Report #13346

(1)

Binary

DLL False

Size 355.00KB

trid 41.0% Win32 Executable MS Visual C++

36.3% Win64 Executable

8.6% Win32 Dynamic Link Library 5.9% Win32 Executable

2.6% OS/2 Executable

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 74d2a3fd3a44f96810b267534383e715

sha1 f55932cf4ea926c306a42e447401954b6488d409

crc32 0xca0338f5

sha224 d08fe951d21131979215a3e0dda40ad7c76c1d04788762be1c431fe8

sha256 b8975bd5b2623c9dd5189fbddbf8801924e8c28e03e5a1fec980ae4d1995df eb

sha384 c8b159fb351aad621720f0c9c2dc22bd25f76849559418218d0edc29aee0d1 ebb7edf48f8d60cbfc5beea80bc7df9bca

sha512 976a69e139d3bf8eed97ca6f1a6e01b779ff434e8d018b1afe1eaa19e805db d8bdaf46d9129674983316fbef25fddf6290331337139fbcafc23726edd41e4 cae

ssdeep 6144:3lVIr0sT7JscaJlJ/hLEHKPRAF15KgiT6x:jIr0OhavBdEHKPRs18Fg

Community

Report #13346

Creation Date: Aug. 20, 2021, 1:39 p.m.

Last Update: Aug. 20, 2021, 7:39 p.m.

File:

rdpclip.exe Results:

(2)

Google False

HashLib False

YARA

Matches win_files_operation, domain, contentis_base64, anti_dbg, IP, url, HasRichSig nature, win_mutex, win_registry, HasDebugData, migrate_apc, IsPE32, IsWi ndowsGUI

Suspicious True

Imports

ntdll.dll NtClose, RtlNtStatusToDosError, NtCreateFile, EtwEventActivityIdControl, Rtl MultiByteToUnicodeN, RtlInitUnicodeString

DEVOBJ.dll DevObjGetClassDevs, DevObjCreateDeviceInfoList, DevObjDestroyDeviceIn foList, DevObjGetDeviceInterfaceDetail, DevObjEnumDeviceInterfaces

USER32.dll RegisterClassExW, CreateWindowExW, PostMessageW, DefWindowProcW, L oadCursorW, LoadStringW, UnregisterDeviceNotification, RegisterClassW, R egisterDeviceNotificationW, EnumDisplaySettingsW, SetWindowLongW, Get WindowRgn, OpenDesktopW, GetUserObjectInformationW, GetLayeredWind owAttributes, ChangeDisplaySettingsExW, GetSystemMetrics, EnumDisplay DevicesW, PostQuitMessage, SystemParametersInfoW, SetWinEventHook, G etClassInfoExW, UnhookWinEvent, MonitorFromWindow, GetWindowLongW, CloseDesktop, GetWindowTextLengthW

WINSTA.dll WinStationFreePropertyValue, WinStationVirtualOpenEx, WinStationGetCon nectionProperty, WinStationIsCurrentSessionRemoteable, WinStationNameF romLogonIdW, WinStationIsSessionRemoteable, WinStationQueryInformatio nW

dwmapi.dll DwmGetWindowAttribute

msvcrt.dll ??0exception@@QAE@XZ, ??0exception@@QAE@ABV0@@Z, ??1type_info

@@UAE@XZ, ??1exception@@UAE@XZ, ?what@exception@@UBEPBDXZ, memcpy, __CxxFrameHandler3, memcmp, _ftol2_sse, _CxxThrowException, strnlen, _strnicmp, isalpha, _wcsnicmp, _vsnwprintf, _wmakepath_s, swprint f_s, _wsplitpath_s, memcpy_s, _purecall, _wcsicmp, malloc, _callnewh, wcsr chr, memset, _controlfp, ?terminate@@YAXXZ, _except_handler4_common, _onexit, __dllonexit, _unlock, _lock, wcsnlen, wcschr, _vsnprintf_s, _acmdln, _initterm, __setusermatherr, _ismbblead, __p__fmode, _cexit, _exit, exit, __s et_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, free

CRYPT32.dll CryptBinaryToStringW

KERNEL32.dll EnterCriticalSection, LeaveCriticalSection, GetCurrentThread, LoadLibraryW , DeleteCriticalSection, GetModuleHandleExA, DebugBreak, GetProcessHea p, CreateMutexExW, HeapAlloc, HeapSetInformation, OpenSemaphoreW, W

(3)

aitForSingleObjectEx, OutputDebugStringW, FormatMessageW, ReleaseMut ex, GetCurrentThreadId, WaitForSingleObject, InitializeCriticalSection, Relea seSemaphore, SetLastError, HeapFree, CreateSemaphoreExW, GetModuleFil eNameA, IsDebuggerPresent, GetLastError, GetModuleHandleW, GetProcAd dress, FreeLibrary, ResetEvent, SetEvent, DefineDosDeviceW, ProcessIdToS essionId, DeviceIoControl, GetModuleHandleExW, QueryDosDeviceW, Quer yFullProcessImageNameW, GetCurrentProcessId, CreateMutexW, CreateEve ntW, CloseHandle, GetCurrentProcess

WTSAPI32.dll WTSRegisterSessionNotification, WTSVirtualChannelOpen, WTSVirtualChan nelQuery, WTSVirtualChannelWrite, WTSQuerySessionInformationW, WTSVi rtualChannelOpenEx, WTSFreeMemory, WTSUnRegisterSessionNotification, WTSVirtualChannelClose

setupapi.dll SetupDiCreateDeviceInfoList, SetupDiGetDeviceRegistryPropertyW, SetupDi GetClassDevsW, SetupDiGetDeviceInterfaceDetailW, SetupDiEnumDeviceIn terfaces, SetupDiOpenDeviceInterfaceW, SetupDiDestroyDeviceInfoList, Set upDiGetDevicePropertyW

api-ms-win-core-io-l1-1-0.dll GetOverlappedResult

api-ms-win-core-com-l1-1-0.dll CoInitializeEx, CoCreateFreeThreadedMarshaler, CoUninitialize api-ms-win-core-path-l1-1-0.dll PathCchCanonicalize

api-ms-win-core-psapi-l1-1-0.dll K32GetModuleFileNameExW api-ms-win-core-winrt-l1-1-0.dll RoGetActivationFactory

api-ms-win-core-string-l1-1-0.dll WideCharToMultiByte, CompareStringW, MultiByteToWideChar

api-ms-win-core-profile-l1-1-0.dl l

QueryPerformanceCounter

api-ms-win-core-registry-l1-1-0.

dll

RegEnumValueW

api-ms-win-core-localization-l1- 2-0.dll

GetCPInfo, IsDBCSLeadByte

api-ms-win-core-heap-obsolete-l 1-1-0.dll

GlobalUnlock, GlobalLock, GlobalSize

api-ms-win-core-string-obsolete -l1-1-0.dll

lstrcmpW

api-ms-win-rtcore-ntuser-windo w-l1-1-0.dll

GetAncestor, DispatchMessageW, GetWindowTextW, SetTimer, ClientToScre en, GetWindowRect, IsWindow, GetMessageW, GetParent, DestroyWindow, GetClassNameW, SendMessageW, IsChild, EnumWindows, IsWindowVisible, GetDesktopWindow, GetWindowThreadProcessId, UnregisterClassW, PostTh readMessageW, TranslateMessage, KillTimer, PeekMessageW, EnumChildWi ndows, GetClientRect

api-ms-win-rtcore-ole32-clipboa rd-l1-1-0.dll

OleIsCurrentClipboard, OleGetClipboard, OleSetClipboard

(4)

api-ms-win-rtcore-ntuser-clipbo ard-l1-1-0.dll

RegisterClipboardFormatW, GetClipboardFormatNameW, IsClipboardFormat Available

api-ms-win-security-isolatedcon tainer-l1-1-1.dll

IsProcessInWDAGContainer

Strings

List

<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">

RDP.Graphics rdpclip.pdb

Windows.Security.EnterpriseData.ProtectionPolicyManager

onecoreuap\termsrv\rdpplatform\common\rdplibs\edp\rdpedppolicymanager.cpp Software\Microsoft\Terminal Server\%d\Drive Letter Cache\

rdpclip.exe rdpclip.exe rdpinit.exe CRYPT32.dll WINSTA.dll

SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevels\

name="Microsoft.Windows.rdpclip"

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp GetActivationFactory<IProtectionPolicyManagerStatics2> failed. hr[0x%x]

[Unknown]

api-ms-win-core-registry-l1-1-0.dll

api-ms-win-security-isolatedcontainer-l1-1-1.dll api-ms-win-security-systemfunctions-l1-1-0.dll UMRdpEndpoint_%d

DEVOBJ.dll

api-ms-win-security-base-l1-1-0.dll

Software\Microsoft\Terminal Server Client\DefaultPrinter WTSAPI32.dll

FAdvapi32.dll ishcore.dll

api-ms-win-core-io-l1-1-1.dll 3ntdll.dll

sole32.dll printui.dll kernelbase.dll srpapi.dll ntdll.dll dwmapi.dll

Software\Microsoft\Terminal Server Client

RdpNamedPipeHandler::CreateInstance failed. Non-fatal GetProtectionEnabled failed. hr[0x%x]

OOM on RdpEdpPolicyManager

System\CurrentControlSet\Control\Terminal Server\WinStations\

SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations RdpEdpPolicyManager

MPR.dll

SYSTEM\CurrentControlSet\Control\Terminal Server STREAM_ENTRY

CServerHdropPacker

(5)

Software\Policies\Microsoft\Windows NT\Terminal Services\

OnClose failed!

IsProtectionEnabled failed. hr[0x%x]

OnConnected failed!

RdpEdpPolicyManager::IsProtectionEnabled OnChannelOpened failed!

RdpEdpSrpApi::Initialize failed. hr[0x%x]

Windows.Foundation.IReference`1<Windows.Devices.Geolocation.BasicGeoposition>

SendToRDPUDD failed. Try to change the resolution anyway

=O=T=Y=s=

Failed to copy "RDPClip-Reconnect" event name!

Failed to get the device name for RDPUDD CreateClipboardPdu failed!

SendClipboardPdu failed!

Failed to bind the main RDPClip thread to the current thread!

I/O failed with RDPIDD AddCallback failed

GetOpenClipboardProcess failed Start failed!

Write failed!

Seek failed!

Stop failed!

Read failed!

Close failed!

%hs(%u)\%hs!%p:

GetFgd failed!

%hs!%p:

api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-winrt-l1-1-0.dll r%hpm@

GetSize failed!

GetItem failed!

SetData failed.

api-ms-win-core-heap-obsolete-l1-1-0.dll SendCaps failed!

api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-string-obsolete-l1-1-0.dll GetBuffer failed!

api-ms-win-core-shlwapi-obsolete-l1-1-0.dll (caller: %p)

CreateThread failed!

GetClientRect failed ValidateFilePaths failed.

FillReceiveBuffer failed!

Initialize event filters list failed SendReadyPdu failed!

SendClipCaps failed!

api-ms-win-rtcore-ntuser-synch-l1-1-0.dll RdpLocationHandler

CServerHdropPacker::CreateInstance failed!

RunQueueEvent failed

spHintManager->GetStartMenuRect failed api-ms-win-rtcore-ntuser-clipboard-l1-1-0.dll

Foremost

(6)

Matches 0.exe, 355 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed: http://schemas.microsoft.com/smi/2005/windowssettings, http://s chemas.microsoft.com/smi/2011/windowssettings

hasURLs: True Suspicious

hasAllowed: True hasSuspicious: False

Files Allowed: srpapi.dll, advapi32.dll, sole32.dll, kernelbase.dll, 3ntdll.dll, user3 2.dll, gdi32.dll, printui.dll, ishcore.dll, api-ms-win-eventing-provider-l1-1-0.dl l, api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-com-l1-1-0.dll, api-ms-w in-security-systemfunctions-l1-1-0.dll, SHELL32.dll, api-ms-win-core-registry -l1-1-0.dll, api-ms-win-core-string-obsolete-l1-1-0.dll, api-ms-win-core-profil e-l1-1-0.dll, api-ms-win-core-winrt-l1-1-0.dll, RPCRT4.dll, api-ms-win-core-io- l1-1-0.dll, WTSAPI32.dll, api-ms-win-core-heap-obsolete-l1-1-0.dll, api-ms-wi n-core-synch-l1-2-1.dll, dwmapi.dll, api-ms-win-core-psapi-l1-1-0.dll, api-ms -win-ntuser-sysparams-l1-1-0.dll, setupapi.dll, api-ms-win-core-errorhandlin g-l1-1-0.dll, api-ms-win-security-isolatedcontainer-l1-1-1.dll, WINSTA.dll, ntd ll.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-file-l1-1-0.dll, OLE32.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-core-shlwapi-obsol ete-l1-1-0.dll, DEVOBJ.dll, api-ms-win-security-base-l1-1-0.dll, CRYPT32.dll, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-core-stringansi-l1-1-0 .dll, msvcrt.dll, api-ms-win-core-io-l1-1-1.dll, api-ms-win-rtcore-ntuser-synch -l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-rtcore-ntuser-clipbo ard-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-pa th-l1-1-0.dll, MPR.dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win-ntu ser-rectangle-l1-1-0.dll, FAdvapi32.dll, api-ms-win-rtcore-ole32-clipboard-l1- 1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll, KERNEL32.dll, api-ms-win-rt core-ntuser-window-l1-1-0.dll, api-ms-win-core-heap-l2-1-0.dll

hasFiles: True Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 64000

Suspicious: False

(7)

Image

Address: 4194304 Suspicious: False Stack

Stack: 8192 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 384769

Suspicous: False

Sections Allowed: .text, .data, .idata, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 10

Suspicious: False Image

Version: False Suspicious: 10 Linker

Version: 14.20 Suspicious: False Subsystem

Version: 10.0 Suspicious: False Suspicious: False

EntryPoint Address: 318144

Suspicious: False

Anomalies Anomalies

hasAnomalies: False

(8)

Libraries Allowed: advapi32.dll, kernelbase.dll, user32.dll, gdi32.dll, printui.dll, api- ms-win-eventing-provider-l1-1-0.dll, api-ms-win-core-string-l1-1-0.dll, api-m s-win-core-com-l1-1-0.dll, api-ms-win-security-systemfunctions-l1-1-0.dll, sh ell32.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-string-obsolete -l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-winrt-l1-1-0.dll , rpcrt4.dll, api-ms-win-core-io-l1-1-0.dll, wtsapi32.dll, api-ms-win-core-heap -obsolete-l1-1-0.dll, dwmapi.dll, api-ms-win-core-psapi-l1-1-0.dll, api-ms-win -ntuser-sysparams-l1-1-0.dll, setupapi.dll, api-ms-win-core-errorhandling-l1- 1-0.dll, winsta.dll, ntdll.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-wi n-core-file-l1-1-0.dll, ole32.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win -core-shlwapi-obsolete-l1-1-0.dll, devobj.dll, api-ms-win-security-base-l1-1-0 .dll, crypt32.dll, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-core- stringansi-l1-1-0.dll, msvcrt.dll, api-ms-win-core-io-l1-1-1.dll, api-ms-win-cor e-synch-l1-2-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-cor e-path-l1-1-0.dll, mpr.dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win- ntuser-rectangle-l1-1-0.dll, kernel32.dll

hasLibs: True

Suspicious: srpapi.dll, sole32.dll, 3ntdll.dll, ishcore.dll, api-ms-win-core-sy nch-l1-2-1.dll, api-ms-win-security-isolatedcontainer-l1-1-1.dll, api-ms-win-rt core-ntuser-synch-l1-1-0.dll, api-ms-win-rtcore-ntuser-clipboard-l1-1-0.dll, fa dvapi32.dll, api-ms-win-rtcore-ole32-clipboard-l1-1-0.dll, api-ms-win-core-lib raryloader-l1-2-0.dll, api-ms-win-rtcore-ntuser-window-l1-1-0.dll, api-ms-win -core-heap-l2-1-0.dll

hasAllowed: True hasSuspicious: True

Timestamp Past: False

Valid: True

Value: 2022-02-12 08:09:22 Future: True

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C++ 8

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

(9)

pushret .text: 6

pushpopmath .text: 19

.reloc: 19

garbagebytes .text: 2

hookdetection .text: 1

.reloc: 2

software breakpoint .reloc: 8

programcontrolflowchange .text: 2

AVclass

File

Trace

20/8/2021 - 18:45:43 .465

Un kn ow n

4 C:\Users\Behemot\Desktop\desktop.ini

20/8/2021 - 18:45:43 .465

Un kn ow n

4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 18:45:45 .497

Wri

te 4 C:\Windows

20/8/2021 - 18:45:47 .262

Wri

te 4 C:\Monitor

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

C:\Windows\System32\

svchost.exe C:\Monitor\WKCD_Load_Use.exe

20/8/2021 - 18:45:47

Un kn ow

2 9 2

svchost.exe C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

(10)

.856 n 8

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A2F27954F4B4C5FD26

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

20/8/2021 - 18:45:47 Op

en 2 9

2 C:\Windows\System32\

(11)

.856 8

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Re ad

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A30415A103D3F52066

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Re ad

2 9 2 8

20/8/2021 - 18:45:47

Un kn ow

2 9 2

TMP000000A3 0415A103D3F5

(12)

.856 n 8 2066

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Op en

2 9 2 8

20/8/2021 - 18:45:47 .856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 18:45:47 .856

Wri te

1 3 4 4

C:\Monitor\WKCD_Load_

Use.exe C:\Monitor\Files\Logs\File.log

20/8/2021 - 18:45:47 .903

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

20/8/2021 - 18:45:49 .481

Un kn ow n

4 C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 18:45:49 .481

Wri

te 4 C:\Monitor\Files\Logs\File.log

(13)

20/8/2021 - 18:45:49 .481

Un kn ow n

4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 18:45:52 .418

Op en

7 9 6

svchost.exe

C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782 7.pf

20/8/2021 - 18:45:52 .418

Op en

7 9 6

svchost.exe

20/8/2021 - 18:45:52 .418

Wri te

7 9 6

svchost.exe

WKCD_LOAD_U SE.EXE-695C7 827.pf

20/8/2021 - 18:45:52 .418

Un kn ow n

7 9 6

svchost.exe

20/8/2021 - 18:45:52 .450

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 18:45:52 .450

Un kn ow n

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 18:45:52 .450

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 18:45:52 .450

Wri te

7 9 6

20/8/2021 - 18:45:52 .450

Un kn ow n

7 9 6

20/8/2021 - 18:45:52 .856

Op en

2 9 2 8

svchost.exe C:\Windows\System32\conhost.exe

20/8/2021 - 18:45:52 .856

Op en

2 9 2 8

(14)

20/8/2021 - 18:45:52 .856

Op en

2 9 2 8

20/8/2021 - 18:45:52 .856

Op en

2 9 2 8

20/8/2021 - 18:45:52 .856

Wri te

1 3 4 4

20/8/2021 - 18:45:52 .856

Wri te

1 3 4 4

20/8/2021 - 18:45:53 .465

Wri

te 4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

20/8/2021 - 18:45:53 .465

Wri

te 4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 18:45:53 .465

Wri

20/8/2021 - 18:45:53 .465

Un kn ow n

4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

20/8/2021 - 18:45:53 .465

Un kn ow n

20/8/2021 - 18:45:53 .465

Un kn ow n

20/8/2021 - 18:45:53 .465

Un kn ow n

20/8/2021 - 18:46:11 .497

Wri

te 4 C:\Windows\Temp

(15)

20/8/2021 - 18:46:17 .465

Wri te

6 8 4

svchost.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat

20/8/2021 - 18:46:19 .481

Wri

te 4 C:\Windows

20/8/2021 - 18:46:27 .418

Wri

te 4 C:\Windows\System32\config\SYSTEM.LOG1

20/8/2021 - 18:46:27 .418

Wri

20/8/2021 - 18:46:27 .418

Wri

20/8/2021 - 18:46:27 .418

Wri

20/8/2021 - 18:46:27 .418

Wri

te 4 C:\Windows\System32\config\SYSTEM

20/8/2021 - 18:46:27 .418

Wri

20/8/2021 - 18:46:27 .418

Wri

20/8/2021 - 18:46:27 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

te 4 C:\System Volume Information\Syscache.hve.LOG1

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

(16)

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

te 4 C:\System Volume Information\Syscache.hve

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 Wri

4 C:\System Volume Information\Syscache.hve

(17)

.418 te

20/8/2021 - 18:46:32 .418

Wri

20/8/2021 - 18:46:32 .418

Wri te

1 3 4 4

20/8/2021 - 18:46:32 .512

Wri

20/8/2021 - 18:46:35 .450

Wri

20/8/2021 - 18:46:35 .450

Un kn ow n

20/8/2021 - 18:46:55 .731

Op en

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 18:46:55 .731

Un kn ow n

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 18:47:17 .465

Wri te

6 8 4

svchost.exe

20/8/2021 - 18:47:27 .575

Op en

1 8 6 4

C:\Windows\explorer.ex

e C:\

20/8/2021 - 18:47:27 .575

Un kn ow n

1 8 6 4

e C:\

20/8/2021 - 18:47:32 .825

Op en

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 18:47:32 Op

en 1 8 6

e C:\Users\Behemot

(18)

.825 4

20/8/2021 - 18:47:32 .825

Un kn ow n

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 18:47:32 .825

Op en

1 8 6 4

e C:\Users\Behemot\AppData\Roaming

20/8/2021 - 18:47:32 .825

Op en

1 8 6 4

20/8/2021 - 18:47:32 .825

Un kn ow n

1 8 6 4

20/8/2021 - 18:47:32 .825

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes

20/8/2021 - 18:47:32 .825

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes\slideshow.ini

20/8/2021 - 18:47:35 .856

Op en

7 9 6

svchost.exe C:\Windows\CSC\v2.0.6\namespace

20/8/2021 - 18:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 18:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 18:47:35 .856

Op en

7 9 6

svchost.exe \Device\Mup\.\.\

20/8/2021 - 18:47:35 .856

Op en

7 9 6

Un

(19)

20/8/2021 - 18:47:35 .856

kn ow n

7 9 6

20/8/2021 - 18:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 18:47:35 .856

Un kn ow n

7 9 6

20/8/2021 - 18:47:40 .934

Re ad

1 2 3 2

C:\Program Files\Windo ws Media Player\wmpn etwk.exe

C:\Program Files\Windows Media Player\wmpnetwk.e xe

20/8/2021 - 18:47:58 .137

Op en

1 8 6 4

e C:\Windows\System32\netprofm.dll

20/8/2021 - 18:47:58 .137

Op en

1 8 6 4

e C:\Windows\System32\netprofm.dll

20/8/2021 - 18:47:58 .153

Wri te

1 3 4 4

20/8/2021 - 18:47:58 .153

Wri te

1 3 4 4

20/8/2021 - 18:47:58 .434

Wri te

1 3 4 4

Use.exe C:\Monitor\Files\Logs\Registry.log

20/8/2021 - 18:47:59 .512

Re ad

6 8 4

svchost.exe

C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 18:48:1.

153

Wri

20/8/2021 - 18:48:1.

153

Wri

te 4 C:\Monitor\Files\Logs\Registry.log

(20)

20/8/2021 - 18:48:1.

153

Un kn ow n

20/8/2021 - 18:48:1.

153

Un kn ow n

4 C:\Monitor\Files\Logs\Registry.log

20/8/2021 - 18:48:3.

340

Wri

te 4 C:\Users\Behemot\ntuser.dat.LOG1

20/8/2021 - 18:48:3.

340

Wri

20/8/2021 - 18:48:3.

340

Wri

20/8/2021 - 18:48:3.

340

Wri

20/8/2021 - 18:48:3.

340

Wri

te 4 C:\Users\Behemot\NTUSER.DAT

20/8/2021 - 18:48:3.

340

Wri

20/8/2021 - 18:48:3.

340

Wri

20/8/2021 - 18:48:3.

340

Wri

20/8/2021 - 18:48:8.

481

Wri

te 4 C:\Users\Behemot

20/8/2021 - 18:48:11 .309

Op

en 4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021 - 18:48:11 .309

Un kn ow n

4 \Device\HarddiskVolume1\System Volume Informatio n

(21)

20/8/2021 - 18:48:13 .59

Op

en 4 C:\System Volume Information

20/8/2021 - 18:48:13 .59

Op

en 4 C:\System Volume Information\{3808876b-c176-4e4 8-b7ae-04046e6cc752}

20/8/2021 - 18:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7ec-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 - 18:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7f0-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 - 18:48:13 .59

Un kn ow n

4 C:\System Volume Information

20/8/2021 - 18:48:17 .465

Wri te

6 8 4

svchost.exe

20/8/2021 - 18:48:25 .903

Op en

7 9 6

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Op en

7 9 6

20/8/2021 - 18:48:25 .903

Op en

7 9 6

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Op en

7 9 6

(22)

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Un kn ow n

7 9 6

20/8/2021 - 18:48:25 .903

Wri te

1 3 4 4

20/8/2021 - 18:48:26 .465

Wri

20/8/2021 - 18:48:26 .465

Un kn ow n

20/8/2021 - 18:48:29 .559

Wri te

6 8 4

svchost.exe

20/8/2021 - 18:48:29 .559

Wri te

6 8 4

svchost.exe

20/8/2021 - 18:48:29 .559

Wri te

6 8 4

svchost.exe

20/8/2021 - 18:48:32 .465

Wri

te 4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 18:48:32 .559

Wri

te 4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

Un

(23)

20/8/2021 - 18:48:32 .559

kn ow n

4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Windows\System32\t askhost.exe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.IE5\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

Temporary Internet Files\Content.IE5\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

History\History.IE5\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

History\History.IE5\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca che\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca

che\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatCache\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo

ws\IECompatCache\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatUACache\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

ws\IECompatUACache\container.dat container.dat

20/8/2021 1

(24)

- 18:49:20 .715

Op en

7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\DNTException\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

ws\DNTException\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Cookies\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

ws\Cookies\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieSiteList\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E

xplorer\EmieSiteList\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieUserList\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

xplorer\EmieUserList\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\DOMStore\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

xplorer\DOMStore\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

20/8/2021 Un 1

(25)

- 18:49:20 .715

kn ow n

7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IEDownloadHistory\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

ws\IEDownloadHistory\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

AppCache\B2419NGQ\container.dat

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

AppCache\B2419NGQ\container.dat container.dat

20/8/2021 - 18:49:20 .715

Op en

1 7 9 6

WebCache

20/8/2021 - 18:49:20 .715

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 18:49:20 .715

Wri te

1 3 4 4

20/8/2021 - 18:49:20 .762

Wri te

1 7 9 6

WebCache\WebCacheV01.dat

20/8/2021 - 18:49:20 .762

Wri

te 4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

20/8/2021 - 18:49:20 .762

Wri te

1 3 4 4

20/8/2021 - 18:49:20 Wri

te 1 7 9

(26)

.856 6

20/8/2021 - 18:49:20 .856

Wri

20/8/2021 - 18:49:20 .950

Wri te

1 7 9 6

20/8/2021 - 18:49:20 .950

Wri

20/8/2021 - 18:49:20 .950

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 18:49:20 .950

Wri

WebCache\V01.log

20/8/2021 - 18:49:20 .950

Re ad

1 7 9 6

20/8/2021 - 18:49:20 .997

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 18:49:20 .997

Wri

WebCache\V01.log

20/8/2021 - 18:49:20 .997

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 18:49:20 .997

Wri

WebCache\V01.log

20/8/2021 - 18:49:21 .43

Wri te

1 7 9 6

20/8/2021 - 18:49:21 .43

Wri

(27)

20/8/2021 - 18:49:21 .90

Op en

1 7 9 6

20/8/2021 - 18:49:21 .90

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:21 .90

Op en

1 7 9 6

WebCache

20/8/2021 - 18:49:21 .90

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 18:49:21 .90

Op en

1 7 9 6

20/8/2021 - 18:49:21 .90

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:23 .747

Wri

20/8/2021 - 18:49:23 .747

Un kn ow n

20/8/2021 - 18:49:25 .856

Un kn ow n

2 3 6 0

audiodg.exe C:\Windows

20/8/2021 - 18:49:30 .778

Wri te

1 7 9 6

20/8/2021 - 18:49:30 .778

Wri

20/8/2021 - 18:49:30 Wri

1

3 C:\Monitor\WKCD_Load_

C:\Monitor\Files\Logs\File.log

(28)

.778 te 4 4

Use.exe

20/8/2021 - 18:49:30 .778

Wri te

1 3 4 4

20/8/2021 - 18:49:30 .825

Wri te

1 7 9 6

20/8/2021 - 18:49:30 .825

Wri

20/8/2021 - 18:49:30 .856

Op en

7 9 6

20/8/2021 - 18:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 18:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 18:49:30 .856

Op en

7 9 6

20/8/2021 - 18:49:30 .856

Op en

7 9 6

20/8/2021 - 18:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 18:49:30 .856

Un kn ow n

7 9 6

20/8/2021 - 18:49:30 .856

Un kn ow n

7 9 6

20/8/2021 1

(29)

- 18:49:30 .872

Op en

7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache

20/8/2021 Un 1

(30)

- 18:49:30 .872

kn ow n

7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

C:\Windows\System32\t

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 Un kn

1

7 C:\Windows\System32\t

(31)

- 18:49:30 .872

ow n

9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local

20/8/2021 - 18:49:30 Op

1

C:\Users\Behemot\AppData\Local

(32)

.872 en 9 6

askhost.exe

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 Op

1

C:\Users\Behemot\AppData

(33)

.872 en 9 6

askhost.exe

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 Op

1

C:\Users\Behemot

(34)

.872 en 9 6

askhost.exe

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Op en

1 7 9 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 Op

en 1 7 9

(35)

.872 6

20/8/2021 - 18:49:30 .872

Un kn ow n

1 7 9 6

20/8/2021 - 18:49:30 .872

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Wri

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Wri te

1 3 4 4

20/8/2021 - 18:49:30 .872

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Wri

WebCache\V01.chk

20/8/2021 - 18:49:30 .872

Wri te

1 3 4 4

20/8/2021 - 18:49:30 .887

Wri te

1 3 4 4

20/8/2021 - 18:49:31 .481

Wri

20/8/2021 - 18:49:31 .481

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

20/8/2021 - 18:49:31 .481

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

20/8/2021 Un

(36)

- 18:49:31 .481

kn ow n

20/8/2021 - 18:49:32 .450

Wri te

6 8 4

svchost.exe

Process

Trace

20/8/2021 - 18:49:25.8 56

Terminat e

68 4

C:\Windows\System32\svchost.e xe

236 0

C:\Windows\System32\audiodg.e xe

Analysis

Reason Timeout

Status Sucessfully Executed

Results 1

Registry

Trace

20/8/2021 - 1 8:46:22.418

W rit e

4 \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\D

efaultObjectStore\LruList CurrentLru

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000ED ObjectId

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000ED ObjectLru

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\ObjectTable\1E _ObjectLru_

20/8/2021 - 1 W

rit 4 \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\D

ObjectId

(37)

8:46:22.418 e efaultObjectStore\LruList\00000000000000E8

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000E8 ObjectLru

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\ObjectTable\3E _ObjectLru_

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000EB ObjectId

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000EB ObjectLru

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\ObjectTable\3F _ObjectLru_

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000F0 ObjectId

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\LruList\00000000000000F0 ObjectLru

20/8/2021 - 1 8:46:22.418

W rit e

efaultObjectStore\ObjectTable\40 _ObjectLru_

20/8/2021 - 1 8:46:23.918

W rit e

4 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb0 04a03-9b1a-11d4-9123-0050047759bc}\22

20/8/2021 - 1 8:46:23.918

W rit e

fffffffffffffffffff fffffffffff00

20/8/2021 - 1 8:46:23.918

W rit e

20/8/2021 - 1 8:46:23.918

W rit e

20/8/2021 - 1 8:46:23.918

W rit e

1

(38)

20/8/2021 - 1 8:47:58.434

W rit e

8 6 4

C:\Windows\e xplorer.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\HomeGrou

p\UIStatusCache UIStatus

20/8/2021 - 1 8:47:58.434

W rit e

1 8 6 4

p\UIStatusCache OnlyMember

20/8/2021 - 1 8:47:58.434

W rit e

1 8 6 4

p\UIStatusCache Modifier

20/8/2021 - 1 8:47:58.434

W rit e

1 8 6 4

HKCU\Software\Microsoft\Windows\CurrentVersion\HomeGrou p\UIStatusCache

ModifierSyst em

File Summary

Created Identified: True

Deleted Identified: False

Process Summary

Created Identified: False

Deleted Identified: True

Registry Summary

Proxy Identified: False

AutoRun Identified: False

Created Identified: True

Deleted Identified: False

Browsers Identified: False

(39)

Internet Identified: False

DNS

Query

Response

TCP

Info

UDP

Info

HTTP

Info

Summary

DNS False

TCP False

UDP False

HTTP False

Results

(40)

BINARY

NFS 2.0 (Threshold = 0.8) confidence: 85.00%

suspicious: False

NFS 3.0 (Threshold = 0.75) confidence: 70.00%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

suspicious: True

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 95.39%

Random Forest (100 estimators, NFS-BRMalware) confidence: 87.00%

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 72.47%

LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 100.00%