SS 12 is installed; in its settings, access to the microphone and webcam is denied, but an exception has been made for SkypeApp.exe, for which access is allowed.
When I launch Skype and go to the microphone and camera settings, I get a message that webcam access is denied for the process svchost.exe.
How do I configure camera access for Skype only?
2019-Mar-02 21:12:42.248351 [ 8744] [INF] [arkdll] [5808] id: 10420, timestamp: 21:12:42.247, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7040/7044:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe context: start addr: 0xf31fe2, image: 0xf20000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe created process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe:7040 => \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe:11872 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" uninstall "C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.IO\4321857b81e9fb153dd0539c6958c374\System.IO.ni.dll" /noroot /LegacyServiceBehavior status: signed_microsoft / signed_microsoft / clean / unknown id: 10420 ==> allowed [2], time: 0.395700 ms
2019-Mar-02 21:12:42.276204 [ 8744] [INF] [arkdll] [5808] id: 10423, timestamp: 21:12:42.275, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 2888/6076:\Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeApp.exe context: start addr: 0x7ffc44d8b110, image: 0x7ffc44d50000:\Device\HarddiskVolume4\Windows\System32\msvcrt.dll terminated win process: \Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeApp.exe:2888 fileinfo: size: 21504, easize: 180, attr: 0x20, buildtime: 22.02.2019 03:06:15.000, ctime: 01.03.2019 15:35:24.805, atime: 02.03.2019 21:12:20.133, mtime: 01.03.2019 15:35:50.163, descr: SkypeApp, ver: 8.40.0.70, company: Microsoft Corporation, oname: SkypeApp.exe signer: C=LU|ST=Luxembourg|L=Luxembourg|O=Microsoft Corporation|CN=Skype Software Sarl, timestamp: 26.02.2019 03:35:08.000, thumbprint: 638db8116efd6c9c8a332a56b3a0f0bf91d28f78 file sha1: e9b0facbc5246c258c22d5ad3f2b8beb0b49aab6 status: signed_winstore, pe64, new_pe / signed_winstore / unknown / unknown id: 10423 ==> undefined [1], time: 0.131500 ms
2019-Mar-02 21:12:42.357400 [ 8744] [INF] [arkdll] [5808] id: 10429, timestamp: 21:12:42.356, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 11872/10328:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe context: start addr: 0x3169e0, image: 0x310000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe created process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe:11872 => \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:9116 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 228 -Pipe 1c8 -Comment "NGen Worker Process" status: signed_microsoft / signed_microsoft / clean / unknown id: 10429 ==> allowed [2], time: 0.363100 ms
2019-Mar-02 21:12:42.405861 [ 8716] [INF] [arkdll] [5808] id: 10436, timestamp: 21:12:42.405, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 9116/2356:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe context: start addr: 0x1328d0, image: 0x130000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe terminated win process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:9116 fileinfo: size: 107592, easize: 1024, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:57.435, atime: 02.03.2019 21:09:11.258, mtime: 15.09.2018 11:29:57.435, descr: .NET Runtime Optimization Service, ver: 4.7.3190.0 built by: NET472REL1LAST_C, company: Microsoft Corporation, oname: mscorsvw.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 10436 ==> undefined [1], time: 0.103600 ms
2019-Mar-02 21:12:42.407284 [ 8716] [INF] [arkdll] [5808] id: 10437, timestamp: 21:12:42.407, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 11872/10328:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe context: start addr: 0x3169e0, image: 0x310000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe terminated win process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe:11872 fileinfo: size: 141904, easize: 1016, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:58.748, atime: 02.03.2019 21:09:09.885, mtime: 15.09.2018 11:29:58.748, descr: Microsoft Common Language Runtime native compiler, ver: 4.7.3190.0 built by: NET472REL1LAST_C, company: Microsoft Corporation, oname: ngen.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 10437 ==> undefined [1], time: 0.104900 ms
2019-Mar-02 21:12:42.435249 [ 8716] [INF] [arkdll] [5808] id: 10441, timestamp: 21:12:42.434, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7040/7044:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe context: start addr: 0xf31fe2, image: 0xf20000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe created process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe:7040 => \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe:4824 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" uninstall "C:\WINDOWS\assembly\NativeImages_v4.0.30319_32\System.Threading\ae153be3919c36552b45c15b1dbf34f0\System.Threading.ni.dll" /noroot /LegacyServiceBehavior status: signed_microsoft / signed_microsoft / clean / unknown id: 10441 ==> allowed [2], time: 0.351700 ms
2019-Mar-02 21:12:42.461200 [ 8716] [INF] [arkdll] [5936] id: 10444, timestamp: 21:12:42.460, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7056/7060:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe context: start addr: 0x16e13440000, image: 0x16e13440000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe terminated win process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe:7056 fileinfo: size: 84560, easize: 1024, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:50.357, atime: 02.03.2019 21:09:15.002, mtime: 15.09.2018 11:29:50.372, descr: Microsoft .NET Framework optimization service, ver: 4.7.3190.0 built by: NET472REL1LAST_C, company: Microsoft Corporation, oname: NGenTask.exe status: signed_microsoft / signed_microsoft / unknown / unknown id: 10444 ==> undefined [1], time: 0.111500 ms
2019-Mar-02 21:12:42.462922 [ 8716] [INF] [arkdll] [5936] id: 10445, timestamp: 21:12:42.462, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7064/7152:\Device\HarddiskVolume4\Windows\System32\conhost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll terminated win process: \Device\HarddiskVolume4\Windows\System32\conhost.exe:7064 fileinfo: size: 822784, easize: 1092, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:44.232, atime: 02.03.2019 21:09:12.880, mtime: 15.09.2018 11:28:44.232, descr: Console Window Host, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: CONHOST.EXE status: signed_microsoft / signed_microsoft / clean / unknown id: 10445 ==> undefined [1], time: 0.105900 ms
2019-Mar-02 21:12:42.514752 [ 8716] [INF] [arkdll] [5936] id: 10451, timestamp: 21:12:42.514, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 4824/11288:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe context: start addr: 0x3169e0, image: 0x310000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe created process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe:4824 => \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:9280 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 214 -Pipe 220 -Comment "NGen Worker Process" status: signed_microsoft / signed_microsoft / clean / unknown id: 10451 ==> allowed [2], time: 0.338500 ms
2019-Mar-02 21:12:42.556647 [ 8716] [INF] [arkdll] [5808] id: 10458, timestamp: 21:12:42.556, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 9280/10264:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe context: start addr: 0x1328d0, image: 0x130000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe terminated win process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe:9280 fileinfo: size: 107592, easize: 1024, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:57.435, atime: 02.03.2019 21:09:11.258, mtime: 15.09.2018 11:29:57.435, descr: .NET Runtime Optimization Service, ver: 4.7.3190.0 built by: NET472REL1LAST_C, company: Microsoft Corporation, oname: mscorsvw.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 10458 ==> undefined [1], time: 0.111400 ms
2019-Mar-02 21:12:42.557984 [ 8716] [INF] [arkdll] [5808] id: 10459, timestamp: 21:12:42.557, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 4824/11288:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe context: start addr: 0x3169e0, image: 0x310000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe terminated win process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe:4824 fileinfo: size: 141904, easize: 1016, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:58.748, atime: 02.03.2019 21:09:09.885, mtime: 15.09.2018 11:29:58.748, descr: Microsoft Common Language Runtime native compiler, ver: 4.7.3190.0 built by: NET472REL1LAST_C, company: Microsoft Corporation, oname: ngen.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 10459 ==> undefined [1], time: 0.089600 ms
2019-Mar-02 21:12:42.740491 [ 8716] [INF] [arkdll] [5936] id: 10464, timestamp: 21:12:42.740, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7040/7044:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe context: start addr: 0xf31fe2, image: 0xf20000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe terminated win process: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe:7040 fileinfo: size: 85080, easize: 1024, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:57.545, atime: 02.03.2019 21:09:14.975, mtime: 15.09.2018 11:29:57.545, descr: Microsoft .NET Framework optimization service, ver: 4.7.3190.0 built by: NET472REL1LAST_C, company: Microsoft Corporation, oname: NGenTask.exe status: signed_microsoft / signed_microsoft / unknown / unknown id: 10464 ==> undefined [1], time: 0.096400 ms
2019-Mar-02 21:12:42.742674 [ 8744] [INF] [arkdll] [5808] id: 10466, timestamp: 21:12:42.742, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7048/7156:\Device\HarddiskVolume4\Windows\System32\conhost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll terminated win process: \Device\HarddiskVolume4\Windows\System32\conhost.exe:7048 fileinfo: size: 822784, easize: 1092, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:44.232, atime: 02.03.2019 21:09:12.880, mtime: 15.09.2018 11:28:44.232, descr: Console Window Host, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: CONHOST.EXE status: signed_microsoft / signed_microsoft / clean / unknown id: 10466 ==> undefined [1], time: 0.099300 ms
2019-Mar-02 21:12:42.750315 [ 8744] [INF] [arkdll] [5936] id: 10473, timestamp: 21:12:42.749, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 4888/4404:\Device\HarddiskVolume4\Windows\System32\taskhostw.exe context: start addr: 0x7ff6650a5570, image: 0x7ff6650a0000:\Device\HarddiskVolume4\Windows\System32\taskhostw.exe terminated win process: \Device\HarddiskVolume4\WINDOWS\system32\taskhostw.exe:4888 fileinfo: size: 86744, easize: 1088, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:44.357, atime: 02.03.2019 21:09:11.169, mtime: 15.09.2018 11:28:44.357, descr: Host Process for Windows Tasks, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: taskhostw.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 10473 ==> undefined [1], time: 0.104300 ms
2019-Mar-02 21:12:43.342492 [ 8732] [INF] [email] Message to address 'sinelnikovip@yandex.ru' (from: 'sinelnikovip@yandex.ru') was successfully sent.
2019-Mar-02 21:12:47.313978 [ 8744] [INF] [arkdll] [5808] id: 10516, timestamp: 21:12:47.313, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 11916/11920:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ff72a2e4510, image: 0x7ff72a2e0000:\Device\HarddiskVolume4\Windows\System32\svchost.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:11916 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:10:16.646, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 10516 ==> undefined [1], time: 0.200800 ms
2019-Mar-02 21:12:48.964056 [ 8716] [INF] [arkdll] [5808] id: 10527, timestamp: 21:12:48.963, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 9596/1316:\Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Roaming\Yandex\YandexDisk2\3.0.9.2548\YandexDiskScreenshotEditor.exe context: start addr: 0x7ff681d62abc, image: 0x7ff681b50000:\Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Roaming\Yandex\YandexDisk2\3.0.9.2548\YandexDiskScreenshotEditor.exe terminated win process: \Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Roaming\Yandex\YandexDisk2\3.0.9.2548\YandexDiskScreenshotEditor.exe:9596 fileinfo: size: 5655544, easize: 40, attr: 0x20, buildtime: 06.02.2019 18:50:03.000, ctime: 17.02.2019 14:56:27.395, atime: 02.03.2019 21:12:36.159, mtime: 06.02.2019 18:50:23.452, descr: Скриншоты в Яндекс.Диске, ver: 3.0.9.2548, company: Яндекс, oname: YandexDiskScreenshotEditor.exe signer: C=RU|ST=Moscow|L=Moscow|O=YANDEX LLC|CN=YANDEX LLC, timestamp: 06.02.2019 18:50:22.000, thumbprint: b1a1f7b52cd31acd1542fadf9cf0ee41d7614f75 file sha1: 2a5dddbbae979d43d21e99e54e8be03be8b596ad status: db_cert_white_list, signed, pe64, db_cert_protected / signed / unknown / unknown id: 10527 ==> undefined [1], time: 0.132100 ms
2019-Mar-02 21:12:49.871156 [ 8744] [INF] [arkdll] [4732] path: \Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\WinStore.App.exe, size: 16384, hash: f440a3571e2a1a53622547dae7d226f2dfd0fa9d, cert name: 9c6e45331303c6db4dfdbe0d4b7a890211f143d5, type: 80, status: 5 ==> send info to cloud
2019-Mar-02 21:12:49.871490 [ 8744] [INF] [arkdll] [5808] id: 10541, timestamp: 21:12:49.867, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 992/2404:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:992 => \Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\WinStore.App.exe:6568 sid: S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 64, ilevel: appcontainer, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0 curdir: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\, cmd: "C:\Program Files\WindowsApps\Microsoft.WindowsStore_11811.1001.18.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca fileinfo: size: 16384, easize: 140, attr: 0x20, buildtime: 18.01.2019 00:38:11.000, ctime: 30.01.2019 17:46:12.103, atime: 02.03.2019 21:12:49.867, mtime: 30.01.2019 17:46:23.390, descr: Store, ver: 11811.1001.18.0, company: Microsoft Corporation, oname: WinStore.App.exe signer: C=US|ST=Washington|L=Redmond|O=Microsoft Corporation|CN=Microsoft Corporation, timestamp: 19.01.2019 04:39:57.000, thumbprint: 9c6e45331303c6db4dfdbe0d4b7a890211f143d5 file sha1: f440a3571e2a1a53622547dae7d226f2dfd0fa9d status: signed_winstore, pe64 / signed_winstore / unknown / unknown id: 10541 ==> undefined [1], time: 3.240200 ms
2019-Mar-02 21:12:50.629160 [ 8716] [INF] [arkdll] [5936] id: 10637, timestamp: 21:12:50.628, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 992/556:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:992 => \Device\HarddiskVolume4\Windows\System32\RuntimeBroker.exe:11704 sid: S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 64, ilevel: medium, sesion id: 1, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding status: signed_microsoft / signed_microsoft / unknown / unknown id: 10637 ==> allowed [2], time: 0.320600 ms
2019-Mar-02 21:12:51.286935 [ 8744] [INF] [arkdll] [5936] id: 10664, timestamp: 21:12:51.286, type: ServiceStart (58), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/4476:\Device\HarddiskVolume4\Windows\System32\services.exe request by: \Device\HarddiskVolume4\WINDOWS\system32\svchost.exe:992 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.707, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost svc name: XblAuthManager, wow64: 0 cmd: id: 10664 ==> allowed [2], time: 0.088500 ms
2019-Mar-02 21:12:51.290859 [ 8744] [INF] [arkdll] [5936] id: 10667, timestamp: 21:12:51.289, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/4476:\Device\HarddiskVolume4\Windows\System32\services.exe created process: \Device\HarddiskVolume4\Windows\System32\services.exe:788 => \Device\HarddiskVolume4\Windows\System32\svchost.exe:12152 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 14, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s XblAuthManager status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 10667 ==> allowed [2], time: 0.744400 ms
2019-Mar-02 21:12:53.610023 [ 8716] [INF] [arkdll] [5936] id: 10780, timestamp: 21:12:53.609, type: ServiceStart (58), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/1060:\Device\HarddiskVolume4\Windows\System32\services.exe request by: \Device\HarddiskVolume4\WINDOWS\system32\svchost.exe:992 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.707, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost svc name: InstallService, wow64: 0 cmd: id: 10780 ==> allowed [2], time: 0.085900 ms
2019-Mar-02 21:12:53.614343 [ 8716] [INF] [arkdll] [5936] id: 10783, timestamp: 21:12:53.613, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/1060:\Device\HarddiskVolume4\Windows\System32\services.exe created process: \Device\HarddiskVolume4\Windows\System32\services.exe:788 => \Device\HarddiskVolume4\Windows\System32\svchost.exe:2816 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 14, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\svchost.exe -k netsvcs -p status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 10783 ==> allowed [2], time: 0.684700 ms
2019-Mar-02 21:12:55.777187 [ 8740] [INF] [arkdll] [5936] id: 10884, timestamp: 21:12:55.772, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 992/6112:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:992 => \Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeApp.exe:2608 sid: S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 64, ilevel: appcontainer, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0 curdir: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\, cmd: "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeApp.exe" -ServerName:App.AppXffn3yxqvgawq9fpmnhy90fr3y01d1t5b.mca fileinfo: size: 21504, easize: 180, attr: 0x20, buildtime: 22.02.2019 03:06:15.000, ctime: 01.03.2019 15:35:24.805, atime: 02.03.2019 21:12:55.772, mtime: 01.03.2019 15:35:50.163, descr: SkypeApp, ver: 8.40.0.70, company: Microsoft Corporation, oname: SkypeApp.exe signer: C=LU|ST=Luxembourg|L=Luxembourg|O=Microsoft Corporation|CN=Skype Software Sarl, timestamp: 26.02.2019 03:35:08.000, thumbprint: 638db8116efd6c9c8a332a56b3a0f0bf91d28f78 file sha1: e9b0facbc5246c258c22d5ad3f2b8beb0b49aab6 status: signed_winstore, pe64, new_pe / signed_winstore / unknown / unknown id: 10884 ==> undefined [1], time: 4.045600 ms
2019-Mar-02 21:12:56.728360 [ 8716] [WRN] [arkdll] [5888] Detected process reparenting for process (\Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe:9712): new parent: \Device\HarddiskVolume4\Windows\System32\RuntimeBroker.exe:9084 real parent: \Device\HarddiskVolume4\Windows\System32\svchost.exe:5156
2019-Mar-02 21:12:56.810284 [ 8740] [INF] [arkdll] [5888] id: 11000, timestamp: 21:12:56.725, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 5156/9504:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\RuntimeBroker.exe:9084 => \Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe:9712 sid: S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 64, ilevel: medium, sesion id: 1, type: 0, reason: 1, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: "C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe" /InvokerPRAID: App fileinfo: size: 557056, easize: 304, attr: 0x20, buildtime: 22.02.2019 02:58:47.000, ctime: 01.03.2019 15:35:24.807, atime: 02.03.2019 21:12:56.724, mtime: 01.03.2019 15:35:50.177, descr: SkypeBridge, ver: 8.40.0.70, company: Microsoft Corporation, oname: SkypeBridge.exe file sha1: 74cf2e3feb005c5f22eb3ea56c7ce7af6480b369 status: unsigned, pe64, new_pe, dot_net / unsigned / unknown / unknown id: 11000 ==> undefined [1], time: 21.287300 ms
2019-Mar-02 21:12:57.046885 [ 8740] [INF] [arkdll] [5808] id: 11041, timestamp: 21:12:57.043, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 9712/1716:\Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe context: start addr: 0x7ffc3394ef70, image: 0x7ffc33790000:\Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll terminated win process: \Device\HarddiskVolume4\Program Files\WindowsApps\Microsoft.SkypeApp_14.40.70.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe:9712 fileinfo: size: 557056, easize: 304, attr: 0x20, buildtime: 22.02.2019 02:58:47.000, ctime: 01.03.2019 15:35:24.807, atime: 02.03.2019 21:12:56.724, mtime: 01.03.2019 15:35:50.177, descr: SkypeBridge, ver: 8.40.0.70, company: Microsoft Corporation, oname: SkypeBridge.exe file sha1: 74cf2e3feb005c5f22eb3ea56c7ce7af6480b369 status: unsigned, pe64, new_pe, dot_net / unsigned / unknown / unknown id: 11041 ==> undefined [1], time: 0.163000 ms
2019-Mar-02 21:12:58.960310 [ 8744] [INF] [arkdll] [5936] id: 11114, timestamp: 21:12:58.959, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-19, cid: 7812/12192:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ff72a2e4510, image: 0x7ff72a2e0000:\Device\HarddiskVolume4\Windows\System32\svchost.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:7812 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:12:28.165, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 11114 ==> undefined [1], time: 0.260000 ms
2019-Mar-02 21:13:03.648413 [ 8740] [INF] [arkdll] [5808] id: 11249, timestamp: 21:13:03.647, type: ServiceStart (58), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/4488:\Device\HarddiskVolume4\Windows\System32\services.exe request by: \Device\HarddiskVolume4\WINDOWS\system32\services.exe:788 fileinfo: size: 679424, easize: 284, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.608, atime: 02.03.2019 21:09:10.179, mtime: 15.09.2018 11:28:45.623, descr: Services and Controller app, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: services.exe status: signed_microsoft / signed_microsoft / clean / unknown svc name: FrameServer, wow64: 0 cmd: TriggerStarted id: 11249 ==> allowed [2], time: 0.077400 ms
2019-Mar-02 21:13:03.652615 [ 8740] [INF] [arkdll] [5808] id: 11252, timestamp: 21:13:03.651, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/4488:\Device\HarddiskVolume4\Windows\System32\services.exe created process: \Device\HarddiskVolume4\Windows\System32\services.exe:788 => \Device\HarddiskVolume4\Windows\System32\svchost.exe:10828 sid: S-1-5-19, bitness: 64, ilevel: system, sesion id: 0, type: 14, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\svchost.exe -k Camera -s FrameServer status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 11252 ==> allowed [2], time: 0.735300 ms
2019-Mar-02 21:13:06.796232 [ 8716] [INF] [arkdll] [5892] id: 11339, timestamp: 21:13:06.781, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/2252:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Windows\System32\taskhostw.exe:11088 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: taskhostw.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 11339 ==> allowed [2], time: 0.663400 ms
2019-Mar-02 21:13:06.801686 [ 8744] [INF] [arkdll] [5892] id: 11341, timestamp: 21:13:06.784, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/1644:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe:5756 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /c fileinfo: size: 153168, easize: 784, attr: 0x120, buildtime: 09.05.2018 02:44:45.000, ctime: 04.12.2018 23:01:13.937, atime: 02.03.2019 21:09:11.101, mtime: 04.12.2018 23:01:12.954, descr: Установщик Google, ver: 1.3.33.17, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 09.05.2018 02:44:47.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 8c0d2a1cf79e9e34107e2e1aaafa818ecf1f6943 status: db_cert_white_list, signed, pe32, db_cert_protected / signed / unknown / unknown id: 11341 ==> undefined [1], time: 0.820400 ms
2019-Mar-02 21:13:06.801727 [ 8744] [INF] [arkdll] [5892] id: 11344, timestamp: 21:13:06.786, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/1636:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe:2888 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler fileinfo: size: 153168, easize: 784, attr: 0x120, buildtime: 09.05.2018 02:44:45.000, ctime: 04.12.2018 23:01:13.937, atime: 02.03.2019 21:09:11.101, mtime: 04.12.2018 23:01:12.954, descr: Установщик Google, ver: 1.3.33.17, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 09.05.2018 02:44:47.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 8c0d2a1cf79e9e34107e2e1aaafa818ecf1f6943 status: db_cert_white_list, signed, pe32, db_cert_protected / signed / unknown / unknown id: 11344 ==> undefined [1], time: 0.814000 ms
2019-Mar-02 21:13:06.801756 [ 8744] [INF] [arkdll] [5852] id: 11343, timestamp: 21:13:06.786, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/3752:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Windows\System32\wsqmcons.exe:8676 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\wsqmcons.exe status: signed_microsoft / signed_microsoft / unknown / unknown id: 11343 ==> allowed [2], time: 1.355200 ms
2019-Mar-02 21:13:06.801779 [ 8744] [INF] [arkdll] [5852] id: 11345, timestamp: 21:13:06.789, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/4608:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Windows\System32\sc.exe:8772 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\sc.exe start pushtoinstall registration status: signed_microsoft / signed_microsoft / unknown / unknown id: 11345 ==> allowed [2], time: 1.625900 ms
2019-Mar-02 21:13:06.803185 [ 8716] [INF] [arkdll] [5852] id: 11347, timestamp: 21:13:06.799, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/956:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Windows\System32\UsoClient.exe:6852 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\usoclient.exe StartScan status: signed_microsoft / signed_microsoft / unknown / unknown id: 11347 ==> allowed [2], time: 1.356800 ms
2019-Mar-02 21:13:06.804753 [ 8716] [INF] [arkdll] [4732] path: \Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Local\MEGAsync\MEGAupdater.exe, size: 615160, hash: 00bd3ca460af3e989a61a66bef0f8443b55f20e0, cert name: d0ac9eb6f7959eb8ad4199fa23ff4a25b1f0f9be, type: 80, status: 2 ==> send info to cloud
2019-Mar-02 21:13:06.813132 [ 8716] [INF] [arkdll] [5852] id: 11349, timestamp: 21:13:06.812, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 8772/10596:\Device\HarddiskVolume4\Windows\System32\sc.exe context: start addr: 0x7ff6db912050, image: 0x7ff6db910000:\Device\HarddiskVolume4\Windows\System32\sc.exe created process: \Device\HarddiskVolume4\Windows\System32\sc.exe:8772 => \Device\HarddiskVolume4\Windows\System32\conhost.exe:2000 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS, cmd: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 status: signed_microsoft / signed_microsoft / clean / unknown id: 11349 ==> allowed [2], time: 0.320000 ms
2019-Mar-02 21:13:06.823697 [ 8744] [INF] [arkdll] [5936] id: 11367, timestamp: 21:13:06.823, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 8676/10196:\Device\HarddiskVolume4\Windows\System32\wsqmcons.exe context: start addr: 0x7ff746af7710, image: 0x7ff746af0000:\Device\HarddiskVolume4\Windows\System32\wsqmcons.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\wsqmcons.exe:8676 fileinfo: size: 92160, easize: 1072, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.326, atime: 02.03.2019 21:13:06.785, mtime: 15.09.2018 11:28:45.326, descr: Windows SQM Consolidator, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: wsqmcons.exe status: signed_microsoft / signed_microsoft / unknown / unknown id: 11367 ==> undefined [1], time: 0.089500 ms
2019-Mar-02 21:13:06.848334 [ 8716] [INF] [arkdll] [5936] id: 11396, timestamp: 21:13:06.847, type: ServiceStart (58), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/4488:\Device\HarddiskVolume4\Windows\System32\services.exe request by: \Device\HarddiskVolume4\Windows\System32\sc.exe:8772 fileinfo: size: 69632, easize: 1048, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:14.657, atime: 02.03.2019 21:13:06.787, mtime: 15.09.2018 11:29:14.657, descr: Service Control Manager Configuration Tool, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: sc.exe status: signed_microsoft / signed_microsoft / unknown / unknown svc name: pushtoinstall, wow64: 0 cmd: registration id: 11396 ==> allowed [2], time: 0.076000 ms
2019-Mar-02 21:13:06.852711 [ 8716] [INF] [arkdll] [5888] id: 11403, timestamp: 21:13:06.851, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/4488:\Device\HarddiskVolume4\Windows\System32\services.exe created process: \Device\HarddiskVolume4\Windows\System32\services.exe:788 => \Device\HarddiskVolume4\Windows\System32\svchost.exe:7904 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 14, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s PushToInstall status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 11403 ==> allowed [2], time: 0.626000 ms
2019-Mar-02 21:13:06.856446 [ 8716] [INF] [arkdll] [5888] id: 11408, timestamp: 21:13:06.855, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 5756/8416:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe context: start addr: 0x9572f0, image: 0x950000:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe created process: \Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe:5756 => \Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler.exe:10692 sid: S-1-5-18, bitness: 32, ilevel: system, sesion id: 0, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0 curdir: C:\Program Files (x86)\Google\Update\1.3.33.23\, cmd: "C:\Program
Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler.exe" fileinfo: size: 292648, easize: 784, attr: 0x120, buildtime: 05.12.2018 06:03:05.000, ctime: 20.12.2018 18:07:05.179, atime: 02.03.2019 21:09:21.542, mtime: 20.12.2018 18:07:03.900, descr: Google Crash Handler, ver: 1.3.33.23, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 05.12.2018 06:03:10.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 8efec0871a9bc4e2c31322b1fe04896262b64a65 status: db_cert_white_list, signed, pe32, db_cert_protected / signed / unknown / unknown id: 11408 ==> undefined [1], time: 0.493800 ms 2019-Mar-02 21:13:06.868208 [ 8716] [INF] [arkdll] [5888] id: 11413, timestamp: 21:13:06.867, type: ServiceStart (58), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/1060:\Device\HarddiskVolume4\Windows\System32\services.exe request by: \Device\HarddiskVolume4\WINDOWS\system32\svchost.exe:992 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.707, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost svc name: WaaSMedicSvc, wow64: 0 cmd: id: 11413 ==> allowed [2], time: 0.080000 ms 2019-Mar-02 21:13:06.871821 [ 8716] [INF] [arkdll] [5888] id: 11422, timestamp: 21:13:06.871, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 2888/11540:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe context: start addr: 0x77b8e230, image: 0x77b40000:\Device\HarddiskVolume4\Windows\SysWOW64\ntdll.dll terminated win process: \Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe:2888 fileinfo: size: 153168, easize: 784, attr: 0x120, buildtime: 09.05.2018 02:44:45.000, ctime: 04.12.2018 23:01:13.937, atime: 
02.03.2019 21:09:11.101, mtime: 04.12.2018 23:01:12.954, descr: Установщик Google, ver: 1.3.33.17, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 09.05.2018 02:44:47.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 8c0d2a1cf79e9e34107e2e1aaafa818ecf1f6943 status: db_cert_white_list, signed, pe32, db_cert_protected / signed / unknown / unknown id: 11422 ==> undefined [1], time: 0.116800 ms 2019-Mar-02 21:13:06.873039 [ 8716] [INF] [arkdll] [5888] id: 11423, timestamp: 21:13:06.872, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/1060:\Device\HarddiskVolume4\Windows\System32\services.exe created process: \Device\HarddiskVolume4\Windows\System32\services.exe:788 => \Device\HarddiskVolume4\Windows\System32\svchost.exe:11484 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 14, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\svchost.exe -k wusvcs -p -s WaaSMedicSvc status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 11423 ==> allowed [2], time: 0.643900 ms 2019-Mar-02 21:13:06.874192 [ 8716] [INF] [arkdll] [5888] id: 11424, timestamp: 21:13:06.873, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 5756/8416:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe context: start addr: 0x9572f0, image: 0x950000:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe created process: \Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe:5756 => \Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe:8208 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0 curdir: C:\Program Files (x86)\Google\Update\1.3.33.23\, cmd: "C:\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe" fileinfo: size: 369960, easize: 
784, attr: 0x120, buildtime: 05.12.2018 06:12:34.000, ctime: 20.12.2018 18:07:05.187, atime: 02.03.2019 21:09:21.644, mtime: 20.12.2018 18:07:03.986, descr: Google Crash Handler, ver: 1.3.33.23, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 05.12.2018 06:12:40.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 00a44ba18164aceeacabe5384c661e9fe52411ac status: db_cert_white_list, signed, pe64, db_cert_protected / signed / unknown / unknown id: 11424 ==> undefined [1], time: 0.456700 ms 2019-Mar-02 21:13:06.882343 [ 8716] [INF] [arkdll] [5888] id: 11427, timestamp: 21:13:06.881, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 8772/10596:\Device\HarddiskVolume4\Windows\System32\sc.exe context: start addr: 0x7ff6db912050, image: 0x7ff6db910000:\Device\HarddiskVolume4\Windows\System32\sc.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\sc.exe:8772 fileinfo: size: 69632, easize: 1048, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:29:14.657, atime: 02.03.2019 21:13:06.787, mtime: 15.09.2018 11:29:14.657, descr: Service Control Manager Configuration Tool, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: sc.exe status: signed_microsoft / signed_microsoft / unknown / unknown id: 11427 ==> undefined [1], time: 0.153500 ms 2019-Mar-02 21:13:06.886113 [ 8716] [INF] [arkdll] [5888] id: 11435, timestamp: 21:13:06.885, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 2000/10932:\Device\HarddiskVolume4\Windows\System32\conhost.exe context: start addr: 0x7ff7695469c0, image: 0x7ff769530000:\Device\HarddiskVolume4\Windows\System32\conhost.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\conhost.exe:2000 fileinfo: size: 822784, easize: 1092, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:44.232, atime: 02.03.2019 21:09:12.880, mtime: 15.09.2018 11:28:44.232, descr: Console Window Host, ver: 
10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: CONHOST.EXE status: signed_microsoft / signed_microsoft / clean / unknown id: 11435 ==> undefined [1], time: 0.095100 ms 2019-Mar-02 21:13:06.917969 [ 8716] [INF] [arkdll] [5888] id: 11457, timestamp: 21:13:06.917, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 6852/10116:\Device\HarddiskVolume4\Windows\System32\UsoClient.exe context: start addr: 0x7ff643a24a70, image: 0x7ff643a20000:\Device\HarddiskVolume4\Windows\System32\UsoClient.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\UsoClient.exe:6852 fileinfo: size: 48128, easize: 1068, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:39.779, atime: 02.03.2019 21:13:06.797, mtime: 15.09.2018 11:28:39.779, descr: UsoClient, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: UsoClient status: signed_microsoft / signed_microsoft / unknown / unknown id: 11457 ==> undefined [1], time: 0.102700 ms 2019-Mar-02 21:13:06.920741 [ 8716] [INF] [arkdll] [5888] id: 11459, timestamp: 21:13:06.920, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 10692/8384:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler.exe context: start addr: 0x77b8e230, image: 0x77b40000:\Device\HarddiskVolume4\Windows\SysWOW64\ntdll.dll terminated win process: \Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler.exe:10692 fileinfo: size: 292648, easize: 784, attr: 0x120, buildtime: 05.12.2018 06:03:05.000, ctime: 20.12.2018 18:07:05.179, atime: 02.03.2019 21:09:21.542, mtime: 20.12.2018 18:07:03.900, descr: Google Crash Handler, ver: 1.3.33.23, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 05.12.2018 06:03:10.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 8efec0871a9bc4e2c31322b1fe04896262b64a65 status: db_cert_white_list, signed, pe32, 
db_cert_protected / signed / unknown / unknown id: 11459 ==> undefined [1], time: 0.131700 ms 2019-Mar-02 21:13:06.923688 [ 8716] [INF] [arkdll] [5888] id: 11461, timestamp: 21:13:06.923, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 5756/9540:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe context: start addr: 0x77b8e230, image: 0x77b40000:\Device\HarddiskVolume4\Windows\SysWOW64\ntdll.dll terminated win process: \Device\HarddiskVolume4\Program Files (x86)\Google\Update\GoogleUpdate.exe:5756 fileinfo: size: 153168, easize: 784, attr: 0x120, buildtime: 09.05.2018 02:44:45.000, ctime: 04.12.2018 23:01:13.937, atime: 02.03.2019 21:09:11.101, mtime: 04.12.2018 23:01:12.954, descr: Установщик Google, ver: 1.3.33.17, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain View|O=Google Inc|CN=Google Inc, timestamp: 09.05.2018 02:44:47.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 8c0d2a1cf79e9e34107e2e1aaafa818ecf1f6943 status: db_cert_white_list, signed, pe32, db_cert_protected / signed / unknown / unknown id: 11461 ==> undefined [1], time: 0.115600 ms 2019-Mar-02 21:13:06.929205 [ 8716] [INF] [arkdll] [5888] id: 11464, timestamp: 21:13:06.928, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 8208/8648:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe context: start addr: 0x7ff637770538, image: 0x7ff637750000:\Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe terminated win process: \Device\HarddiskVolume4\Program Files (x86)\Google\Update\1.3.33.23\GoogleCrashHandler64.exe:8208 fileinfo: size: 369960, easize: 784, attr: 0x120, buildtime: 05.12.2018 06:12:34.000, ctime: 20.12.2018 18:07:05.187, atime: 02.03.2019 21:09:21.644, mtime: 20.12.2018 18:07:03.986, descr: Google Crash Handler, ver: 1.3.33.23, company: Google Inc., oname: GoogleUpdate.exe signer: C=US|ST=California|L=Mountain 
View|O=Google Inc|CN=Google Inc, timestamp: 05.12.2018 06:12:40.000, thumbprint: 1a6ac0549a4a44264deb6ff003391da2f285b19f file sha1: 00a44ba18164aceeacabe5384c661e9fe52411ac status: db_cert_white_list, signed, pe64, db_cert_protected / signed / unknown / unknown id: 11464 ==> undefined [1], time: 0.124800 ms 2019-Mar-02 21:13:06.933766 [ 8716] [INF] [arkdll] [5888] id: 11465, timestamp: 21:13:06.933, type: ServiceStart (58), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/1060:\Device\HarddiskVolume4\Windows\System32\services.exe request by: \Device\HarddiskVolume4\WINDOWS\system32\svchost.exe:992 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.707, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost svc name: wisvc, wow64: 0 cmd: id: 11465 ==> allowed [2], time: 0.076800 ms 2019-Mar-02 21:13:06.937905 [ 8716] [INF] [arkdll] [5888] id: 11467, timestamp: 21:13:06.937, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 788/1060:\Device\HarddiskVolume4\Windows\System32\services.exe created process: \Device\HarddiskVolume4\Windows\System32\services.exe:788 => \Device\HarddiskVolume4\Windows\System32\svchost.exe:9328 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 14, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s wisvc status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 11467 ==> allowed [2], time: 0.638200 ms 2019-Mar-02 21:13:07.111305 [ 8716] [INF] [arkdll] [5936] id: 11515, timestamp: 21:13:07.110, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 1524/1868:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 
0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:1524 => \Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Local\MEGAsync\MEGAupdater.exe:12180 sid: S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 32, ilevel: medium, sesion id: 1, type: 0, reason: 0, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\Users\IPSinelnikov_1\AppData\Local\MEGAsync\MEGAupdater.exe fileinfo: size: 615160, easize: 772, attr: 0x20, buildtime: 08.02.2019 01:43:16.000, ctime: 17.11.2017 20:39:51.735, atime: 02.03.2019 14:40:05.647, mtime: 19.02.2019 21:44:26.020, descr: MEGAupdater, ver: , company: Mega Limited, oname: MEGAupdater.exe signer: SERIALNUMBER=4136598|C=NZ|ST=Auckland|L=Auckland|O=Mega Limited|CN=Mega Limited, timestamp: 08.02.2019 02:24:20.000, thumbprint: d0ac9eb6f7959eb8ad4199fa23ff4a25b1f0f9be file sha1: 00bd3ca460af3e989a61a66bef0f8443b55f20e0 status: signed, pe32 / signed / unknown / unknown id: 11515 ==> undefined [1], time: 0.474200 ms 2019-Mar-02 21:13:07.247229 [ 8716] [INF] [arkdll] [5888] id: 11542, timestamp: 21:13:07.245, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 2300/4128:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:2300 => \Device\HarddiskVolume4\Windows\System32\wbem\WMIADAP.exe:10256 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 2, new: 0, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: wmiadap.exe /F /T /R status: signed_microsoft / signed_microsoft / unknown / unknown id: 11542 ==> allowed [2], time: 1.963900 ms 2019-Mar-02 21:13:07.363063 [ 8744] [INF] [arkdll] [5888] id: 11572, timestamp: 21:13:07.361, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 
992/552:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:992 => \Device\HarddiskVolume4\Windows\System32\dllhost.exe:8360 sid: S-1-5-18, bitness: 64, ilevel: system, sesion id: 0, type: 0, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E} status: signed_microsoft, system_file_host / signed_microsoft / unknown / dllhost id: 11572 ==> allowed [2], time: 0.742600 ms 2019-Mar-02 21:13:07.616126 [ 8744] [INF] [arkdll] [5888] id: 11592, timestamp: 21:13:07.615, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 12180/10636:\Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Local\MEGAsync\MEGAupdater.exe context: start addr: 0x77b8e230, image: 0x77b40000:\Device\HarddiskVolume4\Windows\SysWOW64\ntdll.dll terminated win process: \Device\HarddiskVolume4\Users\IPSinelnikov_1\AppData\Local\MEGAsync\MEGAupdater.exe:12180 fileinfo: size: 615160, easize: 772, attr: 0x20, buildtime: 08.02.2019 01:43:16.000, ctime: 17.11.2017 20:39:51.735, atime: 02.03.2019 14:40:05.647, mtime: 19.02.2019 21:44:26.020, descr: MEGAupdater, ver: , company: Mega Limited, oname: MEGAupdater.exe signer: SERIALNUMBER=4136598|C=NZ|ST=Auckland|L=Auckland|O=Mega Limited|CN=Mega Limited, timestamp: 08.02.2019 02:24:20.000, thumbprint: d0ac9eb6f7959eb8ad4199fa23ff4a25b1f0f9be file sha1: 00bd3ca460af3e989a61a66bef0f8443b55f20e0 status: signed, pe32 / signed / unknown / unknown id: 11592 ==> undefined [1], time: 0.180900 ms 2019-Mar-02 21:13:07.779570 [ 8744] [INF] [arkdll] [5888] id: 11599, timestamp: 21:13:07.779, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 4256/4260:\Device\HarddiskVolume4\Windows\System32\SearchFilterHost.exe context: start addr: 0x7ff6abb16680, 
image: 0x7ff6abb10000:\Device\HarddiskVolume4\Windows\System32\SearchFilterHost.exe terminated win process: \Device\HarddiskVolume4\WINDOWS\system32\SearchFilterHost.exe:4256 fileinfo: size: 240640, easize: 1036, attr: 0x20, buildtime: 0, ctime: 12.12.2018 16:43:57.311, atime: 02.03.2019 21:09:09.587, mtime: 12.12.2018 16:43:57.345, descr: Microsoft Windows Search Filter Host, ver: 7.0.17763.168 (WinBuild.160101.0800), company: Microsoft Corporation, oname: SearchFilterHost.exe status: signed_microsoft / signed_microsoft / clean / unknown id: 11599 ==> undefined [1], time: 0.103900 ms 2019-Mar-02 21:13:10.384957 [ 8716] [INF] [email] Template name: devguard_texts.access_to_image_blocked 2019-Mar-02 21:13:10.385021 [ 8716] [INF] [email] Template not expanded header: Dr.Web: процессу запрещен доступ Рє веб-камере not expanded body: Dr.Web заблокировал доступ Рє веб-камере РІ соответствии СЃ настройками.<br/>Процесс: $(base.process_exe). 2019-Mar-02 21:13:12.454147 [ 8716] [INF] [arkdll] [5888] id: 11702, timestamp: 21:13:12.453, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 8360/8540:\Device\HarddiskVolume4\Windows\System32\dllhost.exe context: start addr: 0x7ff74c641490, image: 0x7ff74c640000:\Device\HarddiskVolume4\Windows\System32\dllhost.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\dllhost.exe:8360 fileinfo: size: 21304, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.482, atime: 02.03.2019 21:13:07.360, mtime: 15.09.2018 11:28:45.482, descr: COM Surrogate, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: dllhost.exe status: signed_microsoft, system_file_host / signed_microsoft / unknown / dllhost id: 11702 ==> undefined [1], time: 0.105300 ms 2019-Mar-02 21:13:12.666595 [ 8732] [INF] [email] Message to address 'sinelnikovip@yandex.ru' (from: 'sinelnikovip@yandex.ru') was successfully sent. 
2019-Mar-02 21:13:13.277753 [ 8744] [INF] [arkdll] [5888] id: 11713, timestamp: 21:13:13.277, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-18, cid: 7904/11896:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ff72a2e4510, image: 0x7ff72a2e0000:\Device\HarddiskVolume4\Windows\System32\svchost.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:7904 fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:13:06.851, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / unknown / svchost id: 11713 ==> undefined [1], time: 0.105500 ms 2019-Mar-02 21:13:17.695746 [ 8748] [INF] [arkdll] [5888] id: 11754, timestamp: 21:13:17.693, type: PsInject (43), flags: 1 (wait: 1) sid: S-1-5-18, cid: 2560/2752:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll hips: type: 18, action: deny [5] curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s ShellHWDetection fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.872, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost inject: QueueApc [8], flags: 0x0, start addr: 0x7ffc476dff30, addr: 0x0, param: 0x7ffc45632c10, len: 0, target: bitness: 64, init: 1, image: \Device\HarddiskVolume4\Windows\explorer.exe:6440 fileinfo: size: 4245280, easize: 1072, attr: 0x20, buildtime: 0, ctime: 14.11.2018 18:09:53.074, atime: 02.03.2019 21:09:13.964, mtime: 
14.11.2018 18:09:53.166, descr: Windows Explorer, ver: 10.0.17763.107 (WinBuild.160101.0800), company: Microsoft Corporation, oname: EXPLORER.EXE status: signed_microsoft / signed_microsoft / unknown / unknown apc info: 0x7ffc476dff30:\Device\HarddiskVolume4\Windows\System32\ntdll.dll ==> 0x7ffc45632c10:\Device\HarddiskVolume4\Windows\System32\shell32.dll id: 11754 ==> allowed [2], time: 0.275100 ms 2019-Mar-02 21:13:17.698819 [ 8748] [INF] [arkdll] [5888] id: 11755, timestamp: 21:13:17.698, type: PsInject (43), flags: 1 (wait: 1) sid: S-1-5-18, cid: 2560/2736:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll hips: type: 18, action: deny [5] curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s ShellHWDetection fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.872, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost inject: QueueApc [8], flags: 0x0, start addr: 0x7ffc476dff30, addr: 0x0, param: 0x7ffc45632c10, len: 0, target: bitness: 64, init: 1, image: \Device\HarddiskVolume4\Windows\explorer.exe:6440 fileinfo: size: 4245280, easize: 1072, attr: 0x20, buildtime: 0, ctime: 14.11.2018 18:09:53.074, atime: 02.03.2019 21:09:13.964, mtime: 14.11.2018 18:09:53.166, descr: Windows Explorer, ver: 10.0.17763.107 (WinBuild.160101.0800), company: Microsoft Corporation, oname: EXPLORER.EXE status: signed_microsoft / signed_microsoft / unknown / unknown apc info: 0x7ffc476dff30:\Device\HarddiskVolume4\Windows\System32\ntdll.dll ==> 0x7ffc45632c10:\Device\HarddiskVolume4\Windows\System32\shell32.dll id: 11755 ==> allowed [2], time: 0.253300 ms 2019-Mar-02 21:13:17.699686 [ 
8748] [INF] [arkdll] [5888] id: 11756, timestamp: 21:13:17.698, type: PsInject (43), flags: 1 (wait: 1) sid: S-1-5-18, cid: 2560/2740:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll hips: type: 18, action: deny [5] curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s ShellHWDetection fileinfo: size: 51696, easize: 1104, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:45.623, atime: 02.03.2019 21:09:12.872, mtime: 15.09.2018 11:28:45.623, descr: Host Process for Windows Services, ver: 10.0.17763.1 (WinBuild.160101.0800), company: Microsoft Corporation, oname: svchost.exe status: signed_microsoft, system_file_host / signed_microsoft / clean / svchost inject: QueueApc [8], flags: 0x0, start addr: 0x7ffc476dff30, addr: 0x0, param: 0x7ffc45632c10, len: 0, target: bitness: 64, init: 1, image: \Device\HarddiskVolume4\Windows\explorer.exe:6440 fileinfo: size: 4245280, easize: 1072, attr: 0x20, buildtime: 0, ctime: 14.11.2018 18:09:53.074, atime: 02.03.2019 21:09:13.964, mtime: 14.11.2018 18:09:53.166, descr: Windows Explorer, ver: 10.0.17763.107 (WinBuild.160101.0800), company: Microsoft Corporation, oname: EXPLORER.EXE status: signed_microsoft / signed_microsoft / unknown / unknown apc info: 0x7ffc476dff30:\Device\HarddiskVolume4\Windows\System32\ntdll.dll ==> 0x7ffc45632c10:\Device\HarddiskVolume4\Windows\System32\shell32.dll id: 11756 ==> allowed [2], time: 0.221100 ms 2019-Mar-02 21:13:19.200032 [ 8716] [INF] [arkdll] [5888] id: 11791, timestamp: 21:13:19.199, type: RegSetValue (14), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 6440/6936:\Device\HarddiskVolume4\Windows\explorer.exe context: start addr: 0x7ffc44b2c220, image: 0x7ffc44b00000:\Device\HarddiskVolume4\Windows\System32\SHCore.dll hips: type: 111, action: allow [2] cmd: C:\WINDOWS\Explorer.EXE fileinfo: size: 4245280, easize: 1072, 
attr: 0x20, buildtime: 0, ctime: 14.11.2018 18:09:53.074, atime: 02.03.2019 21:09:13.964, mtime: 14.11.2018 18:09:53.166, descr: Windows Explorer, ver: 10.0.17763.107 (WinBuild.160101.0800), company: Microsoft Corporation, oname: EXPLORER.EXE status: signed_microsoft / signed_microsoft / unknown / unknown key: \REGISTRY\USER\S-1-5-21-190118300-1958815214-1410102576-1001\Software\Microsoft\Internet Explorer\Toolbar, access: 0x0 value: Locked, type: dword id: 11791 ==> allowed [2], time: 0.152700 ms 2019-Mar-02 21:13:19.344589 [ 8716] [INF] [arkdll] [5888] id: 11793, timestamp: 21:13:19.343, type: RegSetValue (14), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 6440/6936:\Device\HarddiskVolume4\Windows\explorer.exe context: start addr: 0x7ffc44b2c220, image: 0x7ffc44b00000:\Device\HarddiskVolume4\Windows\System32\SHCore.dll hips: type: 111, action: allow [2] cmd: C:\WINDOWS\Explorer.EXE fileinfo: size: 4245280, easize: 1072, attr: 0x20, buildtime: 0, ctime: 14.11.2018 18:09:53.074, atime: 02.03.2019 21:09:13.964, mtime: 14.11.2018 18:09:53.166, descr: Windows Explorer, ver: 10.0.17763.107 (WinBuild.160101.0800), company: Microsoft Corporation, oname: EXPLORER.EXE status: signed_microsoft / signed_microsoft / unknown / unknown key: \REGISTRY\USER\S-1-5-21-190118300-1958815214-1410102576-1001\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser, access: 0x0 value: ITBar7Layout, type: binary id: 11793 ==> allowed [2], time: 0.157800 ms 2019-Mar-02 21:13:19.779918 [ 8716] [INF] [arkdll] [5936] id: 11800, timestamp: 21:13:19.775, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 992/564:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:992 => \Device\HarddiskVolume4\Windows\System32\dllhost.exe:11164 sid: 
S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 64, ilevel: medium, sesion id: 1, type: 0, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} status: signed_microsoft, system_file_host / signed_microsoft / unknown / dllhost id: 11800 ==> allowed [2], time: 2.219800 ms 2019-Mar-02 21:13:23.437297 [ 8748] [INF] [arkdll] [5936] id: 11863, timestamp: 21:13:23.432, type: PsCreate (16), flags: 1 (wait: 1) sid: S-1-5-18, cid: 992/2404:\Device\HarddiskVolume4\Windows\System32\svchost.exe context: start addr: 0x7ffc476aff80, image: 0x7ffc47660000:\Device\HarddiskVolume4\Windows\System32\ntdll.dll created process: \Device\HarddiskVolume4\Windows\System32\svchost.exe:992 => \Device\HarddiskVolume4\Windows\System32\rundll32.exe:10156 sid: S-1-5-21-190118300-1958815214-1410102576-1001, bitness: 64, ilevel: medium, sesion id: 1, type: 0, reason: 3, new: 1, dbg: 0, wsl: 0 curdir: C:\WINDOWS\system32\, cmd: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding status: signed_microsoft, system_file_host / signed_microsoft / unknown / rundll object: <command line> ==> Ok [0, time: 1197 ms] id: 11863 ==> allowed [2], time: 4.930900 ms 2019-Mar-02 21:13:23.495267 [ 8748] [INF] [arkdll] [5936] id: 11867, timestamp: 21:13:23.494, type: PsDelete (17), flags: 1 (wait: 1) sid: S-1-5-21-190118300-1958815214-1410102576-1001, cid: 10156/7756:\Device\HarddiskVolume4\Windows\System32\rundll32.exe context: start addr: 0x7ff6da846340, image: 0x7ff6da840000:\Device\HarddiskVolume4\Windows\System32\rundll32.exe terminated win process: \Device\HarddiskVolume4\Windows\System32\rundll32.exe:10156 fileinfo: size: 71168, easize: 1092, attr: 0x20, buildtime: 0, ctime: 15.09.2018 11:28:57.796, atime: 02.03.2019 21:13:23.431, mtime: 15.09.2018 11:28:57.796, descr: Windows host process (Rundll32), ver: 10.0.17763.1 