Report #13251

  • Creation Date: Aug. 20, 2021, 2:16 a.m.
  • Last Update: Aug. 20, 2021, 12:35 p.m.
  • File: mtstocom.exe
  • Results:
Binary
DLL: False
Size: 110.50KB
trid:
  • 61.7% Win64 Executable
  • 14.7% Win32 Dynamic Link Library
  • 10.0% Win32 Executable
  • 4.5% OS/2 Executable
  • 4.4% Generic Win/DOS Executable
type: PE
wordsize: 32
Subsystem: Windows CLI
Hashes
md5: 5930c59472f42b5f237500c999727441
sha1: 3d41ac230b7fb2a467804d5341a54491d8af0530
crc32: 0xc9831073
sha224: 9e69c9a63769427ab54937cac82ba105b82aaa904a98fe56119d2a79
sha256: 9db938cb9989a1882dbc0f344e510e76bafc4358b2aadb5dbb66a11d763a7ae6
sha384: b18838650060405d4b1609d469a3fbd414c34df31338a7ae461b96b1374fde65fe75fb56f37075931d481de0fe7846f6
sha512: c2e76cc6f64f32bffbf280c6e89fde42874cda4601048a9525c960d659d789199813157948a9661e379b4ac088142921974eefa20bfc69f79b99b48d7dc6008d
ssdeep: 3072:W2CFzMuka9O72YrrR97xU60rYPbFOgu3o:W1FQuc2YrjO6TTFOA
Community
Google: False
HashLib: False
YARA
Matches: VC8_Microsoft_Corporation, win_registry, domain, anti_dbg, screenshot, win_token, contentis_base64, Microsoft_Visual_Cpp_8, Visual_Cpp_2005_Release_Microsoft, HasDebugData, IsConsole, win_files_operation, IsPE32, HasRichSignature, possible_includes_base64_packed_functions, IP

Suspicious: True

Imports
ntdll.dll
wcsrchr, _wcsnicmp
USER32.dll
CharNextA, CharPrevA
msvcrt.dll
_initterm, _except_handler4_common, __setusermatherr, _cexit, ?terminate@@YAXXZ, _controlfp, _lock, _unlock, __dllonexit, _onexit, memcpy, __p__fmode, _exit, exit, __set_app_type, memcmp, _local_unwind4, _waccess, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, _strtime, _stricmp, wcsstr, wcschr, wcstombs, _wcsicmp, clock, _vsnwprintf, __CxxFrameHandler3, realloc, free, malloc, memset
SspiCli.dll
LogonUserExExW
ADVAPI32.dll
RegSetValueExW, RegCreateKeyExW, RegCloseKey, BuildSecurityDescriptorW, BuildTrusteeWithNameW, BuildTrusteeWithSidW, LsaLookupNames, ReportEventW, RegisterEventSourceW, DeregisterEventSource, RegConnectRegistryW
KERNEL32.dll
GetVersionExA, CloseHandle, HeapSetInformation, CreateFileA, GetLocalTime, MoveFileExW, GetFileSize, LocalSize, DelayLoadFailureHook, ResolveDelayLoadedAPI, GetLastError, OpenEventW, CreateFileW, SetFilePointer, GetModuleFileNameW, WriteFile, SetEvent, GetWindowsDirectoryA, GetComputerNameW
OLEAUT32.dll
SysAllocString, SysFreeString, VariantInit, VariantClear
api-ms-win-core-com-l1-1-0.dll
CoTaskMemFree, CoTaskMemRealloc, CoGetObjectContext, StringFromGUID2, CoTaskMemAlloc, CoUninitialize, CoCreateInstance, CLSIDFromString, CoInitializeEx
api-ms-win-core-file-l1-1-0.dll
FindClose, DeleteFileW, CreateDirectoryW, SetFileAttributesW, FindNextFileW, FindFirstFileW
api-ms-win-core-heap-l2-1-0.dll
LocalAlloc, LocalReAlloc, LocalFree
api-ms-win-core-debug-l1-1-0.dll
OutputDebugStringW, DebugBreak, IsDebuggerPresent
api-ms-win-core-synch-l1-1-0.dll
LeaveCriticalSection, WaitForSingleObject, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, EnterCriticalSection
api-ms-win-core-synch-l1-2-0.dll
Sleep
api-ms-win-core-string-l1-1-0.dll
CompareStringW
api-ms-win-core-string-l2-1-0.dll
IsCharAlphaNumericW, CharNextW, CharPrevW, IsCharAlphaW
api-ms-win-core-profile-l1-1-0.dll
QueryPerformanceCounter
api-ms-win-core-sysinfo-l1-1-0.dll
GetSystemTimeAsFileTime, GetTickCount, GetSystemWindowsDirectoryW
api-ms-win-core-version-l1-1-0.dll
VerQueryValueW
api-ms-win-core-registry-l1-1-0.dll
RegEnumKeyExW, RegOpenKeyExW, RegQueryInfoKeyW, RegFlushKey, RegEnumValueW, RegDeleteTreeW, RegQueryValueExW, RegDeleteValueW
api-ms-win-security-base-l1-1-0.dll
GetTokenInformation, CopySid, IsWellKnownSid, AllocateAndInitializeSid, GetSidSubAuthorityCount, GetSidLengthRequired, InitializeAcl, GetLengthSid, AddAccessAllowedAce, GetSecurityDescriptorDacl, CreatePrivateObjectSecurityEx, GetSecurityDescriptorLength, GetSidSubAuthority, DestroyPrivateObjectSecurity, FreeSid, AddAce, IsValidSecurityDescriptor
api-ms-win-security-sddl-l1-1-0.dll
ConvertStringSidToSidW, ConvertSidToStringSidW
api-ms-win-core-localization-l1-2-0.dll
FormatMessageW
api-ms-win-core-errorhandling-l1-1-0.dll
UnhandledExceptionFilter, SetUnhandledExceptionFilter
api-ms-win-core-libraryloader-l1-2-0.dll
GetModuleHandleW, LockResource, FreeLibrary, GetProcAddress, FindResourceExW, LoadLibraryExW, LoadStringW, LoadResource
api-ms-win-security-lsalookup-l1-1-0.dll
LookupAccountSidLocalW, LookupAccountNameLocalW
api-ms-win-security-lsapolicy-l1-1-0.dll
LsaEnumerateAccountRights, LsaQueryInformationPolicy, LsaClose, LsaFreeMemory, LsaAddAccountRights, LsaRemoveAccountRights, LsaStorePrivateData, LsaRetrievePrivateData, LsaOpenPolicy
api-ms-win-core-processthreads-l1-1-0.dll
GetExitCodeProcess, OpenThreadToken, CreateProcessW, GetCurrentThread, GetCurrentThreadId, GetCurrentProcessId, GetCurrentProcess, SetThreadToken, TerminateProcess, OpenProcessToken
api-ms-win-core-processenvironment-l1-1-0.dll
ExpandEnvironmentStringsW
Strings
List
mtstocom.pdb
Comsvcs.dll file version info: %s %s %s
%s\%s_%04d_%02d_%02d_%02d_%02d_%02d.dmp
api-ms-win-security-sddl-l1-1-0.dll
Software\Microsoft\COM3\Debug
api-ms-win-core-registry-l1-1-0.dll
api-ms-win-security-lsalookup-l1-1-0.dll
api-ms-win-security-lsapolicy-l1-1-0.dll
api-ms-win-core-debug-l1-1-0.dll
api-ms-win-security-base-l1-1-0.dll
RunDll32 comsvcs.dll,MiniDump
netutils.dll
SspiCli.dll
logoncli.dll
comsvcs.dll
catsrvut.dll
\mtstocom.log
\mtstocom.log
ntdll.dll
mtstocom.exe
SOFTWARE\Microsoft\Transaction Server
comres.dll
SYSTEM\CurrentControlSet\Control\Session Manager
com\complus\src\comcat\mtstocom\mtstocom.cpp
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\CATSRVUT
SetRolesOnComponentAndItsInterfaces returned false did not set any roles
Interface index is %i
Total install tlbs called = %i
Total install dlls called = %i
Setup started - [DATE:%02d,%02d,%d TIME: %02d:%02d %s]
name="Microsoft.Windows.COM.MTSToCOM"
RegReadDWORD returned (shutdownafter) false -- key didn't exist
**Error** Failed with exception %08x during AddWinLogonHook
Total Interfaces on Components = %i
**ERROR** components inproc server was greater than max_path
%s\%s*.dmp
api-ms-win-core-localization-l1-2-0.dll
pIRNTransServer->MoveToDescendantOrReply (looking for postpased) failed
CleanUpCOMRegistryEntries failed
api-ms-win-core-processthreads-l1-1-0.dll
api-ms-win-core-processenvironment-l1-1-0.dll
AssociateRole failed
RegReadDWORD failed
api-ms-win-core-version-l1-1-0.dll
api-ms-win-core-sysinfo-l1-1-0.dll
QI failed
DeleteAKey failed
PostMigrationPassed
Deleteable
Deleteable
api-ms-win-core-libraryloader-l1-2-0.dll
api-ms-win-core-errorhandling-l1-1-0.dll
api-ms-win-core-string-l2-1-0.dll
api-ms-win-core-string-l1-1-0.dll
api-ms-win-core-profile-l1-1-0.dll
*** Error Code = 0x%08x : %s
WasCompInstalled failed
Component index is %i
api-ms-win-core-file-l1-1-0.dll
pRoleColl->GetUtilInterface failed
api-ms-win-core-synch-l1-1-0.dll
api-ms-win-core-synch-l1-2-0.dll
File: %s:%d
api-ms-win-core-heap-l2-1-0.dll
api-ms-win-core-com-l1-1-0.dll
RegReadWriteString returned false, could just of not had a LocalServer32 key
%s %d %s full
File: %s, Line: %d
WasCompInstalled returned false: it was imported
SaveChanges (on packages after setting the identity and password) failed
Getting the mtstocom.exe module name failed
Total Methods on Interfaces = %i
MigrateInterfaceRoles failed
SOFTWARE\Classes
GetSecurityAdmin failed
SOFTWARE\Microsoft
TLB is %s
DLL is %s
Key is %s
Node is %s
MoveFileEx to delete the mtstocom.exe failed
Role name is %s
Orig Val is %s
Role id is %s
InstallNewPackage failed
DeleteTransactionServerKey failed
New Val is %s
AdminSetProperty failed
User name is %s
Main is returning hr = %x
Role index is %i
Module name was %s
Package id is %s
Inteface id is %s
Method index is %i
Package index is %i
Method name is %s
User index is %i
DeleteTransactionServerKey returned false -- post mode may have failed
AdminSetDWORDProperty (shutdownafter) failed

Foremost
Matches: 0.exe, 110 KB
Suspicious: True
Heuristics
IPs
hasIPs: False
Allowed: none
Suspicious: none
hasAllowed: False
hasSuspicious: False

URLs
hasURLs: False
Allowed: none
Suspicious: none
hasAllowed: False
hasSuspicious: False

Files
hasFiles: True
Allowed: comsvcs.dll, catsrvut.dll, comres.dll, user32.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-version-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-com-l1-1-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, ADVAPI32.dll, SspiCli.dll, api-ms-win-security-lsapolicy-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, OLEAUT32.dll, api-ms-win-security-base-l1-1-0.dll, ntdll.dll, netutils.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-string-l2-1-0.dll, msvcrt.dll, api-ms-win-core-libraryloader-l1-2-0.dll, logoncli.dll, api-ms-win-security-lsalookup-l1-1-0.dll, api-ms-win-security-sddl-l1-1-0.dll, KERNEL32.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-heap-l2-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
Suspicious: \mtstocom.log
hasAllowed: True
hasSuspicious: True

Binary
Sizes
RVA: 16, Suspicious: False
Code Size: 47104, Suspicious: False
Image Address: 4194304, Suspicious: False
Stack: 8192, Suspicious: False
Headers: 1024, Suspicious: False
Suspicious: False

Symbols
Number: 0, Suspicious: True
Pointer: 0, Suspicious: True
Directories
Number: 16, Suspicious: False

Checksum
Value: 165092
Suspicious: False

Sections
Allowed: .text, .data, .idata, .didat, .rsrc, .reloc
Suspicious: none
hasAllowed: True
hasSections: True
hasSuspicious: False

Versions
OS Version: 10, Suspicious: False
Image Version: 10, Suspicious: False
Linker Version: 14.20, Suspicious: False
Subsystem Version: 10.0, Suspicious: False
Suspicious: False

EntryPoint
Address: 96528
Suspicious: False

Anomalies
hasAnomalies: False

Libraries
hasLibs: True
Allowed: comsvcs.dll, catsrvut.dll, comres.dll, user32.dll, api-ms-win-core-string-l1-1-0.dll, api-ms-win-core-version-l1-1-0.dll, api-ms-win-core-synch-l1-2-0.dll, api-ms-win-core-localization-l1-2-0.dll, api-ms-win-core-com-l1-1-0.dll, api-ms-win-core-file-l1-1-0.dll, api-ms-win-core-synch-l1-1-0.dll, api-ms-win-core-debug-l1-1-0.dll, advapi32.dll, sspicli.dll, api-ms-win-security-lsapolicy-l1-1-0.dll, api-ms-win-core-processthreads-l1-1-0.dll, api-ms-win-core-sysinfo-l1-1-0.dll, oleaut32.dll, api-ms-win-security-base-l1-1-0.dll, ntdll.dll, netutils.dll, api-ms-win-core-processenvironment-l1-1-0.dll, api-ms-win-core-string-l2-1-0.dll, msvcrt.dll, logoncli.dll, api-ms-win-security-lsalookup-l1-1-0.dll, api-ms-win-security-sddl-l1-1-0.dll, kernel32.dll, api-ms-win-core-registry-l1-1-0.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-errorhandling-l1-1-0.dll
Suspicious: api-ms-win-core-libraryloader-l1-2-0.dll, api-ms-win-core-heap-l2-1-0.dll
hasAllowed: True
hasSuspicious: True

Timestamp
Value: 1986-11-17 19:37:55
Valid: True
Past: True
Future: False

Compilation
Packed: False
Missing: False
Packers: none
Compiled: True
Compilers: Microsoft Visual C++ 8, VC8 -> Microsoft Corporation

Obfuscation
XOR: False
Fuzzing: False

PEDetector
Matches: None
Suspicious: False
Disassembly
hasTricks: True
Tricks
pushret
.text: 4

pushpopmath
.text: 3
.reloc: 3

garbagebytes
.text: 3

software breakpoint
.text: 1

programcontrolflowchange
.text: 3

cpuinstructionsresultscomparison
.text: 1
.idata: 1

AVclass: None
1
VirusTotal
md5: 5930c59472f42b5f237500c999727441
sha1: 3d41ac230b7fb2a467804d5341a54491d8af0530
SCANS (DETECTION RATE = 0.00%)
Engine | update | version | detected
CMC | 20210624 | 2.10.2019.1 | False
MAX | 20210703 | 2019.9.16.1 | False
APEX | 20210701 | 6.180 | False
Bkav | 20210703 | 1.3.0.9899 | False
K7GW | 20210702 | 11.191.37614 | False
Avira | 20210703 | 8.3.3.12 | False
Cynet | 20210703 | 4.0.0.27 | False
Cyren | 20210703 | 6.3.0.2 | False
DrWeb | 20210703 | 7.0.49.9080 | False
GData | 20210703 | A:25.30151B:27.23578 | False
Panda | 20210702 | 4.6.4.2 | False
VBA32 | 20210702 | 5.0.0 | False
VIPRE | 20210702 | 93724 | False
Zoner | 20210702 | 0.0.0.0 | False
ClamAV | 20210702 | 0.103.3.0 | False
Comodo | 20210703 | 33677 | False
Ikarus | 20210702 | 0.1.5.2 | False
Lionic | 20210703 | 4.2 | False
Rising | 20210703 | 25.0.0.26 | False
Sophos | 20210702 | 1.3.0.0 | False
Yandex | 20210702 | 5.5.2.24 | False
Zillya | 20210702 | 2.0.0.4400 | False
Acronis | 20210512 | 1.1.1.82 | False
Alibaba | 20190527 | 0.3.0.5 | False
Arcabit | 20210703 | 1.0.0.886 | False
Elastic | 20210524 | 4.0.22 | False
FireEye | 20210703 | 32.44.1.0 | False
TACHYON | 20210702 | 2021-07-02.02 | False
Tencent | 20210703 | 1.0.0.1 | False
ViRobot | 20210702 | 2014.3.20.0 | False
Webroot | 20210703 | 1.0.0.403 | False
Ad-Aware | 20210703 | 3.0.21.179 | False
Emsisoft | 20210703 | 2018.12.0.1641 | False
F-Secure | 20210703 | 12.0.86.52 | False
Fortinet | 20210703 | 6.2.142.0 | False
Jiangmin | 20210702 | 16.0.100 | False
Kingsoft | 20210703 | 2017.9.26.565 | False
Paloalto | 20210703 | 1.0 | False
Symantec | 20210702 | 1.15.0.0 | False
AhnLab-V3 | 20210703 | 3.20.3.10145 | False
Antiy-AVL | 20210703 | 3.0.0.1 | False
Kaspersky | 20210703 | 21.0.1.45 | False
MaxSecure | 20210702 | 1.0.0.1 | False
Microsoft | 20210703 | 1.1.18300.4 | False
Qihoo-360 | 20210703 | 1.0.0.1300 | False
ZoneAlarm | 20210703 | 1.0 | False
Cybereason | 20210330 | 1.2.449 | False
ESET-NOD32 | 20210703 | 23563 | False
Gridinsoft | 20210703 | 1.0.46.139 | False
BitDefender | 20210703 | 7.2 | False
CrowdStrike | 20210203 | 1.0 | False
K7AntiVirus | 20210702 | 11.191.37613 | False
SentinelOne | 20210518 | 5.1.0.5 | False
Malwarebytes | 20210703 | 4.2.2.27 | False
CAT-QuickHeal | 20210621 | 14.00 | False
NANO-Antivirus | 20210703 | 1.0.146.25311 | False
BitDefenderTheta | 20210702 | 7.2.37796.0 | False
MicroWorld-eScan | 20210703 | 14.0.409.0 | False
SUPERAntiSpyware | 20210626 | 5.6.0.1032 | False
McAfee-GW-Edition | 20210703 | v2019.1.2+3728 | False
TrendMicro-HouseCall | 20210703 | 10.0.0.1040 | False

total: 61
sha256: 9db938cb9989a1882dbc0f344e510e76bafc4358b2aadb5dbb66a11d763a7ae6
scan_id: 9db938cb9989a1882dbc0f344e510e76bafc4358b2aadb5dbb66a11d763a7ae6-1625288537
resource: 5930c59472f42b5f237500c999727441
positives: 0
scan_date: 2021-07-03 05:02:17
verbose_msg: Scan finished, information embedded
response_code: 1
File
Trace
20/8/2021 - 11:49:20.762Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:20.856Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:20.856Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:20.950Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:20.950Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:20.950Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.log
20/8/2021 - 11:49:20.950Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.log
20/8/2021 - 11:49:20.950Read1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:20.997Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.log
20/8/2021 - 11:49:20.997Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.log
20/8/2021 - 11:49:20.997Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.log
20/8/2021 - 11:49:20.997Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.log
20/8/2021 - 11:49:21.43Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:21.43Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:21.90Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat
20/8/2021 - 11:49:21.90Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.datcontainer.dat
20/8/2021 - 11:49:21.90Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:21.90Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:21.90Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.dat
20/8/2021 - 11:49:21.90Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\container.datcontainer.dat
20/8/2021 - 11:49:21.90Write1928C:\Monitor\WKCD_Load_Use.exeC:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:23.715Write4C:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:23.715Unknown4C:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:25.872Unknown2360C:\Windows\System32\audiodg.exeC:\Windows
20/8/2021 - 11:49:30.762Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:30.762Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:30.809Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:30.809Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
20/8/2021 - 11:49:30.856Open796C:\Windows\System32\svchost.exeC:\Windows\CSC\v2.0.6\namespace
20/8/2021 - 11:49:30.856Unknown796C:\Windows\System32\svchost.exeC:\Windows\CSC\v2.0.6\namespace
20/8/2021 - 11:49:30.856Unknown796C:\Windows\System32\svchost.exeC:\Windows\CSC\v2.0.6\namespace
20/8/2021 - 11:49:30.856Open796C:\Windows\System32\svchost.exe\Device\Mup\.\.\
20/8/2021 - 11:49:30.856Open796C:\Windows\System32\svchost.exeC:\Windows\CSC\v2.0.6\namespace
20/8/2021 - 11:49:30.856Unknown796C:\Windows\System32\svchost.exeC:\Windows\CSC\v2.0.6\namespace
20/8/2021 - 11:49:30.856Unknown796C:\Windows\System32\svchost.exe\Device\Mup\.\.\
20/8/2021 - 11:49:30.856Unknown796C:\Windows\System32\svchost.exeC:\Windows\CSC\v2.0.6\namespace
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users\Behemot
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Open1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Unknown1796C:\Windows\System32\taskhost.exeC:\Users
20/8/2021 - 11:49:30.856Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Write1928C:\Monitor\WKCD_Load_Use.exeC:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:30.856Write1928C:\Monitor\WKCD_Load_Use.exeC:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:30.856Write1796C:\Windows\System32\taskhost.exeC:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Write4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:30.856Write1928C:\Monitor\WKCD_Load_Use.exeC:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:30.872Write1928C:\Monitor\WKCD_Load_Use.exeC:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:31.465Write4C:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:31.465Unknown4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:31.465Unknown4C:\Users\Behemot\AppData\Local\Microsoft\Windows\WebCache\V01.chk
20/8/2021 - 11:49:31.465Unknown4C:\Monitor\Files\Logs\File.log
20/8/2021 - 11:49:32.481Write684C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat

Process
Trace
Time | Operation | Parent PID | Parent Process | PID | Process
20/8/2021 - 11:49:25.872 | Terminate | 684 | C:\Windows\System32\svchost.exe | 2360 | C:\Windows\System32\audiodg.exe

Analysis
Reason
Timeout

Status
Successfully Executed

Results
1

Registry
Trace
Time | Operation | PID | Key | Value
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList | CurrentLru
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000ED | ObjectId
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000ED | ObjectLru
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\ObjectTable\1E | _ObjectLru_
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000E8 | ObjectId
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000E8 | ObjectLru
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\ObjectTable\3E | _ObjectLru_
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000EB | ObjectId
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000EB | ObjectLru
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\ObjectTable\3F | _ObjectLru_
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000F0 | ObjectId
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\LruList\00000000000000F0 | ObjectLru
20/8/2021 - 11:46:22.418 | Write | 4 | \REGISTRY\A\{BCF7D7EA-4F18-11E8-8B8A-525400842A13}\DefaultObjectStore\ObjectTable\40 | _ObjectLru_
20/8/2021 - 11:46:24.75 | Write | 4 | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\22 |
20/8/2021 - 11:46:24.75 | Write | 4 | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24 | ffffffffffffffffffffffffffffff00
20/8/2021 - 11:46:24.75 | Write | 4 | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24 | ffffffffffffffffffffffffffffff01
20/8/2021 - 11:46:24.75 | Write | 4 | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24 | ffffffffffffffffffffffffffffff02
20/8/2021 - 11:46:24.75 | Write | 4 | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nsi\{eb004a03-9b1a-11d4-9123-0050047759bc}\24 | ffffffffffffffffffffffffffffff03

File Summary
Created
Identified: True

Deleted
Identified: False

Process Summary
Created
Identified: False

Deleted
Identified: True

Registry Summary
Proxy
Identified: False

AutoRun
Identified: False

Created
Identified: True

Deleted
Identified: False

Browsers
Identified: False

Internet
Identified: False


DNS
Query

Response

TCP
Info

UDP
Info

HTTP
Info

Summary
DNS
False

TCP
False

UDP
False

HTTP
False

Results
BINARY
NFS 2.0 (Threshold = 0.8)
confidence: 75.00%
suspicious: False

NFS 3.0 (Threshold = 0.75)
confidence: 76.67%
suspicious: True

Decision Tree (NFS-BRMalware)
confidence: 100.00%
suspicious: False

MalConv (Ember: Raw Bytes, Threshold=0.5)
confidence: 76.79%
suspicious: True

Random Forest (100 estimators, NFS-BRMalware)
confidence: 70.00%
suspicious: False

Non-Negative MalConv (Ember: Raw Bytes, Threshold=0.35)
confidence: 73.45%
suspicious: False

LightGBM (Ember: File Characteristics, Threshold=0.8336)
confidence: 100.00%
suspicious: False
