613.15
21/2/2020 12:46:10.418  Open  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:46:10.418  Unknown  1480  C:\malware.exe  C:\Users\Behemot\AppData\Local\sub
21/2/2020 12:46:10.700  Open  1480  C:\malware.exe  C:\imageres.dll
21/2/2020 12:46:10.700  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\imageres.dll
21/2/2020 12:46:10.700  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\imageres.dll
21/2/2020 12:46:10.934  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\pt-BR\imageres.dll.mui
21/2/2020 12:46:10.934  Open  1480  C:\malware.exe  C:\Windows\System32\pt-BR\imageres.dll.mui
21/2/2020 12:46:10.934  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\pt\imageres.dll.mui
21/2/2020 12:46:10.934  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\en-US\imageres.dll.mui
21/2/2020 12:46:10.934  Read  1480  C:\malware.exe  C:\Windows\SysWOW64\en-US\imageres.dll.mui  imageres.dll.mui
21/2/2020 12:46:11.168  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\ole32.dll
21/2/2020 12:46:11.168  Open  1480  C:\malware.exe  C:\Windows\SysWOW64\ole32.dll

Process Trace

Analysis

Reason: Timeout
Status: Successfully Executed
Results: 1

Registry Trace

Timestamp  Operation  PID  Process  Key  Value

21/2/2020 12:45:53.903  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  ProxyEnable
21/2/2020 12:45:53.903  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  ProxyServer
21/2/2020 12:45:53.903  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  ProxyOverride
21/2/2020 12:45:53.903  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  AutoConfigURL
21/2/2020 12:45:53.903  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings  AutoDetect
21/2/2020 12:45:53.903  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  SavedLegacySettings
21/2/2020 12:45:54.153  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content  CachePrefix
21/2/2020 12:45:54.153  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies  CachePrefix
21/2/2020 12:45:54.153  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History  CachePrefix
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecisionReason
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecisionTime
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecision
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDetectedUrl
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  ProxyBypass
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  IntranetName
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  UNCAsIntranet
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  AutoDetect
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  ProxyBypass
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  IntranetName
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  UNCAsIntranet
21/2/2020 12:45:54.262  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap  AutoDetect
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60}  WpadDecisionReason
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60}  WpadDecisionTime
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60}  WpadDecision
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60}  WpadNetworkName
21/2/2020 12:45:55.559  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8C667F4-C62D-460A-82E2-EC8687C3DC60}  WpadDetectedUrl
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecisionReason
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecisionTime
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecision
21/2/2020 12:45:55.559  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDetectedUrl
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecisionReason
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecisionTime
21/2/2020 12:45:55.559  Write  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDecision
21/2/2020 12:45:55.559  Delete  1480  C:\malware.exe  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-83-08-f3  WpadDetectedUrl

File Summary

Created Identified: True

Deleted Identified: False

Process Summary

Created Identified: False

Deleted Identified: False

Registry Summary

Proxy Identified: False

AutoRun Identified: False

Created Identified: True

Deleted Identified: True

Browsers Identified: False

Internet Identified: True

DNS

Query

localhost gateway:DNS www.eco-concept-etudes.fr.

localhost gateway:50273 www.eco-concept-etudes.fr.

localhost gateway:DNS www.a4imoveisce.com.br.

Response

TCP

Info

UDP

Info

localhost:55394  localhost:53
localhost:50273  localhost:53
localhost:68  255.255.255.255:67
localhost:53  localhost:55394
localhost:67  localhost:68
localhost:53  localhost:50273

HTTP

Info

Summary

DNS True

TCP False

HTTP False

Results

BINARY

KNN (K=3, NFS-BRMalware) confidence: 100.00%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

suspicious: True

SVC (Kernel=Linear, NFS-BRMalware) confidence: 61.88%

suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 82.46%

suspicious: True

Random Forest (100 estimators, NFS-BRMalware) confidence: 61.00%

suspicious: True

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 84.42%

suspicious: False

LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 96.45%

suspicious: False
