Report #13320

(1)

Binary

DLL False

Size 76.50KB

trid 41.0% Win32 Executable MS Visual C++

36.3% Win64 Executable

8.6% Win32 Dynamic Link Library 5.9% Win32 Executable

2.6% OS/2 Executable

type PE

wordsize 32

Subsystem Windows CLI

Hashes

md5 9d71dbdd3ad017ec69554acf9caadd05

sha1 0989525dda5f937a4895f2a53a4319ff16890b03

crc32 0x5cd939e1

sha224 f4b5e4b9b0c4917e4b523ba6661226ab305d6d6f07004b463ab53130

sha256 7b48d1d9eb8ecc4e59f76cabac1a9e009e5a39f0524fa8eea29a3acbc8cd32 c1

sha384 f103d13f06de46e4e5cf64484e16d97efd609e1f0230c889aa75fdc5f821af2d 8ce9f1123eecfa907de4a16df7d2fa06

sha512 d145d011d8e344a650d4e60579bd0ce5d8bd33645342ca20f44d62013b6b dc4935f4e2e272d80410e17b3d2464d3c9b1e8fda2a3657e0606f301cf24b9 45b1b3

ssdeep 1536:shBwU9X3QNgjjy8uAQBc2vkgNszy+yfPildu/iaxczLMYe4/z0ls:wwUp3zO vAK5Ky9iQiaxULMYeCC

Report #13320

Creation Date: Aug. 20, 2021, 1:26 p.m.

Last Update: Aug. 20, 2021, 5:43 p.m.

File:

powercfg.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches VC8_Microsoft_Corporation, domain, DebuggerException__SetConsoleCtrl, I P, contentis_base64, Microsoft_Visual_Cpp_8, Visual_Cpp_2005_Release_Mic rosoft, HasDebugData, IsConsole, maldoc_find_kernel32_base_method_1, Is PE32, HasRichSignature

Suspicious True

Imports

ntdll.dll NtCreateFile, NtQueryObject, RtlFreeHeap, RtlInitUnicodeString, RtlAllocate Heap, RtlNtStatusToDosError, NtPowerInformation, RtlLoadString

RPCRT4.dll RpcStringFreeW, UuidFromStringW, UuidEqual, UuidToStringW

msvcrt.dll _except_handler4_common, _controlfp, ?terminate@@YAXXZ, ??1type_info

@@UAE@XZ, _initterm, __setusermatherr, __p__fmode, _cexit, _exit, exit, __

set_app_type, memmove, _amsg_exit, __p__commode, _XcptFilter, free, _ca llnewh, malloc, fprintf, fflush, _wtoi, _wcstoui64, _wcsnicmp, _ui64tow_s, _it ow_s, _vsnwprintf, _purecall, wcstoul, wcscat_s, wcscpy_s, _wcsicmp, __Cxx FrameHandler3, __iob_func, memcpy, memcmp, _CxxThrowException, swpr intf_s, __wgetmainargs, memset

POWRPROF.dll DevicePowerEnumDevices, PowerInformationWithPrivileges, PowerGetAdap tiveStandbyDiagnostics, PowerEnumerate, PowerReadValueIncrement, Pow erReadFriendlyName, PowerGetOverlaySchemes, PowerPolicyToGUIDFormat , PowerWriteDCDefaultIndex, PowerReadValueMin, PowerRemovePowerSetti ng, PowerRestoreIndividualDefaultPowerScheme, ReadPwrScheme, PowerR eadValueUnitsSpecifier, PowerRestoreDefaultPowerSchemes, PowerReadVal ueMax, PowerReadACValueIndexEx, PowerWriteValueMax, PowerReplaceDef aultPowerSchemes, PowerSetActiveOverlayScheme, PowerReadPossibleFrie ndlyName, PowerWritePossibleValue, PowerReadPossibleValue, PowerWriteV alueIncrement, PowerDeleteScheme, PowerWriteValueMin, PowerWriteDesc ription, PowerReadSecurityDescriptor, PowerWriteSecurityDescriptor, Power DuplicateScheme, PowerReadDCValueIndexEx, PowerWriteACDefaultIndex, GetActivePwrScheme, PowerWriteSettingAttributes, PowerWriteFriendlyNam e, DevicePowerOpen, PowerApplyPowerRequestOverride, PowerReadDCValu eIndex, PowerGetActualOverlayScheme, DevicePowerClose, PowerOpenUse rPowerKey, PowerReadSettingAttributes, DevicePowerSetDeviceState, Powe rReadACValueIndex, PowerImportPowerScheme

api-ms-win-core-file-l1-1-0.dll FileTimeToLocalFileTime, GetFinalPathNameByHandleW, FindClose, GetFullP athNameW, FindFirstFileW, GetFileAttributesW, CreateFileW, DeleteFileW, G etFileType

(3)

api-ms-win-core-file-l1-2-0.dll GetTempPathW

api-ms-win-core-heap-l1-1-0.dll HeapAlloc, GetProcessHeap, HeapSetInformation, HeapFree api-ms-win-core-path-l1-1-0.dll PathCchAppend, PathCchRemoveBackslash

api-ms-win-core-synch-l1-1-0.dll ReleaseSRWLockExclusive, AcquireSRWLockExclusive api-ms-win-core-synch-l1-2-0.dll Sleep

api-ms-win-power-base-l1-1-0.dl l

GetPwrCapabilities

api-ms-win-core-handle-l1-1-0.d ll

CloseHandle

api-ms-win-core-memory-l1-1-0.

dll

VirtualQuery, VirtualProtect

api-ms-win-core-string-l1-1-0.dll WideCharToMultiByte, CompareStringOrdinal

api-ms-win-core-console-l1-1-0.

dll

SetConsoleCtrlHandler, GetConsoleMode, WriteConsoleW, GetConsoleOutp utCP

api-ms-win-core-profile-l1-1-0.dl l

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0.d ll

GetSystemInfo, GetSystemTimeAsFileTime, GetTickCount

api-ms-win-core-datetime-l1-1-0 .dll

GetTimeFormatW, GetDateFormatW

api-ms-win-core-registry-l1-1-0.

dll

RegEnumValueW, RegQueryInfoKeyW, RegGetValueW, RegSetValueExW, Re gCloseKey, RegOpenKeyExW, RegCreateKeyExW, RegDeleteValueW

api-ms-win-core-registry-l2-1-0.

dll

RegSaveKeyW

api-ms-win-core-timezone-l1-1- 0.dll

FileTimeToSystemTime

api-ms-win-power-setting-l1-1-0 .dll

PowerGetActiveScheme, PowerWriteDCValueIndex, PowerSetActiveScheme, PowerWriteACValueIndex

api-ms-win-security-base-l1-1-0.

dll

GetTokenInformation, AdjustTokenPrivileges

api-ms-win-service-private-l1-1- 0.dll

I_QueryTagInformation

api-ms-win-core-localization-l1- 2-0.dll

FormatMessageW

(4)

api-ms-win-eventing-provider-l1 -1-0.dll

EventWriteTransfer, EventSetInformation, EventUnregister, EventRegister

api-ms-win-core-errorhandling-l 1-1-0.dll

UnhandledExceptionFilter, RaiseException, SetUnhandledExceptionFilter, G etLastError

api-ms-win-core-heap-obsolete-l 1-1-0.dll

LocalFree, LocalAlloc

api-ms-win-core-libraryloader-l1 -2-0.dll

GetModuleHandleW, LoadLibraryExA, GetProcAddress, LoadStringW, FreeLib rary, LoadLibraryExW

api-ms-win-core-libraryloader-l1 -2-1.dll

LoadLibraryW

api-ms-win-security-lsalookup-l 2-1-0.dll

LookupPrivilegeValueW

api-ms-win-core-processthreads -l1-1-0.dll

GetCurrentProcessId, OpenProcessToken, TerminateProcess, GetCurrentThre adId, GetCurrentProcess

api-ms-win-core-string-obsolete -l1-1-0.dll

lstrcmpiW

api-ms-win-core-processenviron ment-l1-1-0.dll

GetStdHandle

Strings

List

powercfg.pdb u.Sj

name="Microsoft.Windows.CmdLine.PowerCfg"

api-ms-win-core-registry-l2-1-0.dll api-ms-win-core-registry-l1-1-0.dll t.Sh`K@

api-ms-win-security-lsalookup-l2-1-0.dll battery-report.xml

sleepstudy-report.html sleepstudy-report.xml

system-sleep-diagnostics.xml system-sleep-diagnostics.html DEVOBJ.dll

api-ms-win-security-base-l1-1-0.dll bamsettingsclient.dll

srumutil.xml srumutil.csv battery-report.html energy-report.xml energy-trace.etl POWRPROF.dll ntdll.dll PowerCfg.exe PowerCfg.exe

(5)

energy-report.html

SYSTEM\CurrentControlSet\Control\Session Manager\Power [DRIVER]

[DRIVER]

Microsoft.Windows.Power.PowercfgExe api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-heap-obsolete-l1-1-0.dll api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-string-obsolete-l1-1-0.dll api-ms-win-core-processenvironment-l1-1-0.dll api-ms-win-core-console-l1-1-0.dll

api-ms-win-core-sysinfo-l1-1-0.dll Delete

List

PERFBOOSTMODE reduced

api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-core-libraryloader-l1-2-1.dll api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll

api-ms-win-core-timezone-l1-1-0.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-datetime-l1-1-0.dll api-ms-win-core-memory-l1-1-0.dll api-ms-win-power-setting-l1-1-0.dll api-ms-win-core-file-l1-2-0.dll api-ms-win-core-file-l1-1-0.dll - Error Code: 0x%X.

- Battery: %d%%.

api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-path-l1-1-0.dll api-ms-win-core-heap-l1-1-0.dll api-ms-win-service-private-l1-1-0.dll api-ms-win-eventing-provider-l1-1-0.dll SUB_SLEEP

- Hibernate Timeout: %d seconds.

ext-ms-win-rtcore-ntuser-sysparams-l1-1-0.dll ATTRIB_HIDE

api-ms-win-core-handle-l1-1-0.dll api-ms-win-power-base-l1-1-0.dll

System\CurrentControlSet\Control\Power\PowerRequestOverride This command should be run when the power source is DC.

Application: %s [PROCESS]

[PROCESS]

[SERVICE]

SeBackupPrivilege _wcsnicmp

_wcsicmp

SOFTPARKLATENCY

hibernate-timeout-dc hibernate-timeout-ac

- Query Begin System Time: %04d/%02d/%02d %02d:%02d:%02d.%03d - Query End System Time: %04d/%02d/%02d %02d:%02d:%02d.%03d - Simulated Battery Percentage Consumed InStandby: %d%%.

- Effective Reserve Battery Percentage: %d%%.

(6)

- Battery Percentage Budget: %d%%.

EeUtilCommand CommandLine

- Percentage Cap: %d%%.

EXECUTION

PROCTHROTTLEMAX1 PROCTHROTTLEMIN1 - Low Battery Level: %d%%.

- Battery Full Charge Capacity: %d mWh.

Execution GetProcAddress

- SRUM Error Code: 0x%X.

- EstimatedRemainingActiveDcTime: %d seconds.

EXECTIME

REMOTEFILESLEEP PROCTHROTTLEMIN PROCTHROTTLEMAX

Foremost

Matches 0.exe, 76 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: False Suspicious

hasAllowed: False hasSuspicious: False

Files Allowed: bamsettingsclient.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-wi n-core-path-l1-1-0.dll, api-ms-win-core-libraryloader-l1-2-1.dll, POWRPROF.dl l, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-localization-l1-2-0.dll, nt dll.dll, api-ms-win-security-lsalookup-l2-1-0.dll, api-ms-win-core-console-l1-1 -0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-handle-l1-1-0.dll, a pi-ms-win-core-registry-l2-1-0.dll, api-ms-win-core-string-obsolete-l1-1-0.dll, api-ms-win-core-timezone-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.

dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-datetime-l1-1-0.dll, D EVOBJ.dll, api-ms-win-eventing-provider-l1-1-0.dll, RPCRT4.dll, api-ms-win-c ore-processenvironment-l1-1-0.dll, msvcrt.dll, api-ms-win-core-heap-l1-1-0.

dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-core-heap-obsolete-l1-1- 0.dll, api-ms-win-core-file-l1-2-0.dll, api-ms-win-power-setting-l1-1-0.dll, api- ms-win-core-registry-l1-1-0.dll, api-ms-win-power-base-l1-1-0.dll, api-ms-wi n-service-private-l1-1-0.dll, api-ms-win-core-memory-l1-1-0.dll, ext-ms-win-r

(7)

tcore-ntuser-sysparams-l1-1-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win -core-errorhandling-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win -core-libraryloader-l1-2-0.dll

hasFiles: True

Suspicious: battery-report.xml, system-sleep-diagnostics.xml, sleepstudy- report.xml, srumutil.xml, energy-report.xml

hasAllowed: True hasSuspicious: True

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 23040

Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 8192 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 88232

Suspicous: False

Sections Allowed: .text, .data, .idata, .didat, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 10

Suspicious: False Image

Version: False Suspicious: 10

(8)

Linker

Version: 14.20 Suspicious: False Subsystem

Version: 10.0 Suspicious: False Suspicious: False

EntryPoint Address: 59600

Suspicious: False

Anomalies Anomalies

hasAnomalies: False

Libraries Allowed: api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-path-l1-1-0.dll, powrprof.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-localization-l 1-2-0.dll, ntdll.dll, api-ms-win-security-lsalookup-l2-1-0.dll, api-ms-win-core- console-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-handle- l1-1-0.dll, api-ms-win-core-registry-l2-1-0.dll, api-ms-win-core-string-obsolet e-l1-1-0.dll, api-ms-win-core-timezone-l1-1-0.dll, api-ms-win-core-processthr eads-l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-datetime- l1-1-0.dll, devobj.dll, api-ms-win-eventing-provider-l1-1-0.dll, rpcrt4.dll, api- ms-win-core-processenvironment-l1-1-0.dll, msvcrt.dll, api-ms-win-core-hea p-l1-1-0.dll, api-ms-win-security-base-l1-1-0.dll, api-ms-win-core-heap-obsol ete-l1-1-0.dll, api-ms-win-core-file-l1-2-0.dll, api-ms-win-power-setting-l1-1- 0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-power-base-l1-1-0.dll, a pi-ms-win-service-private-l1-1-0.dll, api-ms-win-core-memory-l1-1-0.dll, api- ms-win-core-file-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll, api-ms- win-core-sysinfo-l1-1-0.dll

hasLibs: True

Suspicious: bamsettingsclient.dll, api-ms-win-core-libraryloader-l1-2-1.dll, ext-ms-win-rtcore-ntuser-sysparams-l1-1-0.dll, api-ms-win-core-libraryloade r-l1-2-0.dll

hasAllowed: True hasSuspicious: True

Timestamp Past: False

Valid: True

Value: 2089-04-19 11:49:18 Future: True

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation XOR: False

Fuzzing: False

(9)

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

ldr .text: 1

pushret .data: 1

.text: 3

pushpopmath .data: 1

.text: 1 .idata: 1 .reloc: 7

garbagebytes .data: 1

.text: 2

programcontrolflowchange .data: 1 .text: 2

cpuinstructionsresultscomparison .text: 1

AVclass

File

Trace

20/8/2021 - 16:45:44 .497

Un kn ow n

4 C:\Users\Behemot\Desktop\desktop.ini

20/8/2021 - 16:45:44

Un kn

ow 4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

(10)

.497 n

20/8/2021 - 16:45:46 .481

Wri

te 4 C:\Users\Behemot

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

C:\Windows\System32\

svchost.exe C:\Monitor\WKCD_Load_Use.exe

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

(11)

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A2F27954F4B4C5FD26

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A30415A103D3F52066

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

2

(12)

20/8/2021 - 16:45:48 .856

Op en

9 2 8

svchost.exe

C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

20/8/2021 - 16:45:48 .856

Re ad

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .856

Op en

2 9 2 8

20/8/2021 - 16:45:48 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 16:45:48 .872

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

20/8/2021 2

(13)

- 16:45:48 .872

Wri te

9 4 8

C:\Monitor\WKCD_Load_

Use.exe

C:\Monitor\Files\Logs\File.log

20/8/2021 - 16:45:50 .465

Un kn ow n

4 C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 16:45:50 .465

Wri

te 4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 16:45:50 .465

Un kn ow n

4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 16:45:53 .434

Op en

7 9 6

svchost.exe

C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782 7.pf

20/8/2021 - 16:45:53 .434

Op en

7 9 6

svchost.exe

20/8/2021 - 16:45:53 .434

Wri te

7 9 6

svchost.exe

WKCD_LOAD_U SE.EXE-695C7 827.pf

20/8/2021 - 16:45:53 .434

Un kn ow n

7 9 6

svchost.exe

20/8/2021 - 16:45:53 .450

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 16:45:53 .450

Un kn ow n

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 16:45:53 .450

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 16:45:53 .450

Wri te

7 9 6

20/8/2021 - 16:45:53

Un kn ow

7

9 C:\Windows\System32\

(14)

.450 n 6

20/8/2021 - 16:45:53 .856

Op en

2 9 2 8

svchost.exe C:\Windows\System32\conhost.exe

20/8/2021 - 16:45:53 .856

Op en

2 9 2 8

20/8/2021 - 16:45:53 .856

Op en

2 9 2 8

20/8/2021 - 16:45:53 .856

Op en

2 9 2 8

20/8/2021 - 16:45:53 .856

Wri te

2 9 4 8

Use.exe C:\Monitor\Files\Logs\File.log

20/8/2021 - 16:45:53 .856

Wri te

2 9 4 8

20/8/2021 - 16:45:54 .465

Wri

te 4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

20/8/2021 - 16:45:54 .465

Wri

te 4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 16:45:54 .465

Un kn ow n

4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

20/8/2021 - 16:45:54 .465

Wri

20/8/2021 - 16:45:54 .465

Un kn ow n

4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

Un

(15)

20/8/2021 - 16:45:54 .465

kn ow n

4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 16:45:54 .465

Un kn ow n

20/8/2021 - 16:45:57 .262

Wri

te 4 C:\Monitor

20/8/2021 - 16:45:59 .512

Wri te

6 8 4

svchost.exe C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 16:45:59 .512

Wri te

6 8 4

svchost.exe C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 16:45:59 .512

Wri te

6 8 4

svchost.exe C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 16:45:59 .512

Wri te

6 8 4

svchost.exe C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 16:46:0.

497

Wri

te 4 C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 16:46:0.

497

Wri

te 4 C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 16:46:2.

481

Wri

te 4 C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 16:46:2.

481

Wri

te 4 C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 16:46:2.

481

Un kn ow n

4 C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 16:46:2.

481

Un kn ow n

4 C:\Windows\System32\winevt\Logs\Security.evtx

(16)

20/8/2021 - 16:46:12 .465

Wri

te 4 C:\Windows\Temp

20/8/2021 - 16:46:12 .465

Wri

te 4 C:\Windows

20/8/2021 - 16:46:17 .481

Wri te

6 8 4

svchost.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat

20/8/2021 - 16:46:27 .418

Wri

te 4 C:\System Volume Information\Syscache.hve.LOG1

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

te 4 C:\System Volume Information\Syscache.hve

(17)

20/8/2021 - 16:46:27 .418

Wri te

2 9 4 8

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .418

Wri

20/8/2021 - 16:46:27 .512

Wri

20/8/2021 - 16:46:30 .450

Wri

20/8/2021 - 16:46:30 .450

Un kn ow n

20/8/2021 - 16:46:37 .512

Wri

te 4 C:\Windows\System32\config\SYSTEM.LOG1

(18)

20/8/2021 - 16:46:37 .512

Wri

20/8/2021 - 16:46:37 .512

Wri

20/8/2021 - 16:46:37 .512

Wri

20/8/2021 - 16:46:37 .512

Wri

te 4 C:\Windows\System32\config\SYSTEM

20/8/2021 - 16:46:37 .512

Wri

20/8/2021 - 16:46:37 .512

Wri

20/8/2021 - 16:46:37 .512

Wri

20/8/2021 - 16:46:55 .747

Op en

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 16:46:55 .747

Un kn ow n

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 16:47:17 .465

Wri te

6 8 4

svchost.exe

20/8/2021 - 16:47:27 .559

Op en

1 8 6 4

C:\Windows\explorer.ex

e C:\

20/8/2021 - 16:47:27 .559

Un kn ow n

1 8 6 4

e C:\

20/8/2021 - 16:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot

(19)

20/8/2021 - 16:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 16:47:32 .809

Un kn ow n

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 16:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot\AppData\Roaming

20/8/2021 - 16:47:32 .809

Op en

1 8 6 4

20/8/2021 - 16:47:32 .809

Un kn ow n

1 8 6 4

20/8/2021 - 16:47:32 .809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes

20/8/2021 - 16:47:32 .809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes\slideshow.ini

20/8/2021 - 16:47:35 .856

Op en

7 9 6

svchost.exe C:\Windows\CSC\v2.0.6\namespace

20/8/2021 - 16:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 16:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 16:47:35 .856

Op en

7 9 6

svchost.exe \Device\Mup\.\.\

20/8/2021 - 16:47:35 Op

en 7

(20)

.856 6

20/8/2021 - 16:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 16:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 16:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 16:47:35 .856

Wri te

2 9 4 8

20/8/2021 - 16:47:35 .856

Wri te

2 9 4 8

20/8/2021 - 16:47:38 .856

Wri

20/8/2021 - 16:47:38 .856

Un kn ow n

20/8/2021 - 16:47:40 .872

Re ad

1 2 3 2

C:\Program Files\Windo ws Media Player\wmpn etwk.exe

C:\Program Files\Windows Media Player\wmpnetwk.e xe

20/8/2021 - 16:47:58 .122

Op en

1 8 6 4

e C:\Windows\System32\netprofm.dll

20/8/2021 - 16:47:58 .122

Op en

1 8 6 4

e C:\Windows\System32\netprofm.dll

20/8/2021 - 16:47:58 .403

Wri te

2 9 4 8

Use.exe C:\Monitor\Files\Logs\Registry.log

(21)

20/8/2021 - 16:47:59 .481

Re ad

6 8 4

svchost.exe

C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 16:48:1.

403

Wri

te 4 C:\Monitor\Files\Logs\Registry.log

20/8/2021 - 16:48:1.

403

Un kn ow n

4 C:\Monitor\Files\Logs\Registry.log

20/8/2021 - 16:48:3.

309

Wri

te 4 C:\Users\Behemot\ntuser.dat.LOG1

20/8/2021 - 16:48:3.

309

Wri

20/8/2021 - 16:48:3.

309

Wri

20/8/2021 - 16:48:3.

309

Wri

20/8/2021 - 16:48:3.

309

Wri

te 4 C:\Users\Behemot\NTUSER.DAT

20/8/2021 - 16:48:3.

309

Wri

20/8/2021 - 16:48:3.

309

Wri

20/8/2021 - 16:48:3.

309

Wri

20/8/2021 - 16:48:11 .309

Op

en 4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021 - 16:48:11 .309

Un kn ow n

4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021

(22)

- 16:48:13 .59

Op en

4 C:\System Volume Information

20/8/2021 - 16:48:13 .59

Op

en 4 C:\System Volume Information\{3808876b-c176-4e4 8-b7ae-04046e6cc752}

20/8/2021 - 16:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7ec-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 - 16:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7f0-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 - 16:48:13 .59

Un kn ow n

4 C:\System Volume Information

20/8/2021 - 16:48:13 .59

Wri te

2 9 4 8

20/8/2021 - 16:48:14 .465

Wri

20/8/2021 - 16:48:14 .465

Un kn ow n

20/8/2021 - 16:48:17 .481

Wri te

6 8 4

svchost.exe

20/8/2021 - 16:48:25 .887

Op en

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:25 .887

Op en

7 9 6

(23)

20/8/2021 - 16:48:25 .887

Op en

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:25 .887

Op en

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:25 .887

Un kn ow n

7 9 6

20/8/2021 - 16:48:29 .59

Wri

te 4 C:\Users\Behemot

20/8/2021 - 16:48:29 .528

Wri te

6 8 4

svchost.exe

20/8/2021 - 16:48:29 .528

Wri te

6 8 4

svchost.exe

20/8/2021 - 16:48:29 .528

Wri te

6 8 4

svchost.exe

20/8/2021 - 16:48:32 .481

Wri

te 4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021

Wri C:\Windows\System32\winevt\Logs\Microsoft-Window

(24)

- 16:48:32 .575

te 4 s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 16:48:32 .575

Un kn ow n

4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Windows\System32\t askhost.exe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.IE5\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

Temporary Internet Files\Content.IE5\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

History\History.IE5\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

History\History.IE5\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca che\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca

che\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatCache\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo

ws\IECompatCache\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatUACache\container.dat

20/8/2021 - 16:49:20

Un kn ow

1 7 9

ws\IECompatUACache\container.dat container.dat

(25)

.700 n 6

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\DNTException\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

ws\DNTException\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Cookies\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

ws\Cookies\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieSiteList\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E

xplorer\EmieSiteList\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieUserList\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

xplorer\EmieUserList\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\DOMStore\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

xplorer\DOMStore\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9

History\History.IE5\MSHist012018050320180504\con tainer.dat

(26)

6

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IEDownloadHistory\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

ws\IEDownloadHistory\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

AppCache\B2419NGQ\container.dat

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

AppCache\B2419NGQ\container.dat container.dat

20/8/2021 - 16:49:20 .700

Op en

1 7 9 6

WebCache

20/8/2021 - 16:49:20 .700

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 16:49:20 .700

Wri te

2 9 4 8

20/8/2021 - 16:49:20 .700

Wri te

2 9 4 8

20/8/2021 - 16:49:20 .747

Wri te

1 7 9 6

WebCache\WebCacheV01.dat

20/8/2021 - 16:49:20 .747

Wri

te 4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

(27)

20/8/2021 - 16:49:20 .840

Wri te

1 7 9 6

20/8/2021 - 16:49:20 .840

Wri

20/8/2021 - 16:49:20 .934

Wri te

1 7 9 6

20/8/2021 - 16:49:20 .934

Wri

20/8/2021 - 16:49:20 .934

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 16:49:20 .934

Wri

WebCache\V01.log

20/8/2021 - 16:49:20 .934

Re ad

1 7 9 6

20/8/2021 - 16:49:20 .981

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 16:49:20 .981

Wri

WebCache\V01.log

20/8/2021 - 16:49:20 .981

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 16:49:20 .981

Wri

WebCache\V01.log

20/8/2021 - 16:49:21 .28

Wri te

1 7 9 6

(28)

20/8/2021 - 16:49:21 .28

Wri

20/8/2021 - 16:49:21 .75

Op en

1 7 9 6

20/8/2021 - 16:49:21 .75

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:21 .75

Op en

1 7 9 6

WebCache

20/8/2021 - 16:49:21 .75

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 16:49:21 .75

Op en

1 7 9 6

20/8/2021 - 16:49:21 .75

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:21 .75

Wri te

2 9 4 8

20/8/2021 - 16:49:21 .75

Wri te

2 9 4 8

20/8/2021 - 16:49:23 .731

Wri

20/8/2021 - 16:49:23 .731

Un kn ow n

20/8/2021 - 16:49:25

Un kn ow

2 3 6

audiodg.exe C:\Windows

(29)

.887 n 0

20/8/2021 - 16:49:30 .762

Wri te

1 7 9 6

20/8/2021 - 16:49:30 .762

Wri

20/8/2021 - 16:49:30 .809

Wri te

1 7 9 6

20/8/2021 - 16:49:30 .809

Wri

20/8/2021 - 16:49:30 .856

Op en

7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 16:49:30 .856

Op en

7 9 6

20/8/2021 - 16:49:30 .856

Op en

7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 16:49:30

Un kn ow

7

(30)

.856 n 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 16:49:30 Op

en 1 7 9

WebCache

(31)

.856 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

C:\Windows\System32\t

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9

(32)

6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local

(33)

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

(34)

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

askhost.exe C:\Users\Behemot

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

1

(35)

20/8/2021 - 16:49:30 .856

Op en

7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

askhost.exe C:\Users

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Op en

1 7 9 6

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 1

(36)

- 16:49:30 .856

Op en

7 9 6

C:\Users

20/8/2021 - 16:49:30 .856

Un kn ow n

1 7 9 6

20/8/2021 - 16:49:30 .856

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Wri

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Wri te

2 9 4 8

20/8/2021 - 16:49:30 .856

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Wri

WebCache\V01.chk

20/8/2021 - 16:49:30 .856

Wri te

2 9 4 8

20/8/2021 - 16:49:30 .872

Wri te

2 9 4 8

20/8/2021 - 16:49:31 .497

Wri

20/8/2021 - 16:49:31 .497

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

20/8/2021 - 16:49:31 .497

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

(37)

20/8/2021 - 16:49:31 .497

Un kn ow n

20/8/2021 - 16:49:32 .481

Wri te

6 8 4

svchost.exe

Process

Trace

20/8/2021 - 16:49:25.8 87

Terminat e

68 4

C:\Windows\System32\svchost.e xe

236 0

C:\Windows\System32\audiodg.e xe

Analysis

Reason Timeout

Status Sucessfully Executed

Results 1

Registry

Trace

20/8/2021 - 1 6:46:22.418

W rit e

4 \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\D

efaultObjectStore\LruList CurrentLru

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000ED ObjectId

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000ED ObjectLru

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\ObjectTable\1E _ObjectLru_

(38)

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000E8 ObjectId

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000E8 ObjectLru

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\ObjectTable\3E _ObjectLru_

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000EB ObjectId

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000EB ObjectLru

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\ObjectTable\3F _ObjectLru_

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000F0 ObjectId

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000F0 ObjectLru

20/8/2021 - 1 6:46:22.418

W rit e

efaultObjectStore\ObjectTable\40 _ObjectLru_

20/8/2021 - 1 6:46:29.372

W rit e

4 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb0 04a03-9b1a-11d4-9123-0050047759bc}\22

20/8/2021 - 1 6:46:29.372

W rit e

fffffffffffffffffff fffffffffff00

20/8/2021 - 1 6:46:29.372

W rit e

20/8/2021 - 1 6:46:29.372

W rit e

20/8/2021 - 1 6:46:29.372

W rit e

(39)

20/8/2021 - 1 6:47:58.403

W rit e

1 8 6 4

C:\Windows\e xplorer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\HomeGrou

p\UIStatusCache UIStatus

20/8/2021 - 1 6:47:58.403

W rit e

1 8 6 4

p\UIStatusCache OnlyMember

20/8/2021 - 1 6:47:58.403

W rit e

1 8 6 4

p\UIStatusCache Modifier

20/8/2021 - 1 6:47:58.403

W rit e

1 8 6 4

HKCU\Software\Microsoft\Windows\CurrentVersion\HomeGrou p\UIStatusCache

ModifierSyst em

File Summary

Created Identified: True

Deleted Identified: False

Process Summary

Created Identified: False

Deleted Identified: True

Registry Summary

Proxy Identified: False

AutoRun Identified: False

Created Identified: True

Deleted Identified: False

(40)

Browsers Identified: False

Internet Identified: False

DNS

Query

Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS False

TCP False

UDP False

HTTP False

(41)

Results

BINARY

NFS 2.0 (Threshold = 0.8) confidence: 90.00%

suspicious: False

NFS 3.0 (Threshold = 0.75) confidence: 71.81%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 70.93%

Random Forest (100 estimators, NFS-BRMalware) confidence: 84.00%

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 73.21%

LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 100.00%