Report #13561

(1)

Binary

DLL False

Size 209.50KB

trid 41.0% Win32 Executable MS Visual C++

36.3% Win64 Executable

8.6% Win32 Dynamic Link Library 5.9% Win32 Executable

2.6% OS/2 Executable

type PE

wordsize 32

Subsystem Windows CLI

Hashes

md5 85757c358e6d2652333c4f9a758e4bf3

sha1 74f38b48e303e9b2da66ad46f304d033da3f3a29

crc32 0x8ef7eca2

sha224 9a1eaf587ffefe7b4c1ac4c534dc7929353f45e7e248f3d0acd3d48c

sha256 b8dd6e17401df6a0dfeadcc65ed79936b2ad57d655593aacbf5b73071cc457 83

sha384 7db55441d86867e3a5471596871fe6a8ef5a4a73b157b9ad591232e19c659 c7b3a55350d525702d1fd4ebb6f6240889c

sha512 149b58882afb623d1699d9ca24fa872be19d90be7410e75e6ccceafb5cfb00 4f391b22e2bd7af2f772a66d4bcc172e71bc2923e1a502ff9b051b63b8bbebc 978

ssdeep 6144:tf+/SNUXNYGv+Y/jjVciSbuxhvnnv0ZSm9U6ZHl:tf+/S+9f2YnVPSCxNn ncSr6ZF

Report #13561

Creation Date: Aug. 20, 2021, 2:48 p.m.

Last Update: Aug. 21, 2021, 11:43 a.m.

File:

WpcTok.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches VC8_Microsoft_Corporation, domain, contentis_base64, url, win_mutex, Micr osoft_Visual_Cpp_8, HasDebugData, IsConsole, IsPE32, HasRichSignature, B ig_Numbers1

Suspicious True

Imports

ntdll.dll EtwGetTraceEnableFlags, EtwRegisterTraceGuidsW, EtwUnregisterTraceGuid s, EtwGetTraceEnableLevel, EtwGetTraceLoggerHandle, EtwTraceMessage

msvcp_win.dll ??1_Lockit@std@@QAE@XZ, ??0_Locinfo@std@@QAE@PBD@Z, ??0_Lockit

@std@@QAE@H@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12

@XZ, ?id@?$ctype@G@std@@2V0locale@2@A, ??Bid@locale@std@@QAEI XZ, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, ?id@?$collate@G@st d@@2V0locale@2@A, ?_Xbad_function_call@std@@YAXXZ, ??1_Locinfo@st d@@QAE@XZ, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ , ?_Getcoll@_Locinfo@std@@QBE?AU_Collvec@@XZ, ?is@?$ctype@G@std

@@QBE_NFG@Z, ?_Getcat@?$ctype@G@std@@SAIPAPBVfacet@locale@2

@PBV42@@Z, ?_Incref@facet@locale@std@@UAEXXZ, _Wcscoll, ?tolower

@?$ctype@G@std@@QBEPBGPAGPBG@Z, ?tolower@?$ctype@G@std@@Q BEGG@Z, _Wcsxfrm, ??1facet@locale@std@@MAE@XZ, ??0facet@locale@

std@@IAE@I@Z, ?_Xbad_alloc@std@@YAXXZ, ?_Xout_of_range@std@@YA XPBD@Z, ?_Xregex_error@std@@YAXW4error_type@regex_constants@1@

@Z, ?_Xlength_error@std@@YAXPBD@Z

api-ms-win-core-com-l1-1-0.dll CoUninitialize, CoWaitForMultipleHandles, CoCreateFreeThreadedMarshaler, CoInitializeEx

api-ms-win-core-url-l1-1-0.dll UrlEscapeW api-ms-win-core-file-l1-1-0.dll CompareFileTime

api-ms-win-core-heap-l1-1-0.dll GetProcessHeap, HeapFree, HeapAlloc api-ms-win-core-heap-l2-1-0.dll LocalFree

api-ms-win-core-debug-l1-1-0.dl l

DebugBreak, IsDebuggerPresent, OutputDebugStringW

api-ms-win-core-synch-l1-1-0.dll LeaveCriticalSection, SleepEx, OpenSemaphoreW, WaitForSingleObject, Del eteCriticalSection, InitializeCriticalSectionEx, EnterCriticalSection, AcquireS

(3)

RWLockShared, AcquireSRWLockExclusive, WaitForSingleObjectEx, Release SRWLockExclusive, ReleaseMutex, CreateEventExW, SetEvent, ReleaseSem aphore, CreateMutexExW, CreateSemaphoreExW, ReleaseSRWLockShared, InitializeCriticalSection, InitializeSRWLock

api-ms-win-core-synch-l1-2-0.dll SleepConditionVariableSRW, WakeAllConditionVariable, InitOnceBeginInitiali ze, InitOnceComplete

api-ms-win-core-winrt-l1-1-0.dll RoInitialize, RoGetActivationFactory, RoUninitialize api-ms-win-crt-string-l1-1-0.dll memset

api-ms-win-core-handle-l1-1-0.d ll

CloseHandle

api-ms-win-core-string-l1-1-0.dll WideCharToMultiByte

api-ms-win-crt-private-l1-1-0.dll _o__get_initial_wide_environment, _o__i64tow_s, _o__initialize_onexit_table, _o__initialize_wide_environment, _o__invalid_parameter_noinfo, _o__invalid_

parameter_noinfo_noreturn, _o__itoa_s, _o__purecall, _o__register_onexit_fu nction, _o__seh_filter_exe, _o__set_app_type, _o__set_errno, _o__set_fmode, _o__set_new_mode, _o___p__commode, _o__ui64tow_s, memmove, _o__wcs toui64, _o_exit, _o_free, _o_malloc, _o_realloc, _o_strncpy_s, _o_strtol, _o_te rminate, _o_towlower, _except_handler4_common, _CxxThrowException, _o ___p___wargv, _o___p___argc, _o__cexit, _o__callnewh, _o__exit, _o__errno, _ o__crt_atexit, _o__controlfp_s, _o__configure_wide_argv, _o___stdio_common _vswprintf, _o__configthreadlocale, _o___stdio_common_vsnprintf_s, _o___st dio_common_vfwprintf, _o___std_type_info_name, _o___std_exception_destr oy, _o___std_exception_copy, _o___acrt_iob_func, __std_terminate, __CxxFra meHandler3, memcmp, memcpy, wcschr, __std_type_info_compare, strchr

api-ms-win-crt-runtime-l1-1-0.dl l

_initterm_e, _c_exit, _register_thread_local_exe_atexit_callback, _initterm

api-ms-win-core-profile-l1-1-0.dl l

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0.d ll

GetSystemTimeAsFileTime, GetTickCount

api-ms-win-core-apiquery-l1-1-0 .dll

ApiSetQueryApiSetPresence

api-ms-win-core-registry-l1-1-0.

dll

RegQueryValueExW, RegSetValueExW, RegDeleteTreeW, RegCreateKeyExW, RegOpenKeyExW, RegCloseKey, RegGetValueW, RegEnumKeyExW, RegEnu mValueW, RegDeleteValueW

api-ms-win-core-timezone-l1-1- 0.dll

SystemTimeToFileTime, FileTimeToSystemTime

api-ms-win-security-base-l1-1-0.

dll

CopySid, CreateWellKnownSid, GetTokenInformation

api-ms-win-security-sddl-l1-1-0.

dll

ConvertSidToStringSidW

(4)

api-ms-win-core-delayload-l1-1- 0.dll

DelayLoadFailureHook

api-ms-win-core-delayload-l1-1- 1.dll

ResolveDelayLoadedAPI

api-ms-win-service-winsvc-l1-1- 0.dll

ControlService

api-ms-win-core-threadpool-l1-2 -0.dll

CreateThreadpoolTimer, CloseThreadpool, SetThreadpoolTimer, WaitForThr eadpoolTimerCallbacks, CloseThreadpoolTimer

api-ms-win-shcore-obsolete-l1-1 -0.dll

CommandLineToArgvW

api-ms-win-core-interlocked-l1- 1-0.dll

InitializeSListHead

api-ms-win-core-localization-l1- 2-0.dll

FormatMessageW

api-ms-win-core-winrt-string-l1- 1-0.dll

WindowsCreateStringReference, WindowsGetStringRawBuffer, WindowsDel eteString

api-ms-win-eventing-provider-l1 -1-0.dll

EventRegister, EventSetInformation, EventActivityIdControl, EventUnregiste r, EventWriteTransfer

api-ms-win-core-errorhandling-l 1-1-0.dll

RaiseException, SetUnhandledExceptionFilter, GetLastError, UnhandledExce ptionFilter, SetLastError

api-ms-win-core-libraryloader-l1 -2-0.dll

GetModuleHandleW, GetModuleFileNameA, GetProcAddress, GetModuleHan dleExW

api-ms-win-service-managemen t-l1-1-0.dll

OpenServiceW, OpenSCManagerW

api-ms-win-core-processthreads -l1-1-0.dll

GetCurrentThreadId, TlsGetValue, TlsSetValue, TlsAlloc, TlsFree, OpenProce ssToken, GetCurrentThread, TerminateProcess, GetCurrentProcess, OpenThr eadToken, GetCurrentProcessId

api-ms-win-core-processthreads -l1-1-1.dll

IsProcessorFeaturePresent

api-ms-win-core-processenviron ment-l1-1-0.dll

GetCommandLineW

Strings

List

https://login.microsoft.com wpctok.pdb

Windows.Security.Authentication.Web.Core.WebAuthenticationCoreManager Microsoft.FamilySafety.Dev

(5)

Microsoft.FamilySafety.Dev ext-ms-win-shell-shell32-l1-2-0.dll

Windows.Security.Authentication.Web.Core.WebTokenRequest api-ms-win-security-sddl-l1-1-0.dll

api-ms-win-core-registry-l1-1-0.dll api-ms-win-core-debug-l1-1-0.dll api-ms-win-security-base-l1-1-0.dll 3ntdll.dll

kernelbase.dll ntdll.dll msvcp_win.dll WpcTok.exe WpcTok.exe

Microsoft.Windows.FamilySafety.Reliability Local\SM0:%d:%d:%hs

api-ms-win-core-interlocked-l1-1-0.dll

%hs(%u)\%hs!%p:

%hs!%p:

api-ms-win-core-localization-l1-2-0.dll api-ms-win-core-winrt-l1-1-0.dll

api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-processthreads-l1-1-1.dll api-ms-win-core-threadpool-l1-2-0.dll (caller: %p)

api-ms-win-shcore-obsolete-l1-1-0.dll

api-ms-win-core-processenvironment-l1-1-0.dll

Software\Microsoft\Windows\CurrentVersion\Parental Controls api-ms-win-core-apiquery-l1-1-0.dll

api-ms-win-core-sysinfo-l1-1-0.dll

Software\Microsoft\Windows\CurrentVersion\Store api-ms-win-core-libraryloader-l1-2-0.dll

api-ms-win-core-errorhandling-l1-1-0.dll api-ms-win-core-string-l1-1-0.dll

api-ms-win-core-timezone-l1-1-0.dll api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-delayload-l1-1-0.dll api-ms-win-core-delayload-l1-1-1.dll api-ms-win-service-management-l1-1-0.dll

%hs(%d) tid(%x) %08X %ws api-ms-win-core-file-l1-1-0.dll api-ms-win-core-synch-l1-1-0.dll api-ms-win-core-url-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll MBI_SSL

api-ms-win-core-heap-l1-1-0.dll api-ms-win-core-heap-l2-1-0.dll api-ms-win-service-winsvc-l1-1-0.dll api-ms-win-core-winrt-string-l1-1-0.dll api-ms-win-core-com-l1-1-0.dll

api-ms-win-eventing-provider-l1-1-0.dll api-ms-win-crt-runtime-l1-1-0.dll api-ms-win-crt-string-l1-1-0.dll api-ms-win-core-handle-l1-1-0.dll api-ms-win-crt-private-l1-1-0.dll ext-ms-win-shell-shell32-l1-2-2 ext-ms-win-shell-shell32-l1-2-3 ext-ms-win-shell-shell32-l1-2-0 ext-ms-win-shell-shell32-l1-3-0 ext-ms-win-shell-shell32-l1-2-1

(6)

.?AV_Root_node@std@@

_o__register_onexit_function _o___std_exception_destroy ms-wpc://HandleMsaVerification CallContext:[%hs]

.?AU?$ImplementsHelper@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$0A@U?$IAsyncOperationCompleted Handler@PAVWebAccountProvider@Credentials@Security@Windows@@@Foundation@Windows@@VFtmBase@23

@@Details@WRL@Microsoft@@

.?AV?$RuntimeClassImpl@U?$RuntimeClassFlags@$01@WRL@Microsoft@@$00$0A@$0A@U?$IAsyncOperationCo mpletedHandler@PAVWebAccountProvider@Credentials@Security@Windows@@@Foundation@Windows@@VFtmB ase@23@@Details@WRL@Microsoft@@

.?AV?$RuntimeClass@U?$RuntimeClassFlags@$01@WRL@Microsoft@@U?$IAsyncOperationCompletedHandler@PA VWebAccountProvider@Credentials@Security@Windows@@@Foundation@Windows@@VFtmBase@23@@WRL@M icrosoft@@

IsProcessorFeaturePresent GetProcAddress

RunUserProxy AccountID

IsDebuggerPresent TerminateProcess OpenProcessToken ShellExecuteExW lstd::exception: %hs

.?AU?$IAsyncOperationCompletedHandler@PAVWebAccountProvider@Credentials@Security@Windows@@@Found ation@Windows@@

ControlService OpenServiceW RegCreateKeyExW

QueryPerformanceCounter RegQueryValueExW RegEnumKeyExW RegSetValueExW RegOpenKeyExW GetModuleFileNameA RegDeleteValueW RegGetValueW GetModuleHandleW OpenSCManagerW

GetTickCount

MSATokenBroker::GetTicket AccountProviderNotAvailable hr={0}

.?AU?$IAsyncOperationCompletedHandler_impl@U?$AggregateType@PAVWebAccountProvider@Credentials@Secur ity@Windows@@PAUIWebAccountProvider@234@@Internal@Foundation@Windows@@@Foundation@Windows@

@

.?AVFTMEventDelegate@?1???$WaitForCompletion@U?$IAsyncOperationCompletedHandler@PAVWebAccountProvi der@Credentials@Security@Windows@@@Foundation@Windows@@U?$IAsyncOperation@PAVWebAccountProvide r@Credentials@Security@Windows@@@23@@@YGJPAU?$IAsyncOperation@PAVWebAccountProvider@Credentials

@Security@Windows@@@Foundation@Windows@@W4tagCOWAIT_FLAGS@@PAX@Z@

SleepEx

Foremost

Matches 0.exe, 209 KB

Suspicious True

(7)

Heuristics

IPs hasIPs: False

Allowed Suspicious

hasAllowed: False hasSuspicious: False

URLs Allowed: https://login.microsoft.com

hasURLs: True Suspicious

hasAllowed: True hasSuspicious: False

Files Allowed: kernelbase.dll, 3ntdll.dll, api-ms-win-core-string-l1-1-0.dll, api-ms- win-core-handle-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-co re-delayload-l1-1-0.dll, api-ms-win-core-timezone-l1-1-0.dll, api-ms-win-core -profile-l1-1-0.dll, api-ms-win-core-winrt-l1-1-0.dll, msvcp_win.dll, api-ms-wi n-core-processenvironment-l1-1-0.dll, api-ms-win-service-management-l1-1 -0.dll, api-ms-win-core-threadpool-l1-2-0.dll, api-ms-win-security-sddl-l1-1-0.

dll, api-ms-win-core-errorhandling-l1-1-0.dll, ntdll.dll, api-ms-win-core-locali zation-l1-2-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-crt-string-l1-1-0.

dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-security-base-l1-1-0.dll, a pi-ms-win-core-delayload-l1-1-1.dll, api-ms-win-core-heap-l1-1-0.dll, api-ms- win-core-processthreads-l1-1-1.dll, api-ms-win-shcore-obsolete-l1-1-0.dll, ap i-ms-win-core-url-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-cor e-synch-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dll, api-ms-win-core-d ebug-l1-1-0.dll, ext-ms-win-shell-shell32-l1-2-0.dll, api-ms-win-core-processt hreads-l1-1-0.dll, api-ms-win-eventing-provider-l1-1-0.dll, api-ms-win-servic e-winsvc-l1-1-0.dll, api-ms-win-core-com-l1-1-0.dll, api-ms-win-crt-runtime-l 1-1-0.dll, api-ms-win-crt-private-l1-1-0.dll, api-ms-win-core-apiquery-l1-1-0.

dll, api-ms-win-core-winrt-string-l1-1-0.dll, api-ms-win-core-libraryloader-l1- 2-0.dll, api-ms-win-core-heap-l2-1-0.dll

hasFiles: True Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 49152

Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 8192 Suspicious: False Headers

(8)

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 224789

Suspicous: False

Sections Allowed: .text, .data, .idata, .didat, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 10

Suspicious: False Image

Version: False Suspicious: 10 Linker

Version: 14.20 Suspicious: False Subsystem

Version: 10.0 Suspicious: False Suspicious: False

EntryPoint Address: 145088

Suspicious: False

Anomalies Anomalies

hasAnomalies: False

Libraries Allowed: kernelbase.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-core- handle-l1-1-0.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-delayl oad-l1-1-0.dll, api-ms-win-core-timezone-l1-1-0.dll, api-ms-win-core-profile-l 1-1-0.dll, api-ms-win-core-winrt-l1-1-0.dll, api-ms-win-core-processenvironm ent-l1-1-0.dll, api-ms-win-service-management-l1-1-0.dll, api-ms-win-core-t hreadpool-l1-2-0.dll, api-ms-win-security-sddl-l1-1-0.dll, api-ms-win-core-err orhandling-l1-1-0.dll, ntdll.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms

(9)

-win-core-file-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, api-ms-win-securi ty-base-l1-1-0.dll, api-ms-win-core-delayload-l1-1-1.dll, api-ms-win-core-hea p-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-1.dll, api-ms-win-shcore-o bsolete-l1-1-0.dll, api-ms-win-core-url-l1-1-0.dll, api-ms-win-core-synch-l1-2- 0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-interlocked-l1-1-0.dl l, api-ms-win-core-debug-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.d ll, api-ms-win-eventing-provider-l1-1-0.dll, api-ms-win-service-winsvc-l1-1-0.

dll, api-ms-win-core-com-l1-1-0.dll, api-ms-win-core-apiquery-l1-1-0.dll, api- ms-win-core-winrt-string-l1-1-0.dll

hasLibs: True

Suspicious: 3ntdll.dll, msvcp_win.dll, api-ms-win-crt-string-l1-1-0.dll, ext-m s-win-shell-shell32-l1-2-0.dll, api-ms-win-crt-runtime-l1-1-0.dll, api-ms-win-c rt-private-l1-1-0.dll, api-ms-win-core-libraryloader-l1-2-0.dll, api-ms-win-cor e-heap-l2-1-0.dll

hasAllowed: True hasSuspicious: True

Timestamp Past: False

Valid: True

Value: 2054-11-02 19:28:26 Future: True

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation XOR: False

Fuzzing: False

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushret .text: 1

pushpopmath .data: 25

.text: 15 .reloc: 12

(10)

ss register .reloc: 1

garbagebytes .text: 1

hookdetection .reloc: 3

stealthimport .idata: 1

software breakpoint .reloc: 2

programcontrolflowchange .text: 1

cpuinstructionsresultscomparison .text: 2 .idata: 2

AVclass

File

Trace

21/8/2021 - 10:45:43 .497

Un kn ow n

4 C:\Users\Behemot\Desktop\desktop.ini

21/8/2021 - 10:45:43 .497

Un kn ow n

4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

21/8/2021 - 10:45:47 .481

Wri

te 4 C:\Windows

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

C:\Windows\System32\

svchost.exe C:\Monitor\WKCD_Load_Use.exe

21/8/2021 - 10:45:48 .856

Un kn ow n

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

(11)

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

21/8/2021 - 10:45:48 .856

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

21/8/2021 - 10:45:48 .856

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

21/8/2021 - 10:45:48 .856

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

21/8/2021 - 10:45:48 .856

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A2F27954F4B4C5FD26

21/8/2021 - 10:45:48 .856

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

2

(12)

21/8/2021 - 10:45:48 .856

Op en

9 2 8

21/8/2021 - 10:45:48 .856

Re ad

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Re ad

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Re ad

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Re ad

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .856

Op en

2 9 2 8

svchost.exe C:\Windows\Temp\TMP000000A30415A103D3F52066

21/8/2021 - 10:45:48 .872

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

21/8/2021 - 10:45:48 .872

Op en

2 9 2 8

svchost.exe C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

21/8/2021 - 10:45:48 .872

Op en

2 9 2 8

21/8/2021 - 10:45:48 .872

Re ad

2 9 2 8

21/8/2021 - 10:45:48 .872

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

21/8/2021 Un 2

(13)

- 10:45:48 .872

kn ow n

9 2 8

svchost.exe

C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us e.exe

21/8/2021 - 10:45:48 .872

Op en

2 9 2 8

21/8/2021 - 10:45:48 .872

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .872

Op en

2 9 2 8

21/8/2021 - 10:45:48 .872

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .872

Op en

2 9 2 8

21/8/2021 - 10:45:48 .872

Un kn ow n

2 9 2 8

e.exe

21/8/2021 - 10:45:48 .872

Wri te

2 5 7 6

C:\Monitor\WKCD_Load_

Use.exe C:\Monitor\Files\Logs\File.log

21/8/2021 - 10:45:48 .918

Un kn ow n

2 9 2 8

TMP000000A2 F27954F4B4C5 FD26

21/8/2021 - 10:45:49 .481

Un kn ow n

4 C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

21/8/2021 - 10:45:49 .481

Wri

te 4 C:\Monitor\Files\Logs\File.log

21/8/2021 - 10:45:49

Un kn

ow 4 C:\Monitor\Files\Logs\File.log

(14)

.481 n

21/8/2021 - 10:45:53 .372

Op en

7 9 6

svchost.exe

C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782 7.pf

21/8/2021 - 10:45:53 .372

Op en

7 9 6

svchost.exe

21/8/2021 - 10:45:53 .372

Wri te

7 9 6

svchost.exe

WKCD_LOAD_U SE.EXE-695C7 827.pf

21/8/2021 - 10:45:53 .372

Un kn ow n

7 9 6

svchost.exe

21/8/2021 - 10:45:53 .387

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

21/8/2021 - 10:45:53 .387

Un kn ow n

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

21/8/2021 - 10:45:53 .387

Op en

7 9 6

svchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

21/8/2021 - 10:45:53 .387

Wri te

7 9 6

21/8/2021 - 10:45:53 .387

Un kn ow n

7 9 6

21/8/2021 - 10:45:53 .465

Wri

te 4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

21/8/2021 - 10:45:53 .465

Wri

te 4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

21/8/2021 - 10:45:53 .465

Un kn ow n

4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

Un

(15)

21/8/2021 - 10:45:53 .465

kn ow n

21/8/2021 - 10:45:53 .465

Un kn ow n

21/8/2021 - 10:45:53 .465

Wri te

2 5 7 6

21/8/2021 - 10:45:53 .465

Wri te

2 5 7 6

21/8/2021 - 10:45:53 .856

Op en

2 9 2 8

svchost.exe C:\Windows\System32\conhost.exe

21/8/2021 - 10:45:53 .856

Op en

2 9 2 8

21/8/2021 - 10:45:53 .856

Op en

2 9 2 8

21/8/2021 - 10:45:53 .856

Op en

2 9 2 8

21/8/2021 - 10:45:55 .481

Wri

21/8/2021 - 10:45:55 .481

Un kn ow n

4 C:\Monitor\Files\Logs\File.log

21/8/2021 - 10:45:59 .465

Wri

te 4 C:\Monitor

21/8/2021 - 10:46:11 .465

Wri

te 4 C:\Windows\Temp

(16)

21/8/2021 - 10:46:17 .481

Wri te

6 8 4

svchost.exe

C:\Windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat

21/8/2021 - 10:46:18 .262

Wri

te 4 C:\Windows

21/8/2021 - 10:46:19 .465

Wri

te 4 C:\Windows

21/8/2021 - 10:46:27 .418

Wri

te 4 C:\Windows\System32\config\SYSTEM.LOG1

21/8/2021 - 10:46:27 .418

Wri

21/8/2021 - 10:46:27 .418

Wri

21/8/2021 - 10:46:27 .418

Wri

21/8/2021 - 10:46:27 .418

Wri

te 4 C:\Windows\System32\config\SYSTEM

21/8/2021 - 10:46:27 .418

Wri

21/8/2021 - 10:46:27 .418

Wri

21/8/2021 - 10:46:27 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

te 4 C:\System Volume Information\Syscache.hve.LOG1

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

(17)

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

te 4 C:\System Volume Information\Syscache.hve

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 Wri

(18)

.418

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .418

Wri

21/8/2021 - 10:46:32 .434

Wri te

2 5 7 6

21/8/2021 - 10:46:32 .528

Wri

21/8/2021 - 10:46:35 .434

Wri

21/8/2021 - 10:46:35 .434

Un kn ow n

21/8/2021 - 10:46:55 .715

Op en

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

21/8/2021 - 10:46:55 .715

Un kn ow n

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

21/8/2021 - 10:47:17 .481

Wri te

6 8 4

svchost.exe

21/8/2021 - 10:47:27 .559

Op en

1 8 6 4

C:\Windows\explorer.ex

e C:\

21/8/2021 - 10:47:27 .559

Un kn ow n

1 8 6 4

e C:\

21/8/2021 - 10:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot

(19)

21/8/2021 - 10:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot

21/8/2021 - 10:47:32 .809

Un kn ow n

1 8 6 4

e C:\Users\Behemot

21/8/2021 - 10:47:32 .809

Op en

1 8 6 4

e C:\Users\Behemot\AppData\Roaming

21/8/2021 - 10:47:32 .809

Op en

1 8 6 4

21/8/2021 - 10:47:32 .809

Un kn ow n

1 8 6 4

21/8/2021 - 10:47:32 .809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes

21/8/2021 - 10:47:32 .809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes\slideshow.ini

21/8/2021 - 10:47:35 .856

Op en

7 9 6

svchost.exe C:\Windows\CSC\v2.0.6\namespace

21/8/2021 - 10:47:35 .856

Un kn ow n

7 9 6

21/8/2021 - 10:47:35 .856

Un kn ow n

7 9 6

21/8/2021 - 10:47:35 .856

Op en

7 9 6

svchost.exe \Device\Mup\.\.\

21/8/2021 - 10:47:35 .856

Op en

7 9 6

(20)

21/8/2021 - 10:47:35 .856

Un kn ow n

7 9 6

21/8/2021 - 10:47:35 .856

Un kn ow n

7 9 6

21/8/2021 - 10:47:35 .856

Un kn ow n

7 9 6

21/8/2021 - 10:47:41 .403

Re ad

1 2 3 2

C:\Program Files\Windo ws Media Player\wmpn etwk.exe

C:\Program Files\Windows Media Player\wmpnetwk.e xe

21/8/2021 - 10:47:41 .403

Wri te

2 5 7 6

21/8/2021 - 10:47:41 .403

Wri te

2 5 7 6

21/8/2021 - 10:47:44 .403

Wri

21/8/2021 - 10:47:44 .403

Un kn ow n

21/8/2021 - 10:48:11 .309

Op

en 4 \Device\HarddiskVolume1\System Volume Informatio n

21/8/2021 - 10:48:11 .309

Un kn ow n

4 \Device\HarddiskVolume1\System Volume Informatio n

21/8/2021 - 10:48:13 .59

Op

en 4 C:\System Volume Information

21/8/2021 - 10:48:13 Op

en 4 C:\System Volume Information\{3808876b-c176-4e4 8-b7ae-04046e6cc752}

(21)

.59

21/8/2021 - 10:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7ec-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

21/8/2021 - 10:48:13 .59

Op en 4

C:\System Volume Information\{bcf7d7f0-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

21/8/2021 - 10:48:13 .59

Un kn ow n

4 C:\System Volume Information

21/8/2021 - 10:48:17 .497

Wri te

6 8 4

svchost.exe

21/8/2021 - 10:48:25 .903

Op en

7 9 6

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

21/8/2021 - 10:48:25 .903

Op en

7 9 6

21/8/2021 - 10:48:25 .903

Op en

7 9 6

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

21/8/2021 - 10:48:25 .903

Op en

7 9 6

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

(22)

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

21/8/2021 - 10:48:25 .903

Un kn ow n

7 9 6

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Windows\System32\t askhost.exe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.IE5\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

Temporary Internet Files\Content.IE5\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

History\History.IE5\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

History\History.IE5\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca che\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca

che\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatCache\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo

ws\IECompatCache\container.dat container.dat

21/8/2021 1

(23)

- 10:49:20 .715

Op en

7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatUACache\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

ws\IECompatUACache\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\DNTException\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

ws\DNTException\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Cookies\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

ws\Cookies\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieSiteList\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E

xplorer\EmieSiteList\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieUserList\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E

xplorer\EmieUserList\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\DOMStore\container.dat

21/8/2021 - 10:49:20

Un kn

1

7 C:\Windows\System32\t C:\Users\Behemot\AppData\Local\Microsoft\Internet E container.dat

(24)

.715 ow n

9 6

askhost.exe xplorer\DOMStore\container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

History\History.IE5\MSHist012018050320180504\con tainer.dat

container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IEDownloadHistory\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

ws\IEDownloadHistory\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

AppCache\B2419NGQ\container.dat

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

AppCache\B2419NGQ\container.dat container.dat

21/8/2021 - 10:49:20 .715

Op en

1 7 9 6

WebCache

21/8/2021 - 10:49:20 .715

Un kn ow n

1 7 9 6

WebCache

21/8/2021 - 10:49:20 .715

Wri te

2 5 7 6

21/8/2021 - 10:49:20 .715

Wri te

2 5 7 6

21/8/2021 - 10:49:20 Wri

te 1 7 9

WebCache\WebCacheV01.dat

(25)

.762 6

21/8/2021 - 10:49:20 .762

Wri

te 4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

21/8/2021 - 10:49:20 .856

Wri te

1 7 9 6

21/8/2021 - 10:49:20 .856

Wri

21/8/2021 - 10:49:20 .950

Wri te

1 7 9 6

21/8/2021 - 10:49:20 .950

Wri

21/8/2021 - 10:49:20 .950

Wri te

1 7 9 6

WebCache\V01.log

21/8/2021 - 10:49:20 .950

Wri

WebCache\V01.log

21/8/2021 - 10:49:20 .950

Re ad

1 7 9 6

21/8/2021 - 10:49:20 .997

Wri te

1 7 9 6

WebCache\V01.log

21/8/2021 - 10:49:20 .997

Wri

WebCache\V01.log

21/8/2021 - 10:49:20 .997

Wri te

1 7 9 6

WebCache\V01.log

21/8/2021 - 10:49:20 .997

Wri

WebCache\V01.log

(26)

21/8/2021 - 10:49:21 .43

Wri te

1 7 9 6

21/8/2021 - 10:49:21 .43

Wri

21/8/2021 - 10:49:21 .90

Op en

1 7 9 6

21/8/2021 - 10:49:21 .90

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:21 .90

Op en

1 7 9 6

WebCache

21/8/2021 - 10:49:21 .90

Un kn ow n

1 7 9 6

WebCache

21/8/2021 - 10:49:21 .90

Op en

1 7 9 6

21/8/2021 - 10:49:21 .90

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:21 .90

Wri te

2 5 7 6

21/8/2021 - 10:49:23 .747

Wri

21/8/2021 - 10:49:23 .747

Un kn ow n

21/8/2021 Un kn

2

3 C:\Windows\System32\

(27)

- 10:49:25 .856

ow n

6 0

audiodg.exe C:\Windows

21/8/2021 - 10:49:30 .778

Wri te

1 7 9 6

21/8/2021 - 10:49:30 .778

Wri

21/8/2021 - 10:49:30 .825

Wri te

1 7 9 6

21/8/2021 - 10:49:30 .825

Wri

21/8/2021 - 10:49:30 .856

Op en

7 9 6

21/8/2021 - 10:49:30 .856

Un kn ow n

7 9 6

21/8/2021 - 10:49:30 .856

Un kn ow n

7 9 6

21/8/2021 - 10:49:30 .856

Op en

7 9 6

21/8/2021 - 10:49:30 .856

Op en

7 9 6

21/8/2021 - 10:49:30 .856

Un kn ow n

7 9 6

21/8/2021 - 10:49:30 .856

Un kn ow n

7 9 6

21/8/2021 - 10:49:30

Un kn 7

9 C:\Windows\System32\ C:\Windows\CSC\v2.0.6\namespace

(28)

.856 ow n

6 svchost.exe

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

WebCache

21/8/2021 - 10:49:30 Op

en 1 7 9

WebCache

(29)

.872 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

WebCache

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

C:\Windows\System32\t

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 Op

en 1 7

9 C:\Windows\System32\t

(30)

.872 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9

askhost.exe C:\Users\Behemot\AppData\Local

(31)

6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

(32)

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users\Behemot

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

(33)

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

askhost.exe C:\Users

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Op en

1 7 9 6

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 1

(34)

- 10:49:30 .872

Op en

7 9 6

C:\Users

21/8/2021 - 10:49:30 .872

Un kn ow n

1 7 9 6

21/8/2021 - 10:49:30 .872

Wri te

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Wri

WebCache\V01.chk

21/8/2021 - 10:49:30 .872

Wri te

2 5 7 6

21/8/2021 - 10:49:30 .872

Wri te

2 5 7 6

21/8/2021 - 10:49:30 .872

Wri te

1 7 9 6

WebCache\V01.chk

21/8/2021 - 10:49:30 .887

Wri

WebCache\V01.chk

21/8/2021 - 10:49:30 .887

Wri te

2 5 7 6

21/8/2021 - 10:49:30 .887

Wri te

2 5 7 6

21/8/2021 - 10:49:31 .497

Wri

21/8/2021 - 10:49:31 .497

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

(35)

21/8/2021 - 10:49:31 .497

Un kn ow n

4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

WebCache\V01.chk

21/8/2021 - 10:49:31 .497

Un kn ow n

21/8/2021 - 10:49:32 .481

Wri te

6 8 4

svchost.exe

Process

Trace

21/8/2021 - 10:49:25.8 56

Terminat e

68 4

C:\Windows\System32\svchost.e xe

236 0

C:\Windows\System32\audiodg.e xe

Analysis

Reason Timeout

Status Sucessfully Executed

Results 1

Registry

Trace

21/8/2021 - 10:4 6:22.418

Wr

ite 4 \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObj

ectStore\LruList CurrentLru

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000ED ObjectId

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000ED ObjectLru

21/8/2021 - 10:4 6:22.418

Wr

ectStore\ObjectTable\1E _ObjectLru_

(36)

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000E8 ObjectId

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000E8 ObjectLru

21/8/2021 - 10:4 6:22.418

Wr

ectStore\ObjectTable\3E _ObjectLru_

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000EB ObjectId

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000EB ObjectLru

21/8/2021 - 10:4 6:22.418

Wr

ectStore\ObjectTable\3F _ObjectLru_

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000F0 ObjectId

21/8/2021 - 10:4 6:22.418

Wr

ectStore\LruList\00000000000000F0 ObjectLru

21/8/2021 - 10:4 6:22.418

Wr

ectStore\ObjectTable\40 _ObjectLru_

21/8/2021 - 10:4 6:23.934

Wr

ite 4 \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b 1a-11d4-9123-0050047759bc}\22

21/8/2021 - 10:4 6:23.934

Wr

ffffffffffffffffffffff ffffffff00

21/8/2021 - 10:4 6:23.934

Wr

21/8/2021 - 10:4 6:23.934

Wr

21/8/2021 - 10:4 6:23.934

Wr

File Summary

Created Identified: True

Deleted Identified: False

Process Summary

(37)

Created Identified: False

Deleted Identified: True

Registry Summary

Proxy Identified: False

AutoRun Identified: False

Created Identified: True

Deleted Identified: False

Browsers Identified: False

Internet Identified: False

DNS

Query

Response

TCP

Info

UDP

Info

(38)

HTTP

Info

Summary

DNS False

TCP False

UDP False

HTTP False

Results

BINARY

NFS 2.0 (Threshold = 0.8) confidence: 82.50%

suspicious: False

NFS 3.0 (Threshold = 0.75) confidence: 71.33%

suspicious: True

Decision Tree (NFS-BRMalware) confidence: 100.00%

MalConv (Ember: Raw Bytes, Threshold=0.5) confidence: 79.90%

Random Forest (100 estimators, NFS-BRMalware) confidence: 85.00%

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35) confidence: 59.89%

(39)

LightGDM (Ember: File Characteristics, Threshold=0.8336) confidence: 100.00%