What is kfuyod.exe?
kfuyod.exe is usually located in the 'c:\downloads\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about kfuyod.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
kfuyod.exe is not signed.
VirusTotal report
None of the 54 anti-virus programs at VirusTotal detected the kfuyod.exe file.
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"downloads_file": [
"http:\/\/www.bing.com\/favicon.ico"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF84A9CBDA9A2C1C73.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF18393DB08CBBA5DC.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFDFFFFE0F068100B1.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFB51BFC77ADC2A802.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{AC372AC1-DCC4-11EA-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFD6413F93CB087130.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF51892300DDE0BF68.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF3E7C1276CCA312AE.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF887548F1610B03CE.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{AC372AC0-DCC4-11EA-8829-08002749D99B}.dat"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"\\??\\C:",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"\\??\\MountPointManager",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\Device\\Afd\\Endpoint",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\??\\Nsi"
],
"dll_loaded": [
"C:\\Windows\\system32\\pnrpnsp.dll",
"DNSAPI.dll",
"SHELL32.dll",
"UXTHEME.DLL",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"ImgUtil.dll",
"C:\\Windows\\system32\\MSCTF.dll",
"PROPSYS.dll",
"SspiCli.dll",
"ole32.dll",
"USER32.dll",
"OLEAUT32.DLL",
"msfeeds.dll",
"C:\\Windows\\system32\\actxprxy.dll",
"C:\\Windows\\System32\\mswsock.dll",
"Shell32.dll",
"C:\\Windows\\System32\\wship6.dll",
"dhcpcsvc6.DLL",
"rpcrt4.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"urlmon.dll",
"mshtml.dll",
"apphelp.dll",
"kernel32.dll",
"CRYPTBASE.dll",
"oleaut32.dll",
"C:\\Windows\\system32\\napinsp.dll",
"WININET.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"MLANG.dll",
"C:\\Windows\\system32\\Oleacc.dll",
"IMM32.dll",
"C:\\Program Files\\Internet Explorer\\sqmapi.dll",
"comdlg32.dll",
"C:\\Windows\\System32\\fwpuclnt.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"RASAPI32.dll",
"profapi.dll",
"dhcpcsvc.DLL",
"comctl32.dll",
"VERSION.dll",
"RpcRtRemote.dll",
"user32.dll",
"MSIMG32.dll",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Program Files\\Internet Explorer\\ieproxy.dll",
"NTDLL.DLL",
"shlwapi.dll",
"iphlpapi",
"UxTheme.dll",
"CRYPTSP.dll",
"C:\\Windows\\system32\\msimg32.dll",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"msctf.dll",
"C:\\Windows\\system32\\xmllite.dll",
"OLEAUT32",
"sensapi.dll",
"IEShims.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\system32\\IEUI.dll",
"SXS.DLL",
"ADVAPI32.dll",
"advapi32",
"SETUPAPI.dll",
"WS2_32.dll",
"IEFRAME.dll",
"USER32.DLL",
"ntmarta.dll",
"C:\\Windows\\system32\\Msimtf.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"rasadhlp.dll",
"dnsapi",
"OLEACC.DLL",
"RASMAN.DLL",
"IEUI.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"wininet.dll",
"SHELL32.DLL",
"OLEAUT32.dll",
"DHCPCSVC.DLL",
"RPCRT4.dll",
"C:\\Windows\\System32\\winrnr.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"ws2_32",
"C:\\Windows\\system32\\mswsock.dll",
"DWMAPI.DLL",
"Normaliz.dll"
],
"file_opened": [
"C:\\Users\\cuck\\Favorites\\Links",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"C:\\Windows\\System32\\en-US\\MSCTF.dll.mui",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ee7227c7382e40839613f361530ba5644e318ffa1b996f823f8ca67875c00757.bin.html",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Windows\\System32\\wininet.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\System32\\url.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\",
"C:\\Windows\\System32\\ieframe.dll",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Windows\\System32\\en-US\\urlmon.dll.mui",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3",
"C:\\Users\\cuck\\Favorites\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\",
"C:\\Windows\\System32\\en-US\\jscript.dll.mui",
"C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\System32\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url",
"C:\\Users\\cuck\\Favorites\\Links\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\",
"C:\\Users\\cuck\\AppData\\",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\",
"C:\\Windows\\WindowsShell.manifest",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Windows\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Windows\\System32\\"
],
"command_line": [
"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2888 CREDAT:14337"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{AC372AC1-DCC4-11EA-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF887548F1610B03CE.TMP",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF3E7C1276CCA312AE.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{AC372AC0-DCC4-11EA-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\AppData",
"C:\\static\\images\\toolbar\\wayback-toolbar-logo.png",
"C:\\Users\\cuck\\Favorites",
"C:\\static\\js\\",
"C:\\static\\css\\",
"C:\\static\\images\\toolbar\\wm_tb_prv_off.png",
"C:\\static\\js\\timestamp.js",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"\\Sessions\\1\\BaseNamedObjects\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\static\\js\\jquery-1.11.1.min.js",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\static\\images\\toolbar\\wm_tb_nxt_off.png",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\static\\images\\toolbar\\",
"C:\\static\\css\\banner-styles.css",
"C:\\static\\js\\graph-calc.js",
"\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}",
"\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\static\\images\\",
"C:\\static\\js\\toolbar.js",
"\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\static\\js\\auto-complete.js",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\includes\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds",
"\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (AC372ABF-DCC4-11EA-8829-08002749D99B, 0)",
"C:\\static\\images\\loading.gif",
"\\Device\\RasAcd",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\static\\css\\iconochive.css"
],
"guid": [
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{6a01fda0-30df-11d0-b724-00aa006c1a01}",
"{c43dc798-95d1-4bea-9030-bb99e2983a1a}",
"{3050f4cf-98b5-11cf-bb82-00aa00bdce0b}",
"{06eee834-461c-42c2-8dcf-1502b527b1f9}",
"{00020420-0000-0000-c000-000000000046}",
"{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
"{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}",
"{25336920-03f9-11cf-8fd0-00aa00686f13}",
"{a3ccedf7-2de2-11d0-86f4-00a0c913f750}",
"{6f237df9-9ddb-47ad-b218-400d54c286ad}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{4ef17940-30e0-11d0-b724-00aa006c1a01}",
"{6e89f8e2-9a2a-4797-9b91-41146bdf0e7b}",
"{465a756d-45ad-4305-85fd-d3321650f3b7}",
"{00000146-0000-0000-c000-000000000046}",
"{6c736dc1-ab0d-11d0-a2ad-00a0c90f27e8}",
"{4516cee1-97da-4030-a444-2d8e296b96b6}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{f5078f32-c551-11d3-89b9-0000f81fe221}",
"{a3ccedf3-2de2-11d0-86f4-00a0c913f750}",
"{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}",
"{871c5380-42a0-1069-a2ea-08002b30309d}",
"{000214e6-0000-0000-c000-000000000046}",
"{00000001-0000-0000-c000-000000000046}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
"{d9e89500-30fa-11d0-b724-00aa006c1a01}",
"{00000323-0000-0000-c000-000000000046}",
"{0000010b-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
"{2933bf81-7b36-11d2-b20e-00c04f983e60}",
"{e7e4bc40-e76a-11ce-a9bb-00aa004ae837}",
"{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
"{3050f429-98b5-11cf-bb82-00aa00bdce0b}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{8856f961-340a-11d0-a96b-00c04fd705a2}",
"{79eac9ef-baf9-11ce-8c82-00aa004ba90b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{50d5107a-d278-4871-8989-f4ceaaf59cfc}",
"{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}",
"{bb1a2ae1-a4f9-11cf-8f20-00805f2cd064}",
"{00021500-0000-0000-c000-000000000046}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{fbf23b40-e3f0-101b-8488-00aa003e56f8}",
"{30c3b080-30fb-11d0-b724-00aa006c1a01}",
"{00000109-0000-0000-c000-000000000046}",
"{6e26e776-04f0-495d-80e4-3330352e3169}",
"{6c736db1-bd94-11d0-8a23-00aa00b58e10}",
"{3050f406-98b5-11cf-bb82-00aa00bdce0b}",
"{08c0e040-62d1-11d1-9326-0060b067b86e}",
"{e569bde7-a8dc-47f3-893f-fd2b31b3eefd}"
]
}Dropped
[
{
"yara": [],
"sha1": "47f78f68d72e3d9041acc9107a6b0d665f408385",
"name": "70f316a5492848bb_down[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"type": "PNG image data, 15 x 15, 8-bit\/color RGBA, non-interlaced",
"sha256": "70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880",
"urls": [],
"crc32": "9EA3279D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/70f316a5492848bb_down[1]",
"ssdeep": null,
"size": 3414,
"sha512": "021f2f0da228a23826cfddf2898e2b63787b3be2d94a49e58fc6973628b3995dc690ff7a80a09974b7769b45c7e5df953edb5632562c907273d7071af5ad253c",
"pids": [
344
],
"md5": "555e83ce7f5d280d7454af334571fb25"
},
{
"yara": [],
"sha1": "a6d24e8a1ffd7e6fc0d1ecd00e67eb72425019a7",
"name": "eb5678de9d8f29ca_errorpagestrings[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c",
"urls": [],
"crc32": "1B8FC3FF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/eb5678de9d8f29ca_errorpagestrings[1]",
"ssdeep": null,
"size": 1817,
"sha512": "4f68d0f0c897ce4c751d5b7b51e7fb9ea31e0c0641376919a2c77ee094ece6b7ef203a29f03a6af1665036a471585f853c906caa2afdb2b822cc4be320f0cae7",
"pids": [
344
],
"md5": "1a0563f7fb85a678771450b131ed66fd"
},
{
"yara": [],
"sha1": "098b04b7237860874db38b22830387937aeb5073",
"name": "6976c426e3ac66d6_noconnect[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"type": "PNG image data, 48 x 48, 8-bit\/color RGBA, non-interlaced",
"sha256": "6976c426e3ac66d66303c114b22b2b41109a7de648ba55ffc3e5a53bd0db09e7",
"urls": [],
"crc32": "F9D26F41",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/6976c426e3ac66d6_noconnect[1]",
"ssdeep": null,
"size": 8230,
"sha512": "e307d058de7d1168f0f0f5e51657091f956af310dc55e967fffac06ebd73bfed4c33d488b4af3297dd0dfeedd26c9d53728fd75722b333c9c2cde016d52ff58b",
"pids": [
344
],
"md5": "3cb8faccd5de434d415ab75c17e8fd86"
},
{
"yara": [],
"sha1": "b326a89ee587636bad7ad52aa944dc314fc6a6e2",
"name": "62a7038cc42c1482_tools[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"type": "PNG image data, 16 x 16, 8-bit\/color RGBA, non-interlaced",
"sha256": "62a7038cc42c1482d70465192318f21fc1ce0f0c737cb8804137f38a1f9d680b",
"urls": [],
"crc32": "6793DDC5",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/62a7038cc42c1482_tools[1]",
"ssdeep": null,
"size": 3560,
"sha512": "7fd273080b9ab234576d61233ec62b0e02506e99deddb76c3dfb02e125de60a26d67553b5d23e2d2d0e82d551fab5ed51092f9f437eaef682950953ac24d0d9c",
"pids": [
344
],
"md5": "6f20ba58551e13cfd87ec059327effd0"
},
{
"yara": [],
"sha1": "250c965d7f4eb882d2289706a6c66e2b8976c1a8",
"name": "1ff3334c3eb27033_dnserror[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"type": "HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "1ff3334c3eb27033f8f37029fd72f648edd4551fce85fc1f5159feaea1439630",
"urls": [],
"crc32": "D67C7CDA",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/1ff3334c3eb27033_dnserror[1]",
"ssdeep": null,
"size": 5947,
"sha512": "60ea2052fa47781c1c9c09512f2bebeee4704efe44ea38e92fcb7684347740e0402c95ffd3c59a64e747f185939e0ad479ff942cdb99897d87531048bb4b9ff5",
"pids": [
344
],
"md5": "68e03ed57ec741a4afbbcd11fab1bdbe"
},
{
"yara": [],
"sha1": "62c180ec01ff2c30396fb1601004123f56b10d2f",
"name": "07d07a467e4988d3_favcenter[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"type": "PNG image data, 16 x 16, 8-bit\/color RGBA, non-interlaced",
"sha256": "07d07a467e4988d3c377acd6dc9e53abca6b64e8fbf70f6be19d795a1619289b",
"urls": [],
"crc32": "7FE3FBCC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/07d07a467e4988d3_favcenter[1]",
"ssdeep": null,
"size": 3366,
"sha512": "28a82e06f8c59d637630d0426950b0b0a9c3e553d8712e918a304f7fffd961dd06642d17cf3957f2d11574801b61f89c07e049834e7c8d88c90537dcc10c70b0",
"pids": [
344
],
"md5": "25d76ee5fb5b890f2cc022d94a42fe19"
},
{
"yara": [],
"sha1": "fe815ae0f865ec4c26e421bf0bd21bb09bc6f410",
"name": "58268ca71a28973b_httperrorpagesscripts[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"type": "UTF-8 Unicode (with BOM) text, with CRLF, CR line terminators",
"sha256": "58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c",
"urls": [
"http:\/\/www.DocURL.com\/bar.htm",
"http:\/\/www.microsoft.com\/bar.htm"
],
"crc32": "A7C34EF3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/58268ca71a28973b_httperrorpagesscripts[1]",
"ssdeep": null,
"size": 8601,
"sha512": "40d33112debdd440f169d3a62b06607afa94c45903c3e650093036b3af2d616310ad6e0a4774f92927295cd3967963d127f63df33c4e763f0d40f306aa52449e",
"pids": [
344
],
"md5": "e7ca76a3c9ee0564471671d500e3f0f3"
},
{
"yara": [],
"sha1": "56bac3d2c88a83628134b36322e37deb6b00b1a1",
"name": "1cb3b6ea56c5b5de_bullet[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"type": "PNG image data, 15 x 15, 8-bit\/color RGBA, non-interlaced",
"sha256": "1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16",
"urls": [],
"crc32": "51CC83D9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/1cb3b6ea56c5b5de_bullet[1]",
"ssdeep": null,
"size": 3169,
"sha512": "8d975b96217e503d9fe01cf81d56500ef66a2dedd9ab70ebf0ad475f09522aef0107a6aae38e3c292bcdb206439611f1c2ce05aa692546ee8d56ba640d78bc4e",
"pids": [
344
],
"md5": "0c4c086dd852704e8eeb8ff83e3b73d1"
},
{
"yara": [],
"sha1": "c2e7ab3ce114465ea7060f2ef738afcb3341a384",
"name": "caa140523ba00994_info_48[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"type": "PNG image data, 47 x 48, 8-bit\/color RGBA, non-interlaced",
"sha256": "caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff",
"urls": [],
"crc32": "4C99540A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/caa140523ba00994_info_48[1]",
"ssdeep": null,
"size": 6993,
"sha512": "fede6e06011d2203f0359ba7b178771e4dd6500af1c72dd13456f0fad0cde3b75b8709af68447d25b2b916126d85808579940aa24e25b2357d407afd1143da08",
"pids": [
344
],
"md5": "49e0ef03e74704089a60c437085db89e"
},
{
"yara": [],
"sha1": "42464c70fc16f3f361c2419751acd57d51613cdf",
"name": "bee0439fcf31de76_navcancl[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"type": "HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228",
"urls": [],
"crc32": "912EA90C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/bee0439fcf31de76_navcancl[1]",
"ssdeep": null,
"size": 2713,
"sha512": "bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e",
"pids": [
344
],
"md5": "4bcfe9f8db04948cddb5e31fe6a7f984"
},
{
"yara": [],
"sha1": "f4eda06901edb98633a686b11d02f4925f827bf0",
"name": "8d018639281b33da_errorpagetemplate[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators",
"sha256": "8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f",
"urls": [],
"crc32": "E6FF242A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/8d018639281b33da_errorpagetemplate[1]",
"ssdeep": null,
"size": 2168,
"sha512": "62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436",
"pids": [
344
],
"md5": "f4fe1cb77e758e1ba56b8a8ec20417c5"
},
{
"yara": [],
"sha1": "8d7da06bac1cf353a013d00f143c5642a41d8b7b",
"name": "e5129403ad3049e5_recoverystore.{ac372ac0-dcc4-11ea-8829-08002749d99b}.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{AC372AC0-DCC4-11EA-8829-08002749D99B}.dat",
"type": "Composite Document File V2 Document, Cannot read section info",
"sha256": "e5129403ad3049e5f855345c14f03412e4d4070e7cd7016f0b3fbc3598b21c1e",
"urls": [],
"crc32": "BFC4C107",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/e5129403ad3049e5_recoverystore.{ac372ac0-dcc4-11ea-8829-08002749d99b}.dat",
"ssdeep": null,
"size": 3584,
"sha512": "73821a43ae97ec79b0aa8f1941179e54df0e47d20f9963ebd4095c5369a9151b78d549fc117fad35a49c1ae3419b33572757bd6b83ceab702e76e5e4ba0813f4",
"pids": [
2888
],
"md5": "ac3cc0ea6bf9416dfaee245ae100ca56"
},
{
"yara": [],
"sha1": "51f5fc61d8bf19100df0f8aadaa57fcd9c086255",
"name": "1471693be91e53c2_background_gradient[1]",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]",
"type": "JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3",
"sha256": "1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b",
"urls": [],
"crc32": "C2D0CE77",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/1471693be91e53c2_background_gradient[1]",
"ssdeep": null,
"size": 453,
"sha512": "5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a",
"pids": [
344
],
"md5": "20f0110ed5e4e0d5384a496e4880139b"
},
{
"yara": [],
"sha1": "7aaa938e101548e39e8fc4d188c3e05f155b345e",
"name": "85387fa7d23200e7_{ac372ac1-dcc4-11ea-8829-08002749d99b}.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{AC372AC1-DCC4-11EA-8829-08002749D99B}.dat",
"type": "Composite Document File V2 Document, Cannot read section info",
"sha256": "85387fa7d23200e74271045b18bec45d1d05054c6581d3edc7523349f542f81b",
"urls": [],
"crc32": "D1F83C6D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/8893\/files\/85387fa7d23200e7_{ac372ac1-dcc4-11ea-8829-08002749d99b}.dat",
"ssdeep": null,
"size": 8192,
"sha512": "2345a9364c0743c4f4676d23c272b05f628fed8af7541fd481e4e8430279447a92ad2ca36f7d0dfb996ef3cd7e90a45aebd1848e0fda3d69a942716f31b35037",
"pids": [
2888
],
"md5": "f9d80a28b0ef830e69ada66742e77a50"
}
]Generic
[
{
"process_path": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
"process_name": "iexplore.exe",
"pid": 344,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]"
],
"file_recreated": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"\\??\\C:",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"\\??\\MountPointManager",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\Device\\Afd\\Endpoint",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"\\??\\Nsi"
],
"dll_loaded": [
"IEFRAME.dll",
"sensapi.dll",
"urlmon.dll",
"OLEACC.DLL",
"mshtml.dll",
"C:\\Windows\\System32\\mswsock.dll",
"apphelp.dll",
"rasadhlp.dll",
"Shell32.dll",
"kernel32.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"CRYPTBASE.dll",
"C:\\Windows\\system32\\rsaenh.dll",
"C:\\Windows\\system32\\ole32.dll",
"IEShims.dll",
"dwmapi.dll",
"C:\\Windows\\system32\\msimg32.dll",
"shlwapi.dll",
"USER32.DLL",
"iphlpapi",
"ImgUtil.dll",
"ntmarta.dll",
"RASAPI32.dll",
"C:\\Windows\\system32\\Msimtf.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Program Files\\Internet Explorer\\ieproxy.dll",
"PROPSYS.dll",
"WININET.dll",
"C:\\Windows\\System32\\wship6.dll",
"dnsapi",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"OLEAUT32.DLL",
"SspiCli.dll",
"C:\\Windows\\system32\\Oleacc.dll",
"ole32.dll",
"CRYPTSP.dll",
"USER32.dll",
"IMM32.dll",
"C:\\Program Files\\Internet Explorer\\sqmapi.dll",
"comdlg32.dll",
"MLANG.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"wininet.dll",
"C:\\Windows\\system32\\actxprxy.dll",
"DWMAPI.DLL",
"OLEAUT32",
"OLEAUT32.dll",
"profapi.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"comctl32.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"RASMAN.DLL",
"VERSION.dll",
"RpcRtRemote.dll",
"ws2_32",
"UxTheme.dll",
"Normaliz.dll",
"C:\\Windows\\system32\\mswsock.dll",
"SXS.DLL",
"ADVAPI32.dll",
"rpcrt4.dll",
"advapi32",
"SETUPAPI.dll",
"C:\\Windows\\system32\\MSCTF.dll",
"user32.dll",
"oleaut32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"C:\\",
"C:\\Users\\cuck\\AppData",
"C:\\Windows\\System32\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\",
"C:\\Windows\\WindowsShell.manifest",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Windows\\System32\\en-US\\MSCTF.dll.mui",
"C:\\Windows\\",
"C:\\Windows\\System32\\en-US\\urlmon.dll.mui",
"C:\\Windows\\System32\\en-US\\jscript.dll.mui",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\ee7227c7382e40839613f361530ba5644e318ffa1b996f823f8ca67875c00757.bin.html",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Windows\\System32\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Windows\\System32\\wininet.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
"C:\\Windows\\System32\\rsaenh.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\System32\\ieframe.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]"
],
"file_failed": [
"\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\static\\images\\toolbar\\wayback-toolbar-logo.png",
"C:\\static\\js\\",
"C:\\static\\css\\",
"C:\\static\\images\\toolbar\\wm_tb_prv_off.png",
"C:\\static\\js\\timestamp.js",
"C:\\static\\js\\jquery-1.11.1.min.js",
"C:\\static\\images\\toolbar\\wm_tb_nxt_off.png",
"C:\\Users\\cuck\\AppData\\Roaming",
"\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\static\\images\\toolbar\\",
"C:\\static\\css\\banner-styles.css",
"C:\\static\\js\\graph-calc.js",
"\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck",
"C:\\static\\images\\",
"C:\\static\\js\\toolbar.js",
"\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\static\\js\\auto-complete.js",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\includes\\",
"C:\\static\\images\\loading.gif",
"\\Device\\RasAcd",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\static\\css\\iconochive.css"
],
"guid": [
"{275c23e2-3747-11d0-9fea-00aa003f8646}",
"{6a01fda0-30df-11d0-b724-00aa006c1a01}",
"{3050f4cf-98b5-11cf-bb82-00aa00bdce0b}",
"{9ba05972-f6a8-11cf-a442-00a0c90a8f39}",
"{dccfc164-2b38-11d2-b7ec-00c04f8f5d9a}",
"{25336920-03f9-11cf-8fd0-00aa00686f13}",
"{a3ccedf7-2de2-11d0-86f4-00a0c913f750}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{4ef17940-30e0-11d0-b724-00aa006c1a01}",
"{6e89f8e2-9a2a-4797-9b91-41146bdf0e7b}",
"{00000146-0000-0000-c000-000000000046}",
"{6c736dc1-ab0d-11d0-a2ad-00a0c90f27e8}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{a3ccedf3-2de2-11d0-86f4-00a0c913f750}",
"{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}",
"{871c5380-42a0-1069-a2ea-08002b30309d}",
"{000214e6-0000-0000-c000-000000000046}",
"{00000001-0000-0000-c000-000000000046}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
"{d9e89500-30fa-11d0-b724-00aa006c1a01}",
"{00000323-0000-0000-c000-000000000046}",
"{e7e4bc40-e76a-11ce-a9bb-00aa004ae837}",
"{85cb6900-4d95-11cf-960c-0080c7f4ee85}",
"{3050f429-98b5-11cf-bb82-00aa00bdce0b}",
"{8856f961-340a-11d0-a96b-00c04fd705a2}",
"{79eac9ef-baf9-11ce-8c82-00aa004ba90b}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{50d5107a-d278-4871-8989-f4ceaaf59cfc}",
"{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}",
"{bb1a2ae1-a4f9-11cf-8f20-00805f2cd064}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{30c3b080-30fb-11d0-b724-00aa006c1a01}",
"{6c736db1-bd94-11d0-8a23-00aa00b58e10}",
"{3050f406-98b5-11cf-bb82-00aa00bdce0b}",
"{08c0e040-62d1-11d1-9326-0060b067b86e}",
"{e569bde7-a8dc-47f3-893f-fd2b31b3eefd}"
]
},
"first_seen": 1597261987.28125,
"ppid": 2888
},
{
"process_path": "C:\\Program Files\\Internet Explorer\\iexplore.exe",
"process_name": "iexplore.exe",
"pid": 2888,
"summary": {
"downloads_file": [
"http:\/\/www.bing.com\/favicon.ico"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFD6413F93CB087130.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF84A9CBDA9A2C1C73.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF51892300DDE0BF68.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF887548F1610B03CE.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF18393DB08CBBA5DC.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFDFFFFE0F068100B1.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFB51BFC77ADC2A802.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF3E7C1276CCA312AE.TMP",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{AC372AC1-DCC4-11EA-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{AC372AC0-DCC4-11EA-8829-08002749D99B}.dat"
],
"file_recreated": [
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\??\\MountPointManager",
"\\??\\C:",
"\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
"\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"\\??\\Nsi",
"\\Device\\Afd\\Endpoint"
],
"dll_loaded": [
"IEFRAME.dll",
"C:\\Windows\\System32\\fwpuclnt.dll",
"sensapi.dll",
"urlmon.dll",
"C:\\Windows\\System32\\mswsock.dll",
"msfeeds.dll",
"dhcpcsvc.DLL",
"rasadhlp.dll",
"Shell32.dll",
"kernel32.dll",
"comdlg32.dll",
"C:\\Windows\\System32\\wshtcpip.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"NTDLL.DLL",
"shlwapi.dll",
"C:\\Windows\\system32\\napinsp.dll",
"iphlpapi",
"UxTheme.dll",
"ntmarta.dll",
"API-MS-WIN-Service-Management-L1-1-0.dll",
"C:\\Program Files\\Internet Explorer\\ieproxy.dll",
"PROPSYS.dll",
"WININET.dll",
"C:\\Windows\\System32\\wship6.dll",
"dnsapi",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"DHCPCSVC.DLL",
"OLEAUT32.DLL",
"SspiCli.dll",
"ole32.dll",
"USER32.dll",
"IMM32.dll",
"apphelp.dll",
"C:\\Program Files\\Internet Explorer\\sqmapi.dll",
"API-MS-Win-Security-SDDL-L1-1-0.dll",
"C:\\Windows\\system32\\pnrpnsp.dll",
"RASMAN.DLL",
"msctf.dll",
"rtutils.dll",
"IPHLPAPI.DLL",
"API-MS-WIN-Service-winsvc-L1-1-0.dll",
"wininet.dll",
"C:\\Windows\\system32\\actxprxy.dll",
"SHELL32.DLL",
"C:\\Windows\\system32\\xmllite.dll",
"RASAPI32.dll",
"OLEAUT32.dll",
"profapi.dll",
"SHELL32.dll",
"RPCRT4.dll",
"DNSAPI.dll",
"C:\\Windows\\System32\\winrnr.dll",
"IEUI.dll",
"comctl32.dll",
"C:\\Windows\\system32\\oleaut32.dll",
"C:\\Windows\\system32\\NLAapi.dll",
"C:\\Windows\\system32\\IEUI.dll",
"VERSION.dll",
"ws2_32",
"MLANG.dll",
"UXTHEME.DLL",
"dhcpcsvc6.DLL",
"C:\\Windows\\system32\\mswsock.dll",
"SXS.DLL",
"ADVAPI32.dll",
"rpcrt4.dll",
"advapi32",
"SETUPAPI.dll",
"WS2_32.dll",
"C:\\Windows\\system32\\MSCTF.dll",
"user32.dll",
"MSIMG32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\Favorites\\Links",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"C:\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\",
"C:\\Windows\\System32\\en-US\\MSCTF.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\Desktop\\desktop.ini",
"C:\\Windows\\System32\\shell32.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Windows\\System32\\wininet.dll",
"C:\\Windows\\System32\\oleaccrc.dll",
"C:\\Users\\cuck\\Favorites\\desktop.ini",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\",
"C:\\Windows\\System32\\url.dll",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
"C:\\Windows\\System32\\ieframe.dll",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\",
"C:\\Users\\cuck\\AppData\\Roaming\\",
"C:\\Windows\\System32\\en-US\\urlmon.dll.mui",
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3",
"C:\\Users\\cuck\\Favorites\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\",
"C:\\Windows\\System32\\stdole2.tlb",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Windows\\Fonts\\staticcache.dat",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat",
"C:\\Users\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"C:\\Users\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url",
"C:\\Users\\cuck\\Favorites\\Links\\desktop.ini",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\",
"C:\\Users\\cuck\\AppData\\",
"C:\\Windows\\System32\\ras\\",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\Desktop",
"C:\\Users\\cuck\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\",
"C:\\Users\\cuck\\AppData\\Local\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft"
],
"command_line": [
"\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2888 CREDAT:14337"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{AC372AC0-DCC4-11EA-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF3E7C1276CCA312AE.TMP",
"C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{AC372AC1-DCC4-11EA-8829-08002749D99B}.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF887548F1610B03CE.TMP"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~",
"\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\Favorites",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE",
"\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low",
"\\Sessions\\1\\BaseNamedObjects\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized",
"C:\\Users\\cuck\\AppData\\Roaming",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows",
"\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}",
"C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
"\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low",
"\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\Low",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft",
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds",
"\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (AC372ABF-DCC4-11EA-8829-08002749D99B, 0)",
"\\Device\\RasAcd",
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files"
],
"guid": [
"{6f237df9-9ddb-47ad-b218-400d54c286ad}",
"{c43dc798-95d1-4bea-9030-bb99e2983a1a}",
"{f5078f32-c551-11d3-89b9-0000f81fe221}",
"{06eee834-461c-42c2-8dcf-1502b527b1f9}",
"{00020420-0000-0000-c000-000000000046}",
"{6e26e776-04f0-495d-80e4-3330352e3169}",
"{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
"{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}",
"{465a756d-45ad-4305-85fd-d3321650f3b7}",
"{00000146-0000-0000-c000-000000000046}",
"{4516cee1-97da-4030-a444-2d8e296b96b6}",
"{d0074ffd-570f-4a9b-8d69-199fdba5723b}",
"{d5f569d0-593b-101a-b569-08002b2dbf7a}",
"{fbf23b40-e3f0-101b-8488-00aa003e56f8}",
"{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}",
"{00000323-0000-0000-c000-000000000046}",
"{0000010b-0000-0000-c000-000000000046}",
"{56fdf344-fd6d-11d0-958a-006097c9a090}",
"{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}",
"{2933bf81-7b36-11d2-b20e-00c04f983e60}",
"{00021500-0000-0000-c000-000000000046}",
"{dcb00000-570f-4a9b-8d69-199fdba5723b}",
"{a47979d2-c419-11d9-a5b4-001185ad2b89}",
"{00000109-0000-0000-c000-000000000046}"
]
},
"first_seen": 1597261985.640625,
"ppid": 2436
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1597261985.34375,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Executes javascript",
"severity": 2,
"marks": [
{
"call": {
"category": "iexplore",
"status": 1,
"stacktrace": [],
"api": "COleScript_Compile",
"return_value": 0,
"arguments": {
"type": "JScript - window script block",
"script": "window.addEventListener('DOMContentLoaded',function(){var v=archive_analytics.values;v.service='wb';v.server_name='wwwb-app103.us.archive.org';v.server_ms=245;archive_analytics.send_pageview({});});"
},
"time": 1597261990.42125,
"tid": 2248,
"flags": {}
},
"pid": 344,
"type": "call",
"cid": 401
}
],
"references": [],
"name": "js_eval"
},
{
"markcount": 45,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000000005fff0000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2888,
"type": "call",
"cid": 63
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 64
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 65
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 66
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 67
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 68
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 69
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778cd000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 70
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 71
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778d4000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 72
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1597261985.921625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 73
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000007fefc360000"
},
"time": 1597261985.937625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2888,
"type": "call",
"cid": 74
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1597261985.937625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 75
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1597261985.937625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 76
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff8c4000"
},
"time": 1597261985.937625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 77
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefe0c1000"
},
"time": 1597261985.937625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 78
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778c0000"
},
"time": 1597261985.937625,
"tid": 2392,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2888,
"type": "call",
"cid": 79
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2888,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x0000000002830000"
},
"time": 1597261986.515625,
"tid": 2244,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2888,
"type": "call",
"cid": 610
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000000005fff0000"
},
"time": 1597261987.35925,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 344,
"type": "call",
"cid": 17
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 18
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 19
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 20
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 21
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 22
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000077921000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 23
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778cd000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 24
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 25
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778d4000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 26
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778f2000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 27
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 12288,
"base_address": "0x000007fefc360000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 344,
"type": "call",
"cid": 28
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 29
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefc3b5000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 30
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff8c4000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 31
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007fefe0c1000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 32
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778c0000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 33
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feffa17000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 34
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778bf000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 35
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778bd000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 36
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x00000000778bb000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 37
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feffb47000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 38
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff864000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 39
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff861000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 40
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff866000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 41
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"base_address": "0x000007feff861000"
},
"time": 1597261987.37425,
"tid": 1616,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 344,
"type": "call",
"cid": 42
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"region_size": 65536,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffffffffffff",
"allocation_type": 4096,
"base_address": "0x0000000002770000"
},
"time": 1597261987.65625,
"tid": 2248,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 344,
"type": "call",
"cid": 172
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 1,
"families": [],
"description": "Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 344,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 1,
"length": 65536,
"protection": 32,
"process_handle": "0xffffffffffffffff",
"base_address": "0x0000000002770000"
},
"time": 1597261987.65625,
"tid": 2248,
"flags": {
"protection": "PAGE_EXECUTE_READ"
}
},
"pid": 344,
"type": "call",
"cid": 173
}
],
"references": [],
"name": "protection_rx"
},
{
"markcount": 1,
"families": [],
"description": "Uses Windows utilities for basic Windows functionality",
"severity": 2,
"marks": [
{
"category": "cmdline",
"ioc": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2888 CREDAT:14337",
"type": "ioc",
"description": null
}
],
"references": [
"http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
],
"name": "uses_windows_utilities"
},
{
"markcount": 1,
"families": [],
"description": "Dynamically creates an iframe element",
"severity": 3,
"marks": [
{
"call": {
"category": "iexplore",
"status": 1,
"stacktrace": [],
"api": "CIFrameElement_CreateElement",
"return_value": 0,
"arguments": {
"attributes": {
"src": "http:\/\/web.archive.org\/web\/20150610125232if_\/http:\/\/a.pomf.se\/kfuyod.exe",
"style": "position:absolute;top:65px;left:0;width:100%;",
"id": "playback",
"frameborder": "0"
}
},
"time": 1597261990.56225,
"tid": 2248,
"flags": {}
},
"pid": 344,
"type": "call",
"cid": 512
}
],
"references": [],
"name": "js_iframe"
},
{
"markcount": 2,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2888 resumed a thread in remote process 344",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x0000000000000558",
"suspend_count": 1,
"process_identifier": 344
},
"time": 1597261987.015625,
"tid": 2392,
"flags": {}
},
"pid": 2888,
"type": "call",
"cid": 793
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.078842878341675,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 9114,
"time": 9.093442916870117,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 10958,
"time": 2.796517848968506,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11278,
"time": 1.0149438381195068,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11606,
"time": 3.019124984741211,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 11934,
"time": 1.518198013305664,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 12262,
"time": -0.09188699722290039,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 12590,
"time": 3.036371946334839,
"dport": 5355,
"sport": 55880
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 12918,
"time": 1.0832438468933105,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 32328,
"time": 1.0421738624572754,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 40712,
"time": 3.093902826309204,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "f7178edaf3aed00b5283832d9c41378662b8ede974a71f2eaf1114cbbaac6d37",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "3d8204a84a6d25c37b1f1fedb8b1bdbccb2f7c3f2f7326633eb7e8c2e7be07de",
"irc": [],
"https_ex": []
}Screenshots
Hashes [?]
| Property | Value |
|---|---|
| MD5 | 3a3d61c083388232cd71cf47af6a4d56 |
| SHA256 | ee7227c7382e40839613f361530ba5644e318ffa1b996f823f8ca67875c00757 |
Error Messages
These are some of the error messages that can appear related to kfuyod.exe:
kfuyod.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
kfuyod.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
kfuyod.exe has stopped working.
End Program - kfuyod.exe. This program is not responding.
kfuyod.exe is not a valid Win32 application.
kfuyod.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with kfuyod.exe?
To help other users, please let us know what you will do with kfuyod.exe:
Malware or legitimate?
If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.
And now some shameless self promotion ;)
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.