What is sexplayer.exe?
sexplayer.exe is usually located in the 'c:\downloads\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about sexplayer.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
sexplayer.exe is not signed.
VirusTotal report
None of the 58 anti-virus programs at VirusTotal detected the sexplayer.exe file.
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"downloads_file": [
"http:\/\/www.bing.com\/favicon.ico"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF207CC4AAE4AB494B.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{21140F32-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{21140F33-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFEE06690E5D3B2A93.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFAC088FE259298364.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFF87886A4501D4600.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\index.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFDC9B763F9B922FE4.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7D4099A60B7852D1.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF1E6E91729FB841D8.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFC36DF5D143C4549E.TMP"
],
"file_recreated": [
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\??\\MountPointManager",
"\\Device\\KsecDD",
"\\??\\C:",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\??\\Nsi",
"\\Device\\Afd\\Endpoint"
],
"dll_loaded": [
"C:\\Windows\\system32\\pnrpnsp.dll",
"DNSAPI.dll",
"SHELL32.dll",
"UxTheme.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\MSCTF.dll",
"PROPSYS.dll",
"SspiCli.dll",
"ole32.dll",
"USER32.dll",
"OLEAUT32.DLL",
"msfeeds.dll",
"C:\\Windows\\system32\\actxprxy.dll",
"C:\\Windows\\System32\\mswsock.dll",
"Shell32.dll",
"C:\\Windows\\System32\\wship6.dll",
"UXTHEME.DLL",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"urlmon.dll",
"propsys.dll",
"apphelp.dll",
"kernel32.dll",
"CRYPTBASE.dll",
"oleaut32.dll",
"C:\\Windows\\system32\\napinsp.dll",
"schannel",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"MLANG.dll",
"C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll",
"C:\\Windows\\system32\\Oleacc.dll",
"IMM32.dll",
"C:\\Program Files\\Internet Explorer\\sqmapi.dll",
"comdlg32.dll",
"C:\\Windows\\System32\\fwpuclnt.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"RASAPI32.dll",
"profapi.dll",
"dhcpcsvc.DLL",
"comctl32.dll",
"VERSION.dll",
"RpcRtRemote.dll",
"user32.dll",
"MSIMG32.dll",
"CRYPT32.dll",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Program Files\\Internet Explorer\\ieproxy.dll",
"NTDLL.DLL",
"shlwapi.dll",
"iphlpapi",
"USERENV.dll",
"CRYPTSP.dll",
"mshtml.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"msctf.dll",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32",
"sensapi.dll",
"IEShims.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\system32\\IEUI.dll",
"SXS.DLL",
"dhcpcsvc6.DLL",
"ADVAPI32.dll",
"advapi32",
"SETUPAPI.dll",
"WS2_32.dll",
"IEFRAME.dll",
"gdiplus.dll",
"wintrust.dll",
"USER32.DLL",
"ntmarta.dll",
"C:\\Windows\\system32\\Msimtf.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"rasadhlp.dll",
"dnsapi",
"OLEACC.DLL",
"RASMAN.DLL",
"IEUI.dll",
"COMCTL32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"wininet.dll",
"SHELL32.DLL",
"OLEAUT32.dll",
"DHCPCSVC.DLL",
"RPCRT4.dll",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"ws2_32",
"C:\\Windows\\system32\\mswsock.dll",
"DWMAPI.DLL",
"Normaliz.dll"
],
"file_opened": [
"C:\\Users\\cuck\\Favorites\\Links",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN.url",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Entertainment.url",
"C:\\Windows\\System32\\en-US\\MSCTF.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\Favorites\\Windows Live\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\",
"C:\\Users\\cuck\\Favorites\\Links\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Windows\\System32\\wininet.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\System32\\url.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSNBC News.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\System32\\ieframe.dll",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft Store.url",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Windows\\System32\\en-US\\urlmon.dll.mui",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3",
"C:\\Users\\cuck\\Favorites\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT",
"C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\Favorites\\Links for United States\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\",
"C:\\Windows\\System32\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Windows\\System32\\en-US\\MLANG.dll.mui",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Spaces.url",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Autos.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Sports.url",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft At Work.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url",
"C:\\Users\\cuck\\Favorites\\Links\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Get Windows Live.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\",
"C:\\Users\\cuck\\AppData\\",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Mail.url",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\",
"C:\\Windows\\WindowsShell.manifest",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\IE Add-on site.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft At Home.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\",
"C:\\Users\\cuck\\Favorites\\Links for United States\\USA.gov.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\",
"C:\\Users\\cuck\\Favorites\\Links for United States\\GobiernoUSA.gov.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\550f3c94f7a1c77a5812a745ece0ff04d944e6de0c592408249c118c5dd54323.bin.html",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Gallery.url",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Money.url"
],
"command_line": [
"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2504 CREDAT:14337"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{21140F32-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{21140F33-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFEE06690E5D3B2A93.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFC36DF5D143C4549E.TMP"
],
"file_failed": [
"C:\\966\\pics\\f0_2013-04-07.jpg",
"C:\\966\\js\\jquery-1.9.1.min.js",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\AppData",
"C:\\966\\images\\IMG_2017081531.jpg",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\js\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\966\\images\\ad03.jpg",
"C:\\966\\css\\index.css",
"C:\\966\\images\\IMG_2017082355.jpg",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\",
"\\Sessions\\1\\BaseNamedObjects\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\966\\images\\IMG_2017081997.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\966\\js\\",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\966\\images\\ad07.jpg",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\js\\flw.js",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\966\\images\\ad08.gif",
"C:\\966\\images\\IMG_2017081981.jpg",
"C:\\966\\images\\IMG_2017082015.jpg",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\966\\css\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\966\\images\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds",
"C:\\966\\images\\ad06.jpg",
"\\Device\\RasAcd",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\966\\pics\\",
"\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (21140F31-B4AF-11E9-8829-08002749D99B, 0)",
"C:\\966\\css\\common.css",
"C:\\966\\js\\6666.js"
],
"guid": [
"{6f237df9-9ddb-47ad-b218-400d54c286ad}",
"{c43dc798-95d1-4bea-9030-bb99e2983a1a}",
"{04c18ccf-1f57-4cbd-88cc-3900f5195ce3}",
"{06eee834-461c-42c2-8dcf-1502b527b1f9}",
"{00020420-0000-0000-c000-000000000046}",
"{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
"{6e26e776-04f0-495d-80e4-3330352e3169}",
"{25336920-03f9-11cf-8fd0-00aa00686f13}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{465a756d-45ad-4305-85fd-d3321650f3b7}",
"{00000146-0000-0000-c000-000000000046}",
"{6c736dc1-ab0d-11d0-a2ad-00a0c90f27e8}",
"{4516cee1-97da-4030-a444-2d8e296b96b6}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{f5078f32-c551-11d3-89b9-0000f81fe221}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{fbf23b40-e3f0-101b-8488-00aa003e56f8}",
"{000214e6-0000-0000-c000-000000000046}",
"{00000001-0000-0000-c000-000000000046}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
"{ff393560-c2a7-11cf-bff4-444553540000}",
"{00000323-0000-0000-c000-000000000046}",
"{0000010b-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
"{2933bf81-7b36-11d2-b20e-00c04f983e60}",
"{00021500-0000-0000-c000-000000000046}",
"{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
"{3050f429-98b5-11cf-bb82-00aa00bdce0b}",
"{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}",
"{ab310581-ac80-11d1-8df3-00c04fb6ef69}",
"{30766bd2-ea1c-4f28-bf27-0b44e2f68db7}",
"{79eac9ef-baf9-11ce-8c82-00aa004ba90b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{50d5107a-d278-4871-8989-f4ceaaf59cfc}",
"{bb1a2ae1-a4f9-11cf-8f20-00805f2cd064}",
"{3050f4cf-98b5-11cf-bb82-00aa00bdce0b}",
"{7d096c5f-ac08-4f1f-beb7-5c22c517ce39}",
"{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}",
"{e7e4bc40-e76a-11ce-a9bb-00aa004ae837}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{00000109-0000-0000-c000-000000000046}",
"{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}",
"{6c736db1-bd94-11d0-8a23-00aa00b58e10}",
"{3050f406-98b5-11cf-bb82-00aa00bdce0b}",
"{08c0e040-62d1-11d1-9326-0060b067b86e}"
]
}Dropped
[
{
"yara": [],
"sha1": "6b6564fbf033fd405c200e3a6d8b82b9f89be785",
"name": "8d5646b7738a307a_{21140f33-b4af-11e9-8829-08002749d99b}.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{21140F33-B4AF-11E9-8829-08002749D99B}.dat",
"type": "Composite Document File V2 Document, Cannot read section info",
"sha256": "8d5646b7738a307a4a6a15e42a522a9f1c5efd2ec162c8b7147b25f00184a2b4",
"urls": [],
"crc32": "9878723B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1472\/files\/8d5646b7738a307a_{21140f33-b4af-11e9-8829-08002749d99b}.dat",
"ssdeep": null,
"size": 7168,
"sha512": "b9f20eaa0ace65175ed980a920cb41334fb4172e779ae355fd6da487c704a688c83c6296ed14dabfe81eac69057ab66d907f944d0061d4e1069fdf097f967027",
"pids": [
2504
],
"md5": "6eb77f3bcd42a01d87a30e122c0647b3"
},
{
"yara": [],
"sha1": "cbf614bfd63f06417c5c390d71eb491519488652",
"name": "3f139c3448492413_recoverystore.{21140f32-b4af-11e9-8829-08002749d99b}.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{21140F32-B4AF-11E9-8829-08002749D99B}.dat",
"type": "Composite Document File V2 Document, Cannot read section info",
"sha256": "3f139c34484924132154575ffe1b322bf609ecca910b04bbf14c14013314bc00",
"urls": [],
"crc32": "312861E7",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/1472\/files\/3f139c3448492413_recoverystore.{21140f32-b4af-11e9-8829-08002749d99b}.dat",
"ssdeep": null,
"size": 3584,
"sha512": "4e585859d59e90aaa48f62a9a23f48d301220e06fbbba3b9bff4437bb245505cfff86ddc5d9cd0897937c7c316fdf048a5573ae668e7951e4a0b86963e94ce94",
"pids": [
2504
],
"md5": "3a459ea55f3739dae437439eed767ab5"
}
]Generic
[
{
"process_path": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
"process_name": "iexplore.exe",
"pid": 2504,
"summary": {
"downloads_file": [
"http:\/\/www.bing.com\/favicon.ico"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF207CC4AAE4AB494B.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{21140F32-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{21140F33-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFEE06690E5D3B2A93.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFAC088FE259298364.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFF87886A4501D4600.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFDC9B763F9B922FE4.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7D4099A60B7852D1.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF1E6E91729FB841D8.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFC36DF5D143C4549E.TMP"
],
"file_recreated": [
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\??\\MountPointManager",
"\\Device\\KsecDD",
"\\??\\C:",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\??\\Nsi",
"\\Device\\Afd\\Endpoint"
],
"dll_loaded": [
"IEFRAME.dll",
"C:\\Windows\\System32\\fwpuclnt.dll",
"sensapi.dll",
"urlmon.dll",
"propsys.dll",
"C:\\Windows\\System32\\mswsock.dll",
"msfeeds.dll",
"dhcpcsvc.DLL",
"rasadhlp.dll",
"Shell32.dll",
"kernel32.dll",
"comdlg32.dll",
"CRYPTBASE.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"NTDLL.DLL",
"shlwapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"iphlpapi",
"UxTheme.dll",
"ntmarta.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Program Files\\Internet Explorer\\ieproxy.dll",
"PROPSYS.dll",
"WININET.dll",
"C:\\Windows\\System32\\wship6.dll",
"dnsapi",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"DHCPCSVC.DLL",
"OLEAUT32.DLL",
"SspiCli.dll",
"ole32.dll",
"CRYPT32.dll",
"CRYPTSP.dll",
"USER32.dll",
"IMM32.dll",
"apphelp.dll",
"C:\\Program Files\\Internet Explorer\\sqmapi.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"RASMAN.DLL",
"msctf.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"wininet.dll",
"C:\\Windows\\system32\\actxprxy.dll",
"SHELL32.DLL",
"C:\\Windows\\system32\\xmllite.dll",
"RASAPI32.dll",
"OLEAUT32.dll",
"profapi.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\winrnr.dll",
"IEUI.dll",
"comctl32.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\system32\\IEUI.dll",
"VERSION.dll",
"ws2_32",
"MLANG.dll",
"UXTHEME.DLL",
"dhcpcsvc6.DLL",
"C:\\Windows\\system32\\mswsock.dll",
"SXS.DLL",
"ADVAPI32.dll",
"rpcrt4.dll",
"advapi32",
"SETUPAPI.dll",
"WS2_32.dll",
"C:\\Windows\\system32\\MSCTF.dll",
"user32.dll",
"MSIMG32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\Favorites\\Links",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN.url",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Entertainment.url",
"C:\\Windows\\System32\\en-US\\MSCTF.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\Favorites\\Windows Live\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\",
"C:\\Users\\cuck\\Favorites\\Links\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Windows\\System32\\wininet.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\System32\\url.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSNBC News.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\System32\\ieframe.dll",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft Store.url",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Windows\\System32\\en-US\\urlmon.dll.mui",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3",
"C:\\Users\\cuck\\Favorites\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\Favorites\\Links for United States\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\",
"C:\\Windows\\System32\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Spaces.url",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Autos.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Sports.url",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft At Work.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url",
"C:\\Users\\cuck\\Favorites\\Links\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Get Windows Live.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\",
"C:\\Users\\cuck\\AppData\\",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Mail.url",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\IE Add-on site.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft At Home.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\",
"C:\\Users\\cuck\\Favorites\\Links for United States\\USA.gov.url",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\",
"C:\\Users\\cuck\\Favorites\\Links for United States\\GobiernoUSA.gov.url",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Gallery.url",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Money.url"
],
"command_line": [
"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2504 CREDAT:14337"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{21140F32-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{21140F33-B4AF-11E9-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFEE06690E5D3B2A93.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFC36DF5D143C4549E.TMP"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\",
"\\Sessions\\1\\BaseNamedObjects\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds",
"\\Device\\RasAcd",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (21140F31-B4AF-11E9-8829-08002749D99B, 0)"
],
"guid": [
"{6f237df9-9ddb-47ad-b218-400d54c286ad}",
"{c43dc798-95d1-4bea-9030-bb99e2983a1a}",
"{04c18ccf-1f57-4cbd-88cc-3900f5195ce3}",
"{06eee834-461c-42c2-8dcf-1502b527b1f9}",
"{00020420-0000-0000-c000-000000000046}",
"{6e26e776-04f0-495d-80e4-3330352e3169}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{465a756d-45ad-4305-85fd-d3321650f3b7}",
"{00000146-0000-0000-c000-000000000046}",
"{4516cee1-97da-4030-a444-2d8e296b96b6}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{f5078f32-c551-11d3-89b9-0000f81fe221}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{fbf23b40-e3f0-101b-8488-00aa003e56f8}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
"{00000323-0000-0000-c000-000000000046}",
"{0000010b-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
"{2933bf81-7b36-11d2-b20e-00c04f983e60}",
"{00021500-0000-0000-c000-000000000046}",
"{ab310581-ac80-11d1-8df3-00c04fb6ef69}",
"{30766bd2-ea1c-4f28-bf27-0b44e2f68db7}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{7d096c5f-ac08-4f1f-beb7-5c22c517ce39}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{00000109-0000-0000-c000-000000000046}"
]
},
"first_seen": 1564707188.625,
"ppid": 1512
},
{
"process_path": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
"process_name": "iexplore.exe",
"pid": 816,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\index.dat"
],
"file_recreated": [
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\??\\MountPointManager",
"\\??\\C:",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\??\\Nsi",
"\\Device\\Afd\\Endpoint"
],
"dll_loaded": [
"IEFRAME.dll",
"C:\\Windows\\System32\\fwpuclnt.dll",
"gdiplus.dll",
"sensapi.dll",
"urlmon.dll",
"mshtml.dll",
"C:\\Windows\\System32\\mswsock.dll",
"apphelp.dll",
"dhcpcsvc.DLL",
"rasadhlp.dll",
"Shell32.dll",
"kernel32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"CRYPTBASE.dll",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Windows\\system32\\ole32.dll",
"IEShims.dll",
"dwmapi.dll",
"shlwapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"USER32.DLL",
"iphlpapi",
"ntmarta.dll",
"RASAPI32.dll",
"C:\\Windows\\system32\\Msimtf.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Program Files\\Internet Explorer\\ieproxy.dll",
"PROPSYS.dll",
"WININET.dll",
"C:\\Windows\\System32\\wship6.dll",
"dnsapi",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"DHCPCSVC.DLL",
"OLEACC.DLL",
"SspiCli.dll",
"C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll",
"C:\\Windows\\system32\\Oleacc.dll",
"ole32.dll",
"CRYPT32.dll",
"CRYPTSP.dll",
"USER32.dll",
"OLEAUT32.DLL",
"C:\\Program Files\\Internet Explorer\\sqmapi.dll",
"comdlg32.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"MLANG.dll",
"wintrust.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"wininet.dll",
"C:\\Windows\\system32\\actxprxy.dll",
"IMM32.dll",
"DWMAPI.DLL",
"OLEAUT32",
"OLEAUT32.dll",
"profapi.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"comctl32.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"COMCTL32.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"RASMAN.DLL",
"SXS.DLL",
"USERENV.dll",
"RpcRtRemote.dll",
"ws2_32",
"dhcpcsvc6.DLL",
"schannel",
"UxTheme.dll",
"Normaliz.dll",
"C:\\Windows\\system32\\mswsock.dll",
"VERSION.dll",
"ADVAPI32.dll",
"rpcrt4.dll",
"advapi32",
"SETUPAPI.dll",
"WS2_32.dll",
"C:\\Windows\\system32\\MSCTF.dll",
"user32.dll",
"oleaut32.dll"
],
"file_opened": [
"C:\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\",
"C:\\Windows\\WindowsShell.manifest",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Windows\\System32\\en-US\\MSCTF.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\",
"C:\\Windows\\System32\\en-US\\urlmon.dll.mui",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\MSIMGSIZ.DAT",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019080120190802\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\index.dat",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\550f3c94f7a1c77a5812a745ece0ff04d944e6de0c592408249c118c5dd54323.bin.html",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck",
"C:\\Windows\\System32\\en-US\\MLANG.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\wininet.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\System32\\ieframe.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\"
],
"file_failed": [
"C:\\966\\pics\\f0_2013-04-07.jpg",
"\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\js\\",
"\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\966\\images\\IMG_2017081531.jpg",
"C:\\966\\images\\ad03.jpg",
"C:\\966\\css\\index.css",
"C:\\966\\images\\IMG_2017082355.jpg",
"C:\\966\\images\\IMG_2017081997.jpg",
"C:\\966\\js\\",
"C:\\Users\\cuck\\AppData\\Roaming",
"\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}",
"\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\966\\images\\ad07.jpg",
"\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\js\\flw.js",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck",
"\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\966\\pics\\",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\966\\images\\ad08.gif",
"C:\\966\\images\\IMG_2017081981.jpg",
"C:\\966\\css\\",
"C:\\966\\images\\IMG_2017082015.jpg",
"C:\\966\\images\\ad06.jpg",
"C:\\966\\images\\",
"C:\\966\\js\\jquery-1.9.1.min.js",
"\\Device\\RasAcd",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\966\\css\\common.css",
"C:\\966\\js\\6666.js"
],
"guid": [
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{00000146-0000-0000-c000-000000000046}",
"{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
"{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}",
"{25336920-03f9-11cf-8fd0-00aa00686f13}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{3050f4cf-98b5-11cf-bb82-00aa00bdce0b}",
"{6c736dc1-ab0d-11d0-a2ad-00a0c90f27e8}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}",
"{000214e6-0000-0000-c000-000000000046}",
"{00000001-0000-0000-c000-000000000046}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
"{ff393560-c2a7-11cf-bff4-444553540000}",
"{00000323-0000-0000-c000-000000000046}",
"{e7e4bc40-e76a-11ce-a9bb-00aa004ae837}",
"{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
"{3050f429-98b5-11cf-bb82-00aa00bdce0b}",
"{79eac9ef-baf9-11ce-8c82-00aa004ba90b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{50d5107a-d278-4871-8989-f4ceaaf59cfc}",
"{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}",
"{bb1a2ae1-a4f9-11cf-8f20-00805f2cd064}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{6c736db1-bd94-11d0-8a23-00aa00b58e10}",
"{3050f406-98b5-11cf-bb82-00aa00bdce0b}",
"{08c0e040-62d1-11d1-9326-0060b067b86e}"
]
},
"first_seen": 1564707191.2961,
"ppid": 2504
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1564707188.3281,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Executes javascript",
"severity": 2,
"marks": [
{
"call": {
"category": "iexplore",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "COleScript_Compile",
"return_value": -2040119292,
"arguments": {
"type": "JScript - window script block",
"script": "\u0001"
},
"time": 1564706762.6124,
"tid": 1576,
"flags": {}
},
"pid": 816,
"type": "call",
"cid": 357
}
],
"references": [],
"name": "js_eval"
},
{
"markcount": 45,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000000005fff0000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2504,
"type": "call",
"cid": 65
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 67
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 69
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 70
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 71
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778cd000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 72
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 73
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778d4000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 74
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 75
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000007fefc360000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2504,
"type": "call",
"cid": 76
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 77
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 78
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff8c4000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 79
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefe0c1000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 80
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778c0000"
},
"time": 1564706759.3783,
"tid": 2924,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2504,
"type": "call",
"cid": 81
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2504,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x0000000002bb0000"
},
"time": 1564706760.0813,
"tid": 2584,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2504,
"type": "call",
"cid": 615
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000000005fff0000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 816,
"type": "call",
"cid": 17
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 18
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 19
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 20
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 21
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 22
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 23
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778cd000"
},
"time": 1564706761.8624,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 24
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 25
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778d4000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 26
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 27
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000007fefc360000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 816,
"type": "call",
"cid": 28
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 29
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 30
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff8c4000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 31
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefe0c1000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 32
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778c0000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 33
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feffa17000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 34
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778bf000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 35
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778bd000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 36
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778bb000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 37
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feffb47000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 38
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff864000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 39
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff861000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 40
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff866000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 41
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff861000"
},
"time": 1564706761.8784,
"tid": 2256,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 816,
"type": "call",
"cid": 42
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 816,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x0000000002360000"
},
"time": 1564706762.0964,
"tid": 1576,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 816,
"type": "call",
"cid": 158
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2504 CREDAT:14337",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 2,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2504 resumed a thread in remote process 816",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000000000000578",
"suspend_count": 1,
"process_identifier": 816
},
"time": 1564706761.6743,
"tid": 2924,
"flags": {}
},
"pid": 2504,
"type": "call",
"cid": 828
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.189031124115,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 7818,
"time": 9.2979741096497,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9662,
"time": 5.4295790195465,
"dport": 5355,
"sport": 49840
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 9982,
"time": 2.9671940803528,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10302,
"time": 1.0161340236664,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10630,
"time": 3.021989107132,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10958,
"time": 1.5181741714478,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11286,
"time": -0.089166879653931,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11614,
"time": 3.0690670013428,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 11942,
"time": 1.0877771377563,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 31352,
"time": 1.0465700626373,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 39736,
"time": 3.1908049583435,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "803a575190c958aa23ee0c9804f41c0922bc06f70d1e5f833be80105c89bdcbe",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "db4964af104c7339d0b8c81b7cfb82926077f46f29a09314ea88e2ac50b23349",
"irc": [],
"https_ex": []
}Screenshots
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 3bc0a9a851740b2fbf007d8d26eba0df |
| SHA256 | 550f3c94f7a1c77a5812a745ece0ff04d944e6de0c592408249c118c5dd54323 |
Error Messages
These are some of the error messages that can appear related to sexplayer.exe:
sexplayer.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
sexplayer.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
sexplayer.exe has stopped working.
End Program - sexplayer.exe. This program is not responding.
sexplayer.exe is not a valid Win32 application.
sexplayer.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with sexplayer.exe?
To help other users, please let us know what you will do with sexplayer.exe:
Malware or legitimate?
If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.
And now some shameless self promotion ;)
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.