Report #13267

(1)

Binary

DLL False

Size 25.00KB

trid 41.0% Win32 Executable MS Visual C++

36.3% Win64 Executable

8.6% Win32 Dynamic Link Library 5.9% Win32 Executable

2.6% OS/2 Executable

type PE

wordsize 32

Subsystem Windows CLI

Hashes

md5 dd8d09523cdb5610078df64ba4889806

sha1 ddd0091f0639779beba748bf1c2808a5eef71daa

crc32 0xf21aef5e

sha224 7ce199e6de426ee8bda04bc6417b3de944f02e454c00ab4954e4e031

sha256 e5e48338d83f248b77c44e041ef590b4cc1fbb05cb3c72bd65c85b9687d9ae 4a

sha384 ac74a93a8930d8b574b2b121ede8c501cc9e9ae04840456f247e0841910ab 1ae2055c97d504084c411071bdd0b69b9f0

sha512 d8d22ab16e59bfa931c0324c9fdad339ecde7c1b437950205ed786ade4b96 66cbe2503f56140dea2148c89046d61ad5d5b11534148fa87a467a9dd84c4 9450a8

ssdeep 384:Gx59osEt80onfateiLeoW6LOpa8pWrch/NH2I5s+0ZZj/3YqE4dWXgNWj:

Gx5udHhOp3YU55WZZj/39NhS

Report #13267

Creation Date: Aug. 20, 2021, 2:24 a.m.

Last Update: Aug. 20, 2021, 1:47 p.m.

File:

netiougc.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches VC8_Microsoft_Corporation, domain, IP, contentis_base64, Microsoft_Visual_

Cpp_8, Visual_Cpp_2005_Release_Microsoft, HasDebugData, IsConsole, mal doc_find_kernel32_base_method_1, IsPE32, HasRichSignature

Suspicious True

Imports

NSI.dll NsiSetAllParameters, NsiSetAllPersistentParametersWithMask, NsiGetAllPara meters, NsiGetAllPersistentParametersWithMask

ntdll.dll RtlIpv4StringToAddressW, RtlIpv6StringToAddressW, RtlAllocateHeap, RtlFre eHeap

msvcrt.dll wcschr, _wcsnicmp, _vsnprintf, wcsrchr, iswdigit, _onexit, __dllonexit, _unlo ck, _lock, _except_handler4_common, _controlfp, ?terminate@@YAXXZ, _ini tterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __set_app_type, __

getmainargs, _amsg_exit, __p__commode, _XcptFilter, _stricmp, _strnicmp, f ree, malloc, memset

IPHLPAPI.DLL ConvertInterfaceLuidToNameW, ConvertInterfaceAliasToLuid, ParseNetwork String, InitializeUnicastIpAddressEntry, InternalCreateUnicastIpAddressEntr y, InternalCreateIpForwardEntry2, InitializeIpForwardEntry, ConvertInterfac ePhysicalAddressToLuid, ConvertStringToInterfacePhysicalAddress, ConvertI nterfaceNameToLuidW

dhcpcsvc.DLL DhcpEnableDhcp

api-ms-win-core-file-l1-1-0.dll GetFileAttributesW, CreateDirectoryW, GetFullPathNameW api-ms-win-core-heap-l1-1-0.dll GetProcessHeap, HeapFree, HeapAlloc, HeapSetInformation

api-ms-win-core-synch-l1-1-0.dll LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSection, EnterCri ticalSection

api-ms-win-core-synch-l1-2-0.dll Sleep

api-ms-win-core-string-l1-1-0.dll MultiByteToWideChar

api-ms-win-core-profile-l1-1-0.dl l

QueryPerformanceCounter

(3)

api-ms-win-core-sysinfo-l1-1-0.d ll

GetSystemTimeAsFileTime, GetTickCount64, GetTickCount

api-ms-win-core-registry-l1-1-0.

dll

RegOpenKeyExA, RegCloseKey, RegEnumKeyExA, RegQueryInfoKeyA, RegE numValueA

api-ms-win-service-winsvc-l1-1- 0.dll

OpenServiceA, QueryServiceStatus, StartServiceA, OpenSCManagerA

api-ms-win-core-errorhandling-l 1-1-0.dll

UnhandledExceptionFilter, GetLastError, SetUnhandledExceptionFilter, SetL astError

api-ms-win-core-libraryloader-l1 -2-0.dll

GetModuleFileNameW, GetModuleHandleW, LoadLibraryExW, FreeLibrary, G etProcAddress

api-ms-win-service-managemen t-l1-1-0.dll

CloseServiceHandle

api-ms-win-core-processthreads -l1-1-0.dll

GetCurrentProcessId, GetCurrentThreadId, GetCurrentProcess, TerminatePro cess

api-ms-win-core-processenviron ment-l1-1-0.dll

ExpandEnvironmentStringsW

Strings

List

netiougc.pdb

onecore\base\ntsetup\lib\unattendlog\src\unattendlog.cpp TCPIP: Failed adding IP address '%s' to interface: 0x%x.

TCPIP: Failed to open the root registry key (named '%s') for all Netio Unattend settings: 0x%x.

TCPIP: Failed to open subkey '%s' (number %d of %d) under the registry key named '%s': 0x%x TCPIP: Failed to enumerate value %d of %d under the registry key named '%s': 0x%x.

api-ms-win-core-registry-l1-1-0.dll

TCPIP: Failed to query information for the '%s' registry key.

TCPIP: Error while processing the the '%s' registry key.

TCPIP: Error querying for information about the registry key named '%s': 0x%x

TCPIP: Failed to enumerate subkey %d of %d under the registry key named '%s': 0x%x.

TCPIP: Error processing values under '%s' registry key: 0x%x.

TCPIP: Error processing subkeys under '%s' registry key: 0x%x.

wdscore.dll ntdll.dll netiougc.exe netiougc.exe

TCPIP: Consumer %d accepted the value named '%s' (under '%s').

TCPIP: No consumer accepted the value named '%s' (under '%s').

TCPIP: Failed to add the constructed route table entry to the stack: 0x%x.

TCPIP: Returning from context %d ('%s') to context %d ('%s').

TCPIP: Consumer %d REJECTED the value named '%s' (under '%s') with status 0x%x.

Software\Microsoft\Windows NT\CurrentVersion\UnattendSettings\Netio TCPIP: Unable to transition to subkey '%s' (under '%s'): 0x%x.

TCPIP: Failed parsing IP address '%s': 0x%x.

TCPIP: Failed parsing route prefix '%s': 0x%x.

TCPIP: Transition to context %d accepted for key '%s'.

(4)

TCPIP: Encountered an error during Netio Unattend processing: 0x%x.

name="Microsoft.Windows.Net.NetIO.NetIOUGC"

api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll api-ms-win-core-sysinfo-l1-1-0.dll

api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll

api-ms-win-core-profile-l1-1-0.dll

api-ms-win-service-management-l1-1-0.dll api-ms-win-core-file-l1-1-0.dll

api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-service-winsvc-l1-1-0.dll Service %s is already running

OpenSCManager failed due to error %u _wcsnicmp

_strnicmp dhcpcsvc.DLL

IcmpRedirectsEnabled

_stricmp DhcpEnabled

CreatePath: Unable to create parent directory for [%s]; GLE = 0x%x GetProcAddress

CreatePath: Unable to create [%s]; GLE = 0x%x WSSh

DHCP Interfaces

TerminateProcess

StartService %s failed due to error %u OpenService %s failed due to error %u FreeLibrary

CreateDirectoryW LoadLibraryExW StartServiceA RegOpenKeyExA GetModuleFileNameW OpenSCManagerA RegEnumKeyExA GetModuleHandleW OpenServiceA

QueryPerformanceCounter

QueryServiceStatus %s failed due to error %u Service %s failed to start due to timeout.

GetTickCount Sleep

Service %s is succesfully started

TCPIP: Failed to allocate memory for a route table entry -- rejecting transition.

TCPIP: HeapSetInformation failed, bailing out

%windir%\Panther\UnattendGC

<description>Netio Unattend Generic Command</description>

<requestedExecutionLevel DhcpEnableDhcp

GetProcessHeap version="5.1.0.0"

Netio Unattend Generic Command

(5)

IPHLPAPI.DLL __p__commode type="win32"

10.0.19041.746 _initterm

0 0(040@0H0P0T0d0 __p__fmode

.CRT$XIAA .CRT$XCAA

<assemblyIdentity __setusermatherr _controlfp

__set_app_type __dllonexit

Foremost

Matches 0.exe, 25 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: False Suspicious

hasAllowed: False hasSuspicious: False

Files Allowed: wdscore.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-service- management-l1-1-0.dll, NSI.dll, msvcrt.dll, api-ms-win-service-winsvc-l1-1-0 .dll, dhcpcsvc.DLL, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-proc essenvironment-l1-1-0.dll, IPHLPAPI.DLL, api-ms-win-core-processthreads-l1 -1-0.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, a pi-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-wi n-core-file-l1-1-0.dll, ntdll.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api- ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll hasFiles: True

Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

(6)

RVA: 16

Suspicious: False Code

Size: 9216

Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 8192 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 59150

Suspicous: False

Sections Allowed: .text, .data, .idata, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 10

Suspicious: False Image

Version: False Suspicious: 10 Linker

Version: 14.20 Suspicious: False Subsystem

Version: 10.0 Suspicious: False Suspicious: False

EntryPoint Address: 18336

Suspicious: False

(7)

Anomalies Anomalies

hasAnomalies: False

Libraries Allowed: wdscore.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-service- management-l1-1-0.dll, nsi.dll, msvcrt.dll, api-ms-win-service-winsvc-l1-1-0.

dll, dhcpcsvc.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-proces senvironment-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms- win-core-heap-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core- profile-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-file-l1-1- 0.dll, ntdll.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms-win-core-sysi nfo-l1-1-0.dll

hasLibs: True

Suspicious: iphlpapi.dll, api-ms-win-core-libraryloader-l1-2-0.dll hasAllowed: True

hasSuspicious: True

Timestamp Past: False

Valid: True

Value: 2058-04-04 16:32:56 Future: True

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushret .text: 1

pushpopmath .text: 1

.reloc: 2

(8)

garbagebytes .text: 1

programcontrolflowchange .text: 1

cpuinstructionsresultscomparison .idata: 1

AVclass

None 1

VirusTotal

md5 dd8d09523cdb5610078df64ba4889806

sha1 ddd0091f0639779beba748bf1c2808a5eef71daa

SCANS (DETECTION RATE = 0.00%)

CMC update: 20210506

version: 2.10.2019.1 detected: False

MAX update: 20210610

APEX update: 20210607

version: 6.172 detected: False

Bkav update: 20210609

K7GW update: 20210610

version: 11.187.37414 detected: False

ALYac update: 20210610

Avast update: 20210609

version: 21.1.5827.0

(9)

detected: False

Avira update: 20210610

Baidu update: 20190318

Cynet update: 20210610

Cyren update: 20210610

DrWeb update: 20210610

GData update: 20210610

version: A:25.29915B:27.23311 detected: False

Panda update: 20210609

VBA32 update: 20210609

VIPRE update: 20210610

version: 93188 detected: False

Zoner update: 20210609

ClamAV update: 20210609

(10)

Comodo update: 20210610 version: 33608 detected: False

Ikarus update: 20210609

Lionic update: 20210610

McAfee update: 20210610

Rising update: 20210610

Sophos update: 20210610

Yandex update: 20210609

Zillya update: 20210609

Acronis update: 20210512

Alibaba update: 20190527

Arcabit update: 20210610

(11)

Cylance update: 20210610 version: 2.3.1.101 detected: False

Elastic update: 20210524

FireEye update: 20210610

Sangfor update: 20210607

TACHYON update: 20210610

version: 2021-06-10.02 detected: False

Tencent update: 20210610

ViRobot update: 20210610

Webroot update: 20210610

eGambit update: 20210610

detected: False

Ad-Aware update: 20210610

Emsisoft update: 20210610

F-Secure update: 20210610

version: 12.0.86.52

(12)

detected: False

Fortinet update: 20210610

Jiangmin update: 20210610

Kingsoft update: 20210610

Paloalto update: 20210610

Symantec update: 20210610

AhnLab-V3 update: 20210610

Antiy-AVL update: 20210610

Kaspersky update: 20210610

MaxSecure update: 20210610

Microsoft update: 20210610

Qihoo-360 update: 20210610

(13)

ZoneAlarm update: 20210610 version: 1.0 detected: False

Cybereason update: 20210330

ESET-NOD32 update: 20210610

version: 23438 detected: False

Gridinsoft update: 20210610

TrendMicro update: 20210610

BitDefender update: 20210610

CrowdStrike update: 20210203

K7AntiVirus update: 20210610

SentinelOne update: 20210518

Malwarebytes update: 20210610

CAT-QuickHeal update: 20210610

(14)

NANO-Antivirus update: 20210610 version: 1.0.146.25311 detected: False

BitDefenderTheta update: 20210602 version: 7.2.37796.0 detected: False

MicroWorld-eScan update: 20210610 version: 14.0.409.0 detected: False

SUPERAntiSpyware update: 20210605 version: 5.6.0.1032 detected: False

McAfee-GW-Edition update: 20210610 version: v2019.1.2+3728 detected: False

TrendMicro-HouseCall update: 20210610 version: 10.0.0.1040 detected: False

total 69

sha256 e5e48338d83f248b77c44e041ef590b4cc1fbb05cb3c72bd65c85b9687d9ae 4a

scan_id e5e48338d83f248b77c44e041ef590b4cc1fbb05cb3c72bd65c85b9687d9ae 4a-1623315677

resource dd8d09523cdb5610078df64ba4889806

permalink https://www.virustotal.com/gui/file/e5e48338d83f248b77c44e041ef590b4c c1fbb05cb3c72bd65c85b9687d9ae4a/detection/f-e5e48338d83f248b77c44 e041ef590b4cc1fbb05cb3c72bd65c85b9687d9ae4a-1623315677

positives 0

scan_date 2021-06-10 09:01:17

verbose_msg Scan finished, information embedded

response_code 1

File

(15)

Trace

20/8/2021 - 12:45:43 .481

Un kn ow n

4 C:\Users\Behemot\Desktop\desktop.ini

20/8/2021 - 12:45:43 .481

Un kn ow n

4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 12:45:45 .497

Wri

te 4 C:\Windows

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

C:\Windows\System32\

svchost.exe C:\Monitor\WKCD_Load_Use.exe

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

(16)

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A2F27954F4B4C5FD26

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A30415A103D3F52066

(17)

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Re ad

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

20/8/2021 - 12:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Op en

2 9 2 8

Un 2

(18)

20/8/2021 - 12:45:47 .856

kn ow n

9 2 8

e.exe

20/8/2021 - 12:45:47 .856

Wri te

2 5 7 6

C:\Monitor\WKCD_Load_

Use.exe C:\Monitor\Files\Logs\File.log

20/8/2021 - 12:45:47 .903

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

20/8/2021 - 12:45:49 .497

Un kn ow n

4 C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 12:45:49 .497

Wri

te 4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 12:45:49 .497

Un kn ow n

4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 12:45:52 .418

Op en

7 9 6

svchost.exe

C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782 7.pf

20/8/2021 - 12:45:52 .418

Op en

7 9 6

svchost.exe

20/8/2021 - 12:45:52 .418

Wri te

7 9 6

svchost.exe

WKCD_LOAD_U SE.EXE-695C7 827.pf

20/8/2021 - 12:45:52 .418

Un kn ow n

7 9 6

svchost.exe

20/8/2021 - 12:45:52 .434

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 12:45:52 .434

Un kn ow n

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 Op 7 C:\Windows\System32\

(19)

- 12:45:52 .434

en 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 12:45:52 .434

Wri te

7 9 6

20/8/2021 - 12:45:52 .434

Un kn ow n

7 9 6

20/8/2021 - 12:45:52 .856

Op en

2 9 2 8

svchost.exe C:\Windows\System32\conhost.exe

20/8/2021 - 12:45:52 .856

Op en

2 9 2 8

20/8/2021 - 12:45:52 .856

Op en

2 9 2 8

20/8/2021 - 12:45:52 .856

Op en

2 9 2 8

20/8/2021 - 12:45:53 .497

Wri

te 4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

20/8/2021 - 12:45:53 .497

Wri

te 4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 12:45:53 .497

Wri te

2 5 7 6

20/8/2021 - 12:45:53 .497

Wri te

2 5 7 6

20/8/2021 - 12:45:53 .497

Un kn ow n

4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

Un

(20)

20/8/2021 - 12:45:53 .497

kn ow n

20/8/2021 - 12:45:53 .497

Un kn ow n

20/8/2021 - 12:45:55 .497

Wri

20/8/2021 - 12:45:55 .497

Un kn ow n

20/8/2021 - 12:45:57 .465

Wri

te 4 C:\Monitor

20/8/2021 - 12:46:11 .497

Wri

te 4 C:\Windows\Temp

20/8/2021 - 12:46:17 .465

Wri te

6 8 4

svchost.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat

20/8/2021 - 12:46:18 .215

Wri

te 4 C:\Windows

20/8/2021 - 12:46:19 .481

Wri

te 4 C:\Windows

20/8/2021 - 12:46:27 .418

Wri

te 4 C:\Windows\System32\config\SYSTEM.LOG1

20/8/2021 - 12:46:27 .418

Wri

20/8/2021 - 12:46:27 .418

Wri

20/8/2021 - 12:46:27 .418

Wri

20/8/2021

(21)

- 12:46:27 .418

Wri te

4 C:\Windows\System32\config\SYSTEM

20/8/2021 - 12:46:27 .418

Wri

te 4 C:\Windows\System32\config\SYSTEM

20/8/2021 - 12:46:27 .418

Wri

20/8/2021 - 12:46:27 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

te 4 C:\System Volume Information\Syscache.hve.LOG1

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

(22)

20/8/2021 - 12:46:32 .418

Wri

te 4 C:\System Volume Information\Syscache.hve

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri

20/8/2021 - 12:46:32 .418

Wri te

2 5 7 6

20/8/2021 - 12:46:32 .512

Wri

20/8/2021 - 12:46:35 .450

Wri

20/8/2021 - 12:46:35 .450

Un kn ow n

(23)

20/8/2021 - 12:46:55 .715

Op en

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 12:46:55 .715

Un kn ow n

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 12:47:17 .465

Wri te

6 8 4

svchost.exe

20/8/2021 - 12:47:27 .559

Op en

1 8 6 4

C:\Windows\explorer.ex

e C:\

20/8/2021 - 12:47:27 .559

Un kn ow n

1 8 6 4

e C:\

20/8/2021 - 12:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 12:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 12:47:32 .809

Un kn ow n

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 12:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot\AppData\Roaming

20/8/2021 - 12:47:32 .809

Op en

1 8 6 4

20/8/2021 - 12:47:32 .809

Un kn ow n

1 8 6 4

20/8/2021 - 12:47:32 Op

en 1 8 6

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes

(24)

.809 4

20/8/2021 - 12:47:32 .809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes\slideshow.ini

20/8/2021 - 12:47:35 .856

Op en

7 9 6

svchost.exe C:\Windows\CSC\v2.0.6\namespace

20/8/2021 - 12:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 12:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 12:47:35 .856

Op en

7 9 6

svchost.exe \Device\Mup\.\.\

20/8/2021 - 12:47:35 .856

Op en

7 9 6

20/8/2021 - 12:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 12:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 12:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 12:47:41 .28

Re ad

1 2 3 2

C:\Program Files\Windo ws Media Player\wmpn etwk.exe

C:\Program Files\Windows Media Player\wmpnetwk.e xe

20/8/2021 - 12:47:41 .28

Wri te

2 5 7 6

2

(25)

20/8/2021 - 12:47:41 .28

Wri te

5 7 6

Use.exe

C:\Monitor\Files\Logs\File.log

20/8/2021 - 12:47:44 .59

Wri

20/8/2021 - 12:47:44 .59

Un kn ow n

20/8/2021 - 12:48:11 .309

Op

en 4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021 - 12:48:11 .309

Un kn ow n

4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021 - 12:48:13 .59

Op

en 4 C:\System Volume Information

20/8/2021 - 12:48:13 .59

Op

en 4 C:\System Volume Information\{3808876b-c176-4e4 8-b7ae-04046e6cc752}

20/8/2021 - 12:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7ec-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 - 12:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7f0-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 - 12:48:13 .59

Un kn ow n

4 C:\System Volume Information

20/8/2021 - 12:48:17 .481

Wri te

6 8 4

svchost.exe

20/8/2021 - 12:48:25 .887

Op en

7 9 6

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

(26)

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 12:48:25 .887

Op en

7 9 6

20/8/2021 - 12:48:25 .887

Op en

7 9 6

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 12:48:25 .887

Op en

7 9 6

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 12:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Windows\System32\t askhost.exe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.IE5\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

Temporary Internet Files\Content.IE5\container.dat container.dat

20/8/2021 - 12:49:20 Op

1

7 C:\Windows\System32\t C:\Users\Behemot\AppData\Local\Microsoft\Windows\

(27)

.684 en 9 6

askhost.exe History\History.IE5\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

History\History.IE5\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca che\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca

che\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatCache\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo

ws\IECompatCache\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatUACache\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

ws\IECompatUACache\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\DNTException\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

ws\DNTException\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Cookies\container.dat

20/8/2021 - 12:49:20

Un kn ow

1 7 9

ws\Cookies\container.dat container.dat

(28)

.684 n 6

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieSiteList\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E

xplorer\EmieSiteList\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieUserList\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

xplorer\EmieUserList\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\DOMStore\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

xplorer\DOMStore\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IEDownloadHistory\container.dat

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

ws\IEDownloadHistory\container.dat container.dat

20/8/2021 - 12:49:20 Op

en 1 7 9

AppCache\B2419NGQ\container.dat

(29)

.684 6

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

AppCache\B2419NGQ\container.dat container.dat

20/8/2021 - 12:49:20 .684

Op en

1 7 9 6

WebCache

20/8/2021 - 12:49:20 .684

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 12:49:20 .684

Wri te

2 5 7 6

20/8/2021 - 12:49:20 .684

Wri te

2 5 7 6

20/8/2021 - 12:49:20 .731

Wri te

1 7 9 6

WebCache\WebCacheV01.dat

20/8/2021 - 12:49:20 .731

Wri

te 4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

20/8/2021 - 12:49:20 .825

Wri te

1 7 9 6

20/8/2021 - 12:49:20 .825

Wri

20/8/2021 - 12:49:20 .918

Wri te

1 7 9 6

20/8/2021 - 12:49:20 .918

Wri

20/8/2021 1

(30)

- 12:49:20 .918

Wri te

7 9 6

WebCache\V01.log

20/8/2021 - 12:49:20 .918

Wri

WebCache\V01.log

20/8/2021 - 12:49:20 .918

Re ad

1 7 9 6

20/8/2021 - 12:49:20 .965

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 12:49:20 .965

Wri

WebCache\V01.log

20/8/2021 - 12:49:20 .965

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 12:49:20 .965

Wri

WebCache\V01.log

20/8/2021 - 12:49:21 .12

Wri te

1 7 9 6

20/8/2021 - 12:49:21 .12

Wri

20/8/2021 - 12:49:21 .59

Op en

1 7 9 6

20/8/2021 - 12:49:21 .59

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:21 .59

Op en

1 7 9 6

WebCache

(31)

20/8/2021 - 12:49:21 .59

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 12:49:21 .59

Op en

1 7 9 6

20/8/2021 - 12:49:21 .59

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:21 .59

Wri te

2 5 7 6

20/8/2021 - 12:49:23 .684

Wri

20/8/2021 - 12:49:23 .684

Un kn ow n

20/8/2021 - 12:49:25 .887

Un kn ow n

2 3 6 0

audiodg.exe C:\Windows

20/8/2021 - 12:49:30 .747

Wri te

1 7 9 6

20/8/2021 - 12:49:30 .747

Wri

20/8/2021 - 12:49:30 .793

Wri te

1 7 9 6

20/8/2021 - 12:49:30 .793

Wri

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache\V01.chk

(32)

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

WebCache

(33)

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

C:\Windows\System32\t

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

1

(34)

20/8/2021 - 12:49:30 .840

Op en

7 9 6

C:\Users\Behemot\AppData\Local\Microsoft

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 Un 1

(35)

- 12:49:30 .840

kn ow n

7 9 6

C:\Users\Behemot\AppData\Local

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 Un 1

(36)

- 12:49:30 .840

kn ow n

7 9 6

C:\Users\Behemot\AppData

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 Un 1

(37)

- 12:49:30 .840

kn ow n

7 9 6

C:\Users\Behemot

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

askhost.exe C:\Users

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 - 12:49:30 .840

Un kn ow n

1 7 9 6

20/8/2021 - 12:49:30 .840

Op en

1 7 9 6

20/8/2021 Un kn

1

7 C:\Windows\System32\t

(38)

- 12:49:30 .840

ow n

9 6

20/8/2021 - 12:49:30 .840

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Wri

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Wri te

2 5 7 6

20/8/2021 - 12:49:30 .840

Wri te

2 5 7 6

20/8/2021 - 12:49:30 .840

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Wri

WebCache\V01.chk

20/8/2021 - 12:49:30 .840

Wri te

2 5 7 6

20/8/2021 - 12:49:30 .840

Wri te

2 5 7 6

20/8/2021 - 12:49:30 .856

Op en

7 9 6

20/8/2021 - 12:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 12:49:30 .856

Un kn ow n

7 9 6

(39)

20/8/2021 - 12:49:30 .856

Op en

7 9 6

20/8/2021 - 12:49:30 .856

Op en

7 9 6

20/8/2021 - 12:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 12:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 12:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 12:49:31 .497

Wri

20/8/2021 - 12:49:31 .497

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

20/8/2021 - 12:49:31 .497

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

20/8/2021 - 12:49:31 .590

Un kn ow n

20/8/2021 - 12:49:32 .481

Wri te

6 8 4

svchost.exe

Process

Trace

20/8/2021 - 12:49:25.8 87

Terminat e

68 4

C:\Windows\System32\svchost.e xe

236 0

C:\Windows\System32\audiodg.e xe

(40)

Analysis

Reason Timeout

Status Sucessfully Executed

Results 1

Registry

Trace

20/8/2021 - 12:4 6:22.418

Wr

ite 4 \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObj

ectStore\LruList CurrentLru

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000ED ObjectId

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000ED ObjectLru

20/8/2021 - 12:4 6:22.418

Wr

ectStore\ObjectTable\1E _ObjectLru_

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000E8 ObjectId

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000E8 ObjectLru

20/8/2021 - 12:4 6:22.418

Wr

ectStore\ObjectTable\3E _ObjectLru_

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000EB ObjectId

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000EB ObjectLru

20/8/2021 - 12:4 6:22.418

Wr

ectStore\ObjectTable\3F _ObjectLru_

20/8/2021 - 12:4 6:22.418

Wr

ectStore\LruList\00000000000000F0 ObjectId

20/8/2021 - 12:4 Wr 4

\REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObj

ObjectLru

(41)

6:22.418 ite ectStore\LruList\00000000000000F0

20/8/2021 - 12:4 6:22.418

Wr

ectStore\ObjectTable\40 _ObjectLru_

20/8/2021 - 12:4 6:23.872

Wr

ite 4 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b 1a-11d4-9123-0050047759bc}\22

20/8/2021 - 12:4 6:23.872

Wr

ffffffffffffffffffffff ffffffff00

20/8/2021 - 12:4 6:23.872

Wr

20/8/2021 - 12:4 6:23.872

Wr

20/8/2021 - 12:4 6:23.872

Wr

File Summary

Created Identified: True

Deleted Identified: False

Process Summary

Created Identified: False

Deleted Identified: True

Registry Summary

Proxy Identified: False

AutoRun Identified: False

Created Identified: True

Deleted Identified: False

(42)

Browsers Identified: False

Internet Identified: False

DNS

Query

Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS False

TCP False

UDP False

HTTP False

(43)

Results

BINARY

NFS 2.0 (Threshold = 0.8) confidence: 90.00%

suspicious: False

NFS 3.0 (Threshold = 0.75) confidence: 75.33%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 98.75%

Random Forest (100 estimators, NFS-BRMalware) confidence: 76.00%

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 46.17%

LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 100.00%