Report #6158

(1)

Binary

DLL False

Size 8.00KB

trid 62.0% Generic CIL Executable

23.4% Win64 Executable

5.5% Win32 Dynamic Link Library 3.8% Win32 Executable

1.7% OS/2 Executable

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 bad40f40a4d4063255c0b0740bb269ea

sha1 f19119a475f5f922387afd795252c75319ed8ee4

crc32 0x3623a918

sha224 ab2c630281b8baa5ca95fcdd9e7c0d6521e13d84a30ef8f852f5297f

sha256 9bc7df98926b08693f5254ad29b88937352f114cfe31a1506cd2bcb44f46bf5 1

sha384 02e2a3cea6a646d51aae9f0ef793c7c73e0b3f77e8f30ab9e491b4697db510 d497194c2f2e4da7efd8dc9ff1f6908e5f

sha512 d166671a864d7ec941082b541a8f7e763c18b2f6cfdd26942b2a94c50a259c e79ad6d1431f63d1fcadd01a729dc4daf28c59bf8330ea8a6967fb11227c89d f83

ssdeep 96:jPG9fPAuXcyok1R6tKTY82MKj+Xj4YdYIEPLS3QjsH3m9mPTsGKzNt:a9fPAu Xct4TiM2+sYdYeAjsH2Sls

Report #6158

Creation Date: Feb. 14, 2020, 11:58 a.m.

Last Update: Feb. 14, 2020, 1:57 p.m.

File:

BerLo0000000098328320932309232.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches NET_executable, contentis_base64, Microsoft_Visual_C_v70_Basic_NET, Micr osoft_Visual_Studio_NET_additional, IP, IsNET_EXE, NETexecutableMicrosoft, Microsoft_Visual_C_Basic_NET, Microsoft_Visual_Studio_NET, NET_executabl e_, domain, IsPE32, Microsoft_Visual_C_v70_Basic_NET_additional, IsWindo wsGUI

Suspicious True

Strings

List

System.IO System.Net

This executable has been obfuscated by using RustemSoft Skater .NET Obfuscator Demo version. Please visit Ruste mSoft.com for more information.

0.0.0.0 0.0.0.0 0.0.0.0 load.exe load.exe load.exe Next mscoree.dll get_UserName ExitProcess EncryptOutput Sleep

Random

Crypt _CorExeMain IEnumerable`1 RustemSoft.Skater

<EncryptOutput>b__2 System.Core

get_Chars get_Unicode System.Linq System.Text

#Strings get_Length

(3)

RuntimeCompatibilityAttribute

</assembly>

Environment WebClient

AttributeUsageAttribute AttributeTargets

Attribute Func`2 ve2ncyGR

<EncryptInitalize>b__0 InternalName

DirectoryInfo OriginalFilename CreateDirectory uExitCode FileVersion FileDescription StringFileInfo VarFileInfo mscorlib Translation Enumerable Encoding Process GetBytes

#GUID Program GetString

Assembly Version Convert

ConfKey ToArray .ctor

o0eMqwIQkwsaBRS+TxyakSivnvirnnVFabP+3HuZx9f7OabiuKz55D3DQWirQp3SakVeoaifdziXkHqvSOJFmQS/lpLvNzq JCZTEOus9JZt6sfIAGaD1p0D3/tPYjWrscCVCPRHy916YuimCFbLg5pF+FRoj0qudS4WEnOtRd+ACa5/xEmgNtVH2PtEow Da1DgM=

.cctor Config Object Select Loader Concat Exists Thread

`.rsrc Range String System

hO2Scy2R/7C8EkEnot9e22Dy0VMsT9L26/OctyoDm+hfFa009AM=

load

</security>

Foremost

Matches 0.exe, 8 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: False Suspicious

hasAllowed: False hasSuspicious: False

Files Allowed: kernel32.dll, mscoree.dll

hasFiles: True Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 2048

Suspicious: False Image

Address: 4194304 Suspicious: False

(5)

Stack Stack: 4096 Suspicious: False Headers

Headers: 512 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 0

Suspicous: True

Sections Allowed: .text, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 4

Suspicious: False Image

Version: True Suspicious: 4 Linker

Version: 8.0 Suspicious: False Subsystem

Version: 4.0 Suspicious: False Suspicious: False

EntryPoint Address: 13342

Suspicious: False

Anomalies Anomalies: The header checksum and the calculated checksum do not ma tch.

hasAnomalies: True

Libraries Allowed: kernel32.dll, mscoree.dll hasLibs: True

(6)

Suspicious

hasAllowed: True hasSuspicious: False

Timestamp Past: False

Valid: True

Value: 2017-06-21 12:30:44 Future: False

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C# / Basic .NET, Microsoft Visual Studio .NET, . NET executable, Microsoft Visual C# v7.0 / Basic .NET

Obfuscation XOR: False

Fuzzing: True

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushpopmath .text: 1

AVclass

banload 1

VirusTotal

md5 bad40f40a4d4063255c0b0740bb269ea

sha1 f19119a475f5f922387afd795252c75319ed8ee4

SCANS (DETECTION RATE = 68.75%)

AVG result: Win32:Malware-gen

(7)

update: 20180702 version: 18.4.3895.0 detected: True

CMC update: 20180701

version: 1.1.0.977 detected: False

MAX result: malware (ai score=80)

Bkav update: 20180630

K7GW result: Trojan ( 700000121 )

update: 20180702 version: 10.51.27618 detected: True

ALYac result: Gen:Variant.Zusy.237971

Avast result: Win32:Malware-gen

Avira result: TR/Downloader.dzpto

Baidu update: 20180628

Cyren result: W32/Trojan.HUCX-8108

DrWeb result: Trojan.DownLoader24.65133

(8)

GData result: Gen:Variant.Zusy.237971

update: 20180702

version: A:25.17658B:25.12627 detected: True

Panda result: Trj/GdSda.A

VBA32 result: Trojan.Downloader

VIPRE result: Trojan.Win32.Generic!BT

update: 20180702 version: 67818 detected: True

Zoner update: 20180701

version: 1.0 detected: False

AVware result: Trojan.Win32.Generic!BT

ClamAV update: 20180702

Comodo update: 20180702

detected: False

F-Prot update: 20180702

Ikarus result: Trojan-Downloader.MSIL.Banload update: 20180701

version: 0.1.5.2

(9)

detected: True

McAfee result: Artemis!BAD40F40A4D4

Sophos result: Mal/Generic-S

Yandex result: Trojan.Agent!HZpBJxaGg9I

Zillya update: 20180629

Arcabit result: Trojan.Zusy.D3A193

Babable update: 20180406

version: 9107201 detected: False

Endgame result: malicious (high confidence) update: 20180612

version: 2.1.3 detected: True

TACHYON update: 20180702

version: 2018-07-02.01 detected: False

Tencent result: Win32.Trojan.Generic.Pjdk update: 20180702

version: 1.0.0.1 detected: True

ViRobot update: 20180701

(10)

Webroot update: 20180702 version: 1.0.0.403 detected: False

eGambit update: 20180702

detected: False

Ad-Aware result: Gen:Variant.Zusy.237971

AegisLab result: Troj.W32.Generic!c

update: 20180702 version: 4.2 detected: True

Emsisoft result: Gen:Variant.Zusy.237971 (B) update: 20180702

F-Secure result: Gen:Variant.Zusy.237971

Fortinet result: MSIL/Banload.GZ!tr.dldr update: 20180702

Invincea result: heuristic

Jiangmin result: Trojan.Generic.bbpkl

Kingsoft update: 20180702

(11)

Paloalto result: generic.ml update: 20180702 version: 1.0 detected: True

Symantec result: ML.Attribute.HighConfidence update: 20180701

AhnLab-V3 result: Trojan/Win32.Zbot.R202816 update: 20180702

Antiy-AVL result: Trojan/Win32.AGeneric update: 20180702

Kaspersky result: HEUR:Trojan.Win32.Generic update: 20180702

Microsoft update: 20180702

Qihoo-360 update: 20180702

TheHacker update: 20180628

version: 6.8.0.5.3218 detected: False

ZoneAlarm result: HEUR:Trojan.Win32.Generic update: 20180702

version: 1.0 detected: True

Cybereason result: malicious.0a4d40

(12)

ESET-NOD32 result: a variant of MSIL/TrojanDownloader.Banload.GZ update: 20180702

version: 17644 detected: True

BitDefender result: Gen:Variant.Zusy.237971 update: 20180702

CrowdStrike result: malicious_confidence_100% (D) update: 20180530

K7AntiVirus result: Trojan ( 700000121 ) update: 20180702

version: 10.51.27618 detected: True

SentinelOne result: static engine - malicious update: 20180701

Avast-Mobile update: 20180702

version: 180701-04 detected: False

Malwarebytes result: Trojan.Banload update: 20180702 version: 2.1.1.1115 detected: True

TotalDefense update: 20180701

CAT-QuickHeal result: TrojanDownloader.Banload update: 20180701

NANO-Antivirus result: Trojan.Win32.Banload.etinyb update: 20180702

(13)

MicroWorld-eScan result: Gen:Variant.Zusy.237971 update: 20180702

SUPERAntiSpyware update: 20180701 version: 5.6.0.1032 detected: False

McAfee-GW-Edition result: Artemis!Trojan update: 20180702 version: v2017.2786 detected: True

total 64

sha256 9bc7df98926b08693f5254ad29b88937352f114cfe31a1506cd2bcb44f46bf5 1

scan_id 9bc7df98926b08693f5254ad29b88937352f114cfe31a1506cd2bcb44f46bf5 1-1530512551

resource bad40f40a4d4063255c0b0740bb269ea

permalink https://www.virustotal.com/file/9bc7df98926b08693f5254ad29b88937352f 114cfe31a1506cd2bcb44f46bf51/analysis/1530512551/

positives 44

scan_date 2018-07-02 06:22:31

verbose_msg Scan finished, information embedded

response_code 1

File

Trace

14/2/202 0 - 12:45 :42.981

Re ad

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\machine.config

machine.c onfig

14/2/202 0 - 12:45 :42.981

Re ad

1 4 8 0

machine.c onfig

(14)

14/2/202 0 - 12:45 :42.997

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :42.997

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :42.997

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :42.997

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :42.997

Op en

1 4 8 0

C:\malware.exe C:\malware.exe.config

14/2/202 0 - 12:45 :42.997

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\fusion.

localgac

14/2/202 0 - 12:45 :43.12

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\security.config

14/2/202 0 - 12:45 :43.12

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\security.config.cch

14/2/202 0 - 12:45 :43.12

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\enterprisesec.config

14/2/202 0 - 12:45 :43.12

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFI G\enterprisesec.config.cch

14/2/202 0 - 12:45 :43.12

Op en

1 4 8 0

C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls

Un 1

(15)

14/2/202 0 - 12:45 :43.28

kn ow n

4 8 0

C:\malware.exe C:\Windows\Globalization\Sorting\SortDefault.nls SortDefau lt.nls

14/2/202 0 - 12:45 :43.28

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot

14/2/202 0 - 12:45 :43.28

Op en

1 4 8 0

14/2/202 0 - 12:45 :43.28

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :43.28

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming

14/2/202 0 - 12:45 :43.28

Op en

1 4 8 0

14/2/202 0 - 12:45 :43.28

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :43.28

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming\Microsoft\CLR Securit y Config\v2.0.50727.312\64bit\security.config

14/2/202 0 - 12:45 :43.28

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Roaming\Microsoft\CLR Securit y Config\v2.0.50727.312\64bit\security.config.cch

14/2/202 0 - 12:45 :43.247

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\index1 87.dat

14/2/202 0 - 12:45 :43.481

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorl ib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll

14/2/202 Un 1

(16)

0 - 12:45 :43.622

kn ow n

4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.622

Op en

1 4 8 0

14/2/202 0 - 12:45 :43.622

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.668

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.715

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.762

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.809

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.856

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.903

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.950

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :43.997

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 Re 1

4 C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorl mscorlib.

(17)

0 - 12:45 :44.43

ad 8 0

C:\malware.exe ib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll ni.dll

14/2/202 0 - 12:45 :44.90

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.137

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.184

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.231

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.278

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.325

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.372

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.418

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.465

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.512

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 Re 1

(18)

0 - 12:45 :44.559

ad 8 0

14/2/202 0 - 12:45 :44.606

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.653

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.700

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.747

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.840

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.934

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :44.981

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.28

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.75

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.122

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 Op

1

4 C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c56

(19)

:45.215 en 8 0

C:\malware.exe 1934e089

14/2/202 0 - 12:45 :45.262

Re ad

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c56 1934e089

14/2/202 0 - 12:45 :45.309

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c56 1934e089

14/2/202 0 - 12:45 :45.356

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.731

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.778

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.825

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.872

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.918

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :45.965

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.12

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 Re

1

4 C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorl mscorlib.

(20)

:46.59 ad 8 0

ib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll ni.dll

14/2/202 0 - 12:45 :46.106

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.153

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.200

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.247

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.387

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\malware.exe

14/2/202 0 - 12:45 :46.622

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\

14/2/202 0 - 12:45 :46.622

Un kn ow n

1 4 8 0

C:\malware.exe C:\

14/2/202 0 - 12:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Monitor

14/2/202 0 - 12:45

Un kn ow

1 4

8 C:\malware.exe C:\Monitor

(21)

:46.622 n 0

14/2/202 0 - 12:45 :46.622

Op en

1 4 8 0

C:\malware.exe C:\Monitor\Malware

14/2/202 0 - 12:45 :46.622

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :46.622

Op en

1 4 8 0

14/2/202 0 - 12:45 :46.622

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :46.622

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.762

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.809

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :46.997

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.43

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.90

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.137

Re ad

1 4

8 C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorl ib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll

mscorlib.

ni.dll

(22)

0

14/2/202 0 - 12:45 :47.418

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.465

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.512

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.606

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.653

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.700

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.747

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.793

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.840

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :47.903

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 Re

ad 1 4

8 C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorl ib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll

mscorlib.

ni.dll

(23)

:47.950 0

14/2/202 0 - 12:45 :47.997

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.90

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.465

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.512

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.559

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.606

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.653

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ole32.

dll

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\rpcss.dll

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

14/2/202 0 - 12:45 :48.747

Op en

1 4

8 C:\malware.exe C:\Windows\System32\rpcss.dll

(24)

0

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

C:\malware.exe C:\CRYPTBASE.dll

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll

14/2/202 0 - 12:45 :48.747

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll cryptbase .dll

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll

14/2/202 0 - 12:45 :48.747

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\System32\cryptbase.dll cryptbase .dll

14/2/202 0 - 12:45 :48.747

Op en

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows\Tempo rary Internet Files

14/2/202 0 - 12:45 :48.747

Un kn ow n

1 4 8 0

C:\malware.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows\Tempo rary Internet Files

14/2/202 0 - 12:45 :48.793

Op en

1 4 8 0

C:\malware.exe C:\malware.config

14/2/202 0 - 12:45 :48.793

Op en

1 4 8 0

14/2/202 0 - 12:45 :48.793

Un kn ow n

1 4 8 0

(25)

14/2/202 0 - 12:45 :48.840

Op en

1 4 8 0

14/2/202 0 - 12:45 :48.840

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :48.840

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.887

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :48.981

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.28

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.75

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.122

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.215

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.356

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.403

Re ad

1 4 8 0

mscorlib.

ni.dll

(26)

14/2/202 0 - 12:45 :49.497

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.590

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.637

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.731

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :49.778

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :50.59

Op en

1 4 8 0

C:\malware.exe C:\Windows\System32\l_intl.nls

14/2/202 0 - 12:45 :50.153

Op en

1 4 8 0

14/2/202 0 - 12:45 :50.153

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :50.434

Op en

1 4 8 0

C:\malware.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorj it.dll

14/2/202 0 - 12:45 :50.481

Op en

1 4 8 0

14/2/202 0 - 12:45 :50.622

Op en

1 4 8 0

1

(27)

14/2/202 0 - 12:45 :50.622

Op en

4 8 0

C:\malware.exe C:\malware.exe.Local

14/2/202 0 - 12:45 :50.622

Op en

1 4 8 0

C:\malware.exe C:\Windows\winsxs\amd64_microsoft.vc80.crt_1fc8b3b9a1 e18e3b_8.0.50727.4940_none_88df89932faf0bf6

14/2/202 0 - 12:45 :50.622

Un kn ow n

1 4 8 0

14/2/202 0 - 12:45 :50.622

Op en

1 4 8 0

14/2/202 0 - 12:45 :50.903

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :50.950

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :51.512

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :51.606

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\pubpol4.dat

14/2/202 0 - 12:45 :51.606

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC\PublisherPolicy.tme

14/2/202 0 - 12:45 :51.606

Op en

1 4 8 0

14/2/202 0 - 12:45 :51.606

Un kn ow n

1 4 8 0

machine.c onfig

14/2/202 1

(28)

0 - 12:45 :51.606

Op en

4 8 0

14/2/202 0 - 12:45 :51.606

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :51.606

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :51.606

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :51.606

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :51.606

Re ad

1 4 8 0

machine.c onfig

14/2/202 0 - 12:45 :51.653

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste m\9b0f837c5a73d17be9743868915d6115\System.ni.dll

14/2/202 0 - 12:45 :51.793

Un kn ow n

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :51.793

Op en

1 4 8 0

14/2/202 0 - 12:45 :51.793

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :51.840

Re ad

1 4 8 0

System.ni .dll

14/2/202 1

(29)

0 - 12:45 :51.887

Re ad

4 8 0

System.ni .dll

14/2/202 0 - 12:45 :51.934

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :51.981

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.28

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.75

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.122

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.168

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.215

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.262

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.309

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.356

Re ad

1 4 8 0

System.ni .dll

14/2/202 1

(30)

0 - 12:45 :52.403

Re ad

4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.450

Re ad

1 4 8 0

C:\malware.exe

C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste m\9b0f837c5a73d17be9743868915d6115\System.ni.dll

System.ni .dll

14/2/202 0 - 12:45 :52.497

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.543

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.590

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.637

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c5 61934e089

14/2/202 0 - 12:45 :52.825

Un kn ow n

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c5 61934e089

14/2/202 0 - 12:45 :52.825

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.872

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.918

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :52.965

Re ad

1 4 8 0

System.ni .dll

1

(31)

14/2/202 0 - 12:45 :53.12

Re ad

4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.59

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.106

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.153

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.200

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.247

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.293

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.340

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.387

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.434

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.481

Re ad

1 4 8 0

System.ni .dll

14/2/202 1

(32)

0 - 12:45 :53.528

Re ad

4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.575

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.622

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.668

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.715

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.762

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.809

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :53.856

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.903

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.950

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :53.997

Re ad

1 4 8 0

System.ni .dll

14/2/202 Re

1

4 C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste System.ni

(33)

0 - 12:45 :54.43

ad 8 0

C:\malware.exe m\9b0f837c5a73d17be9743868915d6115\System.ni.dll .dll

14/2/202 0 - 12:45 :54.90

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.137

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.184

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.231

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.278

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.325

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.372

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :54.418

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.465

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.512

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 Re

1

(34)

0 - 12:45 :54.559

ad 8 0

14/2/202 0 - 12:45 :54.606

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.653

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.700

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.747

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.793

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.840

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :54.887

Op en

1 4 8 0

C:\malware.exe

C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste m.Core\d5a6b47b56d49e85668104cc5118f1fe\System.Cor e.ni.dll

14/2/202 0 - 12:45 :54.981

Un kn ow n

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :54.981

Op en

1 4 8 0

C:\malware.exe

14/2/202 0 - 12:45 :54.981

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 Re

1

4 C:\malware.exe

C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste

m.Core\d5a6b47b56d49e85668104cc5118f1fe\System.Cor System.C

(35)

:55.28 ad 8 0

e.ni.dll ore.ni.dll

14/2/202 0 - 12:45 :55.75

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.122

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.168

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.215

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.262

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.309

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.356

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.403

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.450

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.497

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 Re

ad 1 4

8 C:\malware.exe

m.Core\d5a6b47b56d49e85668104cc5118f1fe\System.Cor System.C ore.ni.dll

(36)

:55.543 0 e.ni.dll

14/2/202 0 - 12:45 :55.590

Op en

1 4 8 0

C:\malware.exe C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77 a5c561934e089

14/2/202 0 - 12:45 :55.684

Un kn ow n

1 4 8 0

C:\malware.exe

C:\Windows\assembly\GAC_MSIL\System.Core\3.5.0.0__b77 a5c561934e089

14/2/202 0 - 12:45 :55.684

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.731

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.778

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.825

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.872

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.918

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :55.965

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.12

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 Re

ad 1 4

8 C:\malware.exe

(37)

:56.59 0 e.ni.dll

14/2/202 0 - 12:45 :56.106

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.153

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.200

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.247

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.293

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.340

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.387

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.434

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.481

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.528

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 Re

ad 1 4

8 C:\malware.exe

(38)

:56.575 0 e.ni.dll

14/2/202 0 - 12:45 :56.622

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :56.668

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :56.715

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.762

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.809

Re ad

1 4 8 0

C:\malware.exe

System.C ore.ni.dll

14/2/202 0 - 12:45 :56.856

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :56.903

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :56.950

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :56.997

Re ad

1 4 8 0

mscorlib.

ni.dll

14/2/202 0 - 12:45 :57.43

Re ad

1 4 8 0

System.ni .dll

14/2/202 0 - 12:45 :57.90

Re ad

1 4

8 C:\malware.exe C:\Windows\assembly\NativeImages_v2.0.50727_64\Syste m\9b0f837c5a73d17be9743868915d6115\System.ni.dll

System.ni .dll