crazymonsters.exe is usually located in the 'c:\downloads\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about crazymonsters.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
crazymonsters.exe does not have any version or vendor information.
crazymonsters.exe is not signed.
None of the 59 anti-virus programs at VirusTotal detected the crazymonsters.exe file.
The following information was gathered by executing the file inside Cuckoo Sandbox.
The process executed successfully in the sandbox.
{ "downloads_file": [ "http:\/\/www.bing.com\/favicon.ico" ], "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{6D1BA4D8-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFDC12BDD23AFAC58F.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF0F937188DA6ED68E.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7563FAB57D9DEE23.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet 
Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFA5A0D94A770D735A.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFB7D328EFB3E4474D.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7CCCC34AB54D59F2.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF9C8E1DFF136E57FF.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{6D1BA4D9-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFA4387CDD54E65835.TMP" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "\\??\\C:", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "\\??\\MountPointManager", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]", "\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]", "\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "\\Device\\Afd\\Endpoint", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", "\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "\\??\\Nsi" ], "dll_loaded": [ "C:\\Windows\\system32\\pnrpnsp.dll", "DNSAPI.dll", "SHELL32.dll", "UxTheme.dll", "C:\\Windows\\system32\\ole32.dll", "dwmapi.dll", "ImgUtil.dll", "C:\\Windows\\system32\\MSCTF.dll", "PROPSYS.dll", "SspiCli.dll", "ole32.dll", "USER32.dll", "OLEAUT32.DLL", "msfeeds.dll", "C:\\Windows\\system32\\actxprxy.dll", "C:\\Windows\\System32\\mswsock.dll", "Shell32.dll", "C:\\Windows\\System32\\wship6.dll", "UXTHEME.DLL", "rpcrt4.dll", 
"C:\\Windows\\System32\\wshtcpip.dll", "urlmon.dll", "mshtml.dll", "apphelp.dll", "kernel32.dll", "CRYPTBASE.dll", "oleaut32.dll", "C:\\Windows\\system32\\napinsp.dll", "WININET.dll", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "MLANG.dll", "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", "C:\\Windows\\system32\\Oleacc.dll", "IMM32.dll", "C:\\Program Files\\Internet Explorer\\sqmapi.dll", "comdlg32.dll", "C:\\Windows\\System32\\fwpuclnt.dll", "rtutils.dll", "IPHLPAPI.DLL", "RASAPI32.dll", "profapi.dll", "dhcpcsvc.DLL", "comctl32.dll", "VERSION.dll", "RpcRtRemote.dll", "user32.dll", "MSIMG32.dll", "C:\\Windows\\system32\\rsaenh.dll", "C:\\Program Files\\Internet Explorer\\ieproxy.dll", "NTDLL.DLL", "shlwapi.dll", "iphlpapi", "CRYPTSP.dll", "C:\\Windows\\system32\\msimg32.dll", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "msctf.dll", "C:\\Windows\\system32\\xmllite.dll", "OLEAUT32", "sensapi.dll", "IEShims.dll", "C:\\Windows\\system32\\NLAapi.dll", "C:\\Windows\\system32\\IEUI.dll", "SXS.DLL", "dhcpcsvc6.DLL", "ADVAPI32.dll", "advapi32", "SETUPAPI.dll", "WS2_32.dll", "IEFRAME.dll", "gdiplus.dll", "USER32.DLL", "ntmarta.dll", "C:\\Windows\\system32\\Msimtf.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "rasadhlp.dll", "dnsapi", "OLEACC.DLL", "RASMAN.DLL", "IEUI.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "wininet.dll", "SHELL32.DLL", "OLEAUT32.dll", "DHCPCSVC.DLL", "RPCRT4.dll", "C:\\Windows\\System32\\winrnr.dll", "C:\\Windows\\system32\\oleaut32.dll", "ws2_32", "C:\\Windows\\system32\\mswsock.dll", "DWMAPI.DLL", "Normaliz.dll" ], "file_opened": [ "C:\\Users\\cuck\\Favorites\\Links", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet 
Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\", "C:\\Windows\\System32\\en-US\\MSCTF.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows", "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\Windows\\System32\\shell32.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", "C:\\Windows\\System32\\wininet.dll", "C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\cuck\\Favorites\\desktop.ini", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\", "C:\\Windows\\System32\\url.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat", "C:\\Windows\\System32\\ieframe.dll", "C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\", "C:\\Users\\cuck\\AppData\\Roaming\\", "C:\\Windows\\System32\\en-US\\urlmon.dll.mui", 
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", "C:\\Users\\cuck\\Favorites\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", "C:\\Windows\\System32\\en-US\\jscript.dll.mui", "C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", "C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url", "C:\\Windows\\System32\\stdole2.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low", "C:\\Windows\\Fonts\\staticcache.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Users\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\", "C:\\Users", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", "C:\\Users\\desktop.ini", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\", "C:\\Users\\cuck", "C:\\Users\\cuck\\Favorites\\Links\\desktop.ini", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\", "C:\\Users\\cuck\\Favorites", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\", "C:\\Users\\cuck\\AppData\\", "C:\\Windows\\System32\\ras\\", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\Desktop", "C:\\Users\\cuck\\", "C:\\Windows\\WindowsShell.manifest", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\c74c55275b31d27b3baf92d91ebf08c600780abc1f66a9bc22ec2dc63ea49c1f.bin.html", "C:\\Windows\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\", "C:\\Users\\cuck\\AppData\\Local\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft", "C:\\Windows\\System32\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\" ], "command_line": [ "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2816 CREDAT:14337" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{6D1BA4D8-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFA5A0D94A770D735A.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7CCCC34AB54D59F2.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet 
Files\\Content.IE5\\I6GMLZZB\\down[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{6D1BA4D9-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]" ], "file_failed": [ "\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (6D1BA4D7-191A-11EA-8829-08002749D99B, 0)", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", "\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\Users\\cuck\\AppData", "C:\\media\\shared\\info\\index\\_hm\\", "C:\\media\\shared\\general\\_hm\\", "C:\\Users\\cuck\\Favorites", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", "\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\media\\shared\\general\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", "\\Sessions\\1\\BaseNamedObjects\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", "UNC\\www.hostmonster.com\\media\\shared\\info\\index\\_hm\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows", "\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", "\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", "\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "C:\\Users\\cuck\\AppData\\Local\\Microsoft", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches", "UNC\\www.hostmonster.com\\media\\shared\\general\\_hm\\", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds", "C:\\media\\shared\\general\\jquery\\", "\\Device\\RasAcd", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files" ], "guid": [ "{6f237df9-9ddb-47ad-b218-400d54c286ad}", "{6a01fda0-30df-11d0-b724-00aa006c1a01}", "{c43dc798-95d1-4bea-9030-bb99e2983a1a}", "{f5078f32-c551-11d3-89b9-0000f81fe221}", "{06eee834-461c-42c2-8dcf-1502b527b1f9}", 
"{00020420-0000-0000-c000-000000000046}", "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}", "{6e26e776-04f0-495d-80e4-3330352e3169}", "{25336920-03f9-11cf-8fd0-00aa00686f13}", "{a3ccedf7-2de2-11d0-86f4-00a0c913f750}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}", "{4ef17940-30e0-11d0-b724-00aa006c1a01}", "{6e89f8e2-9a2a-4797-9b91-41146bdf0e7b}", "{465a756d-45ad-4305-85fd-d3321650f3b7}", "{00000146-0000-0000-c000-000000000046}", "{6c736dc1-ab0d-11d0-a2ad-00a0c90f27e8}", "{4516cee1-97da-4030-a444-2d8e296b96b6}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{a3ccedf3-2de2-11d0-86f4-00a0c913f750}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{fbf23b40-e3f0-101b-8488-00aa003e56f8}", "{000214e6-0000-0000-c000-000000000046}", "{00000001-0000-0000-c000-000000000046}", "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}", "{d9e89500-30fa-11d0-b724-00aa006c1a01}", "{00000323-0000-0000-c000-000000000046}", "{0000010b-0000-0000-c000-000000000046}", "{56fdf344-fd6d-11d0-958a-006097c9a090}", "{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}", "{2933bf81-7b36-11d2-b20e-00c04f983e60}", "{00021500-0000-0000-c000-000000000046}", "{85cb6900-4d95-11cf-960c-0080c7f4ee85}", "{3050f429-98b5-11cf-bb82-00aa00bdce0b}", "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}", "{8856f961-340a-11d0-a96b-00c04fd705a2}", "{79eac9ef-baf9-11ce-8c82-00aa004ba90b}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{50d5107a-d278-4871-8989-f4ceaaf59cfc}", "{3050f4cf-98b5-11cf-bb82-00aa00bdce0b}", "{bb1a2ae1-a4f9-11cf-8f20-00805f2cd064}", "{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}", "{e7e4bc40-e76a-11ce-a9bb-00aa004ae837}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{871c5380-42a0-1069-a2ea-08002b30309d}", "{30c3b080-30fb-11d0-b724-00aa006c1a01}", "{00000109-0000-0000-c000-000000000046}", "{6c736db1-bd94-11d0-8a23-00aa00b58e10}", "{3050f406-98b5-11cf-bb82-00aa00bdce0b}", "{08c0e040-62d1-11d1-9326-0060b067b86e}", "{e569bde7-a8dc-47f3-893f-fd2b31b3eefd}" ] }
[ { "yara": [], "sha1": "47f78f68d72e3d9041acc9107a6b0d665f408385", "name": "70f316a5492848bb_down[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]", "type": "PNG image data, 15 x 15, 8-bit\/color RGBA, non-interlaced", "sha256": "70f316a5492848bb8242d49539468830b353ddaa850964db4e60a6d2d7db4880", "urls": [], "crc32": "9EA3279D", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/70f316a5492848bb_down[1]", "ssdeep": null, "size": 3414, "sha512": "021f2f0da228a23826cfddf2898e2b63787b3be2d94a49e58fc6973628b3995dc690ff7a80a09974b7769b45c7e5df953edb5632562c907273d7071af5ad253c", "pids": [ 300 ], "md5": "555e83ce7f5d280d7454af334571fb25" }, { "yara": [], "sha1": "a6d24e8a1ffd7e6fc0d1ecd00e67eb72425019a7", "name": "eb5678de9d8f29ca_errorpagestrings[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators", "sha256": "eb5678de9d8f29ca6893d4e6ca79bd5ab4f312813820fe4997b009a2b1a1654c", "urls": [], "crc32": "1B8FC3FF", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/eb5678de9d8f29ca_errorpagestrings[1]", "ssdeep": null, "size": 1817, "sha512": "4f68d0f0c897ce4c751d5b7b51e7fb9ea31e0c0641376919a2c77ee094ece6b7ef203a29f03a6af1665036a471585f853c906caa2afdb2b822cc4be320f0cae7", "pids": [ 300 ], "md5": "1a0563f7fb85a678771450b131ed66fd" }, { "yara": [], "sha1": "098b04b7237860874db38b22830387937aeb5073", "name": "6976c426e3ac66d6_noconnect[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "type": "PNG image data, 48 x 48, 8-bit\/color RGBA, non-interlaced", "sha256": "6976c426e3ac66d66303c114b22b2b41109a7de648ba55ffc3e5a53bd0db09e7", "urls": [], "crc32": "F9D26F41", "path": 
"\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/6976c426e3ac66d6_noconnect[1]", "ssdeep": null, "size": 8230, "sha512": "e307d058de7d1168f0f0f5e51657091f956af310dc55e967fffac06ebd73bfed4c33d488b4af3297dd0dfeedd26c9d53728fd75722b333c9c2cde016d52ff58b", "pids": [ 300 ], "md5": "3cb8faccd5de434d415ab75c17e8fd86" }, { "yara": [], "sha1": "b326a89ee587636bad7ad52aa944dc314fc6a6e2", "name": "62a7038cc42c1482_tools[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", "type": "PNG image data, 16 x 16, 8-bit\/color RGBA, non-interlaced", "sha256": "62a7038cc42c1482d70465192318f21fc1ce0f0c737cb8804137f38a1f9d680b", "urls": [], "crc32": "6793DDC5", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/62a7038cc42c1482_tools[1]", "ssdeep": null, "size": 3560, "sha512": "7fd273080b9ab234576d61233ec62b0e02506e99deddb76c3dfb02e125de60a26d67553b5d23e2d2d0e82d551fab5ed51092f9f437eaef682950953ac24d0d9c", "pids": [ 300 ], "md5": "6f20ba58551e13cfd87ec059327effd0" }, { "yara": [], "sha1": "250c965d7f4eb882d2289706a6c66e2b8976c1a8", "name": "1ff3334c3eb27033_dnserror[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "type": "HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators", "sha256": "1ff3334c3eb27033f8f37029fd72f648edd4551fce85fc1f5159feaea1439630", "urls": [], "crc32": "D67C7CDA", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/1ff3334c3eb27033_dnserror[1]", "ssdeep": null, "size": 5947, "sha512": "60ea2052fa47781c1c9c09512f2bebeee4704efe44ea38e92fcb7684347740e0402c95ffd3c59a64e747f185939e0ad479ff942cdb99897d87531048bb4b9ff5", "pids": [ 300 ], "md5": "68e03ed57ec741a4afbbcd11fab1bdbe" }, { "yara": [], "sha1": "852776411bc46aa1d7aa13e0c2c03f4fe279bc31", "name": "05bb8b39655eae3b_recoverystore.{6d1ba4d8-191a-11ea-8829-08002749d99b}.dat", "filepath": 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{6D1BA4D8-191A-11EA-8829-08002749D99B}.dat", "type": "Composite Document File V2 Document, Cannot read section info", "sha256": "05bb8b39655eae3b4d2df2f84ebcca4d4717d9e5f442e45c608ab36c4e3fbad5", "urls": [], "crc32": "B0E4A80E", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/05bb8b39655eae3b_recoverystore.{6d1ba4d8-191a-11ea-8829-08002749d99b}.dat", "ssdeep": null, "size": 3584, "sha512": "bc03803d35d6b54ee982e5872d96f1ebd3040eac50342bf99294bd3ebe1835a8c47a67582ced175d56c06168050208e8ddebdb64e43383e6575c402ef772aad6", "pids": [ 2816 ], "md5": "c3a65b0e3ee5ee28e1f4484938e7ba6e" }, { "yara": [], "sha1": "62c180ec01ff2c30396fb1601004123f56b10d2f", "name": "07d07a467e4988d3_favcenter[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "type": "PNG image data, 16 x 16, 8-bit\/color RGBA, non-interlaced", "sha256": "07d07a467e4988d3c377acd6dc9e53abca6b64e8fbf70f6be19d795a1619289b", "urls": [], "crc32": "7FE3FBCC", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/07d07a467e4988d3_favcenter[1]", "ssdeep": null, "size": 3366, "sha512": "28a82e06f8c59d637630d0426950b0b0a9c3e553d8712e918a304f7fffd961dd06642d17cf3957f2d11574801b61f89c07e049834e7c8d88c90537dcc10c70b0", "pids": [ 300 ], "md5": "25d76ee5fb5b890f2cc022d94a42fe19" }, { "yara": [], "sha1": "fe815ae0f865ec4c26e421bf0bd21bb09bc6f410", "name": "58268ca71a28973b_httperrorpagesscripts[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", "type": "UTF-8 Unicode (with BOM) text, with CRLF, CR line terminators", "sha256": "58268ca71a28973b756a48bbd7c9dc2f6b87b62ae343e582ce067c725275b63c", "urls": [ "http:\/\/www.DocURL.com\/bar.htm", "http:\/\/www.microsoft.com\/bar.htm" ], "crc32": "A7C34EF3", "path": 
"\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/58268ca71a28973b_httperrorpagesscripts[1]", "ssdeep": null, "size": 8601, "sha512": "40d33112debdd440f169d3a62b06607afa94c45903c3e650093036b3af2d616310ad6e0a4774f92927295cd3967963d127f63df33c4e763f0d40f306aa52449e", "pids": [ 300 ], "md5": "e7ca76a3c9ee0564471671d500e3f0f3" }, { "yara": [], "sha1": "56bac3d2c88a83628134b36322e37deb6b00b1a1", "name": "1cb3b6ea56c5b5de_bullet[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", "type": "PNG image data, 15 x 15, 8-bit\/color RGBA, non-interlaced", "sha256": "1cb3b6ea56c5b5decf5e1d487ad51dbb2f62e6a6c78f23c1c81fda1b64f8db16", "urls": [], "crc32": "51CC83D9", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/1cb3b6ea56c5b5de_bullet[1]", "ssdeep": null, "size": 3169, "sha512": "8d975b96217e503d9fe01cf81d56500ef66a2dedd9ab70ebf0ad475f09522aef0107a6aae38e3c292bcdb206439611f1c2ce05aa692546ee8d56ba640d78bc4e", "pids": [ 300 ], "md5": "0c4c086dd852704e8eeb8ff83e3b73d1" }, { "yara": [], "sha1": "c2e7ab3ce114465ea7060f2ef738afcb3341a384", "name": "caa140523ba00994_info_48[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "type": "PNG image data, 47 x 48, 8-bit\/color RGBA, non-interlaced", "sha256": "caa140523ba00994536b33618654e379216261babaae726164a0f74157bb11ff", "urls": [], "crc32": "4C99540A", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/caa140523ba00994_info_48[1]", "ssdeep": null, "size": 6993, "sha512": "fede6e06011d2203f0359ba7b178771e4dd6500af1c72dd13456f0fad0cde3b75b8709af68447d25b2b916126d85808579940aa24e25b2357d407afd1143da08", "pids": [ 300 ], "md5": "49e0ef03e74704089a60c437085db89e" }, { "yara": [], "sha1": "4180ffdacc7959f9f78623d83f793ef9fc5b0573", "name": "d1133e76cd06ca7b_{6d1ba4d9-191a-11ea-8829-08002749d99b}.dat", "filepath": 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{6D1BA4D9-191A-11EA-8829-08002749D99B}.dat", "type": "Composite Document File V2 Document, Cannot read section info", "sha256": "d1133e76cd06ca7b7025711225cb66f43530196d81db183da65c42d701b2e3d6", "urls": [], "crc32": "AAEBF86C", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/d1133e76cd06ca7b_{6d1ba4d9-191a-11ea-8829-08002749d99b}.dat", "ssdeep": null, "size": 4608, "sha512": "f0dad68bf14af44d6afbc236481a27699cf2b04226f97ded5f91a8d66468cc1e60f1520e848e0d92cb5e4cdda2e8a33b36ae8774c498ee63075dc5263aaba8df", "pids": [ 2816 ], "md5": "e667f08390c16abadc3a0d39d40c651a" }, { "yara": [], "sha1": "42464c70fc16f3f361c2419751acd57d51613cdf", "name": "bee0439fcf31de76_navcancl[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "type": "HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators", "sha256": "bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228", "urls": [], "crc32": "912EA90C", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/bee0439fcf31de76_navcancl[1]", "ssdeep": null, "size": 2713, "sha512": "bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e", "pids": [ 300 ], "md5": "4bcfe9f8db04948cddb5e31fe6a7f984" }, { "yara": [], "sha1": "f4eda06901edb98633a686b11d02f4925f827bf0", "name": "8d018639281b33da_errorpagetemplate[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", "type": "UTF-8 Unicode (with BOM) text, with CRLF line terminators", "sha256": "8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f", "urls": [], "crc32": "E6FF242A", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/8d018639281b33da_errorpagetemplate[1]", "ssdeep": null, 
"size": 2168, "sha512": "62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436", "pids": [ 300 ], "md5": "f4fe1cb77e758e1ba56b8a8ec20417c5" }, { "yara": [], "sha1": "51f5fc61d8bf19100df0f8aadaa57fcd9c086255", "name": "1471693be91e53c2_background_gradient[1]", "filepath": "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]", "type": "JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3", "sha256": "1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b", "urls": [], "crc32": "C2D0CE77", "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4105\/files\/1471693be91e53c2_background_gradient[1]", "ssdeep": null, "size": 453, "sha512": "5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a", "pids": [ 300 ], "md5": "20f0110ed5e4e0d5384a496e4880139b" } ]
[ { "process_path": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "process_name": "iexplore.exe", "pid": 2816, "summary": { "downloads_file": [ "http:\/\/www.bing.com\/favicon.ico" ], "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{6D1BA4D8-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFA5A0D94A770D735A.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFB7D328EFB3E4474D.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7CCCC34AB54D59F2.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7563FAB57D9DEE23.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF9C8E1DFF136E57FF.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{6D1BA4D9-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF0F937188DA6ED68E.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFA4387CDD54E65835.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFDC12BDD23AFAC58F.TMP" ], "file_recreated": [ "\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "\\??\\MountPointManager", "\\??\\C:", "\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "\\??\\Nsi", "\\Device\\Afd\\Endpoint" ], "dll_loaded": [ "IEFRAME.dll", "C:\\Windows\\System32\\fwpuclnt.dll", "sensapi.dll", "urlmon.dll", "C:\\Windows\\System32\\mswsock.dll", "msfeeds.dll", "dhcpcsvc.DLL", "rasadhlp.dll", "Shell32.dll", "kernel32.dll", "comdlg32.dll", "C:\\Windows\\System32\\wshtcpip.dll", "C:\\Windows\\system32\\ole32.dll", "dwmapi.dll", "NTDLL.DLL", 
"shlwapi.dll", "C:\\Windows\\system32\\napinsp.dll", "iphlpapi", "UxTheme.dll", "ntmarta.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "C:\\Program Files\\Internet Explorer\\ieproxy.dll", "PROPSYS.dll", "WININET.dll", "C:\\Windows\\System32\\wship6.dll", "dnsapi", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "DHCPCSVC.DLL", "OLEAUT32.DLL", "SspiCli.dll", "ole32.dll", "USER32.dll", "IMM32.dll", "C:\\Program Files\\Internet Explorer\\sqmapi.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "C:\\Windows\\system32\\pnrpnsp.dll", "RASMAN.DLL", "msctf.dll", "rtutils.dll", "IPHLPAPI.DLL", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "wininet.dll", "C:\\Windows\\system32\\actxprxy.dll", "apphelp.dll", "SHELL32.DLL", "C:\\Windows\\system32\\xmllite.dll", "RASAPI32.dll", "OLEAUT32.dll", "profapi.dll", "SHELL32.dll", "RPCRT4.dll", "DNSAPI.dll", "C:\\Windows\\System32\\winrnr.dll", "IEUI.dll", "comctl32.dll", "C:\\Windows\\system32\\oleaut32.dll", "C:\\Windows\\system32\\NLAapi.dll", "C:\\Windows\\system32\\IEUI.dll", "VERSION.dll", "ws2_32", "MLANG.dll", "UXTHEME.DLL", "dhcpcsvc6.DLL", "C:\\Windows\\system32\\mswsock.dll", "SXS.DLL", "ADVAPI32.dll", "rpcrt4.dll", "advapi32", "SETUPAPI.dll", "WS2_32.dll", "C:\\Windows\\system32\\MSCTF.dll", "user32.dll", "MSIMG32.dll" ], "file_opened": [ "C:\\Users\\cuck\\Favorites\\Links", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\FeedsStore.feedsdb-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", "C:\\", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low\\", "C:\\Windows\\System32\\en-US\\MSCTF.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized\\", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows", "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\Windows\\System32\\shell32.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", "C:\\Windows\\System32\\wininet.dll", "C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\cuck\\Favorites\\desktop.ini", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\", "C:\\Windows\\System32\\url.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat", "C:\\Windows\\System32\\ieframe.dll", "C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\", "C:\\Users\\cuck\\AppData\\Roaming\\", "C:\\Windows\\System32\\en-US\\urlmon.dll.mui", "C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", "C:\\Users\\cuck\\Favorites\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", "C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", "C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url", "C:\\Windows\\System32\\stdole2.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low", "C:\\Windows\\Fonts\\staticcache.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat", "C:\\Users\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\", "C:\\Users", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", "C:\\Users\\desktop.ini", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\", "C:\\Users\\cuck", "C:\\Users\\cuck\\Favorites\\Links\\desktop.ini", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\", "C:\\Users\\cuck\\Favorites", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\", "C:\\Users\\cuck\\AppData\\", "C:\\Windows\\System32\\ras\\", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\Desktop", "C:\\Users\\cuck\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\", "C:\\Users\\cuck\\AppData\\Local\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\" ], "command_line": [ "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2816 CREDAT:14337" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF7CCCC34AB54D59F2.TMP", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{6D1BA4D9-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{6D1BA4D8-191A-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", 
"C:\\Users\\cuck\\AppData\\Local\\Temp\\~DFA5A0D94A770D735A.TMP" ], "file_failed": [ "\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (6D1BA4D7-191A-11EA-8829-08002749D99B, 0)", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", "\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\Favorites", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", "\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", "\\Sessions\\1\\BaseNamedObjects\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows", "\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", "\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", "\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "C:\\Users\\cuck\\AppData\\Local\\Microsoft", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds", "\\Device\\RasAcd", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files" ], "guid": [ "{6f237df9-9ddb-47ad-b218-400d54c286ad}", "{c43dc798-95d1-4bea-9030-bb99e2983a1a}", "{f5078f32-c551-11d3-89b9-0000f81fe221}", "{06eee834-461c-42c2-8dcf-1502b527b1f9}", "{00020420-0000-0000-c000-000000000046}", "{6e26e776-04f0-495d-80e4-3330352e3169}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}", "{465a756d-45ad-4305-85fd-d3321650f3b7}", "{00000146-0000-0000-c000-000000000046}", "{4516cee1-97da-4030-a444-2d8e296b96b6}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{fbf23b40-e3f0-101b-8488-00aa003e56f8}", "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}", "{00000323-0000-0000-c000-000000000046}", "{0000010b-0000-0000-c000-000000000046}", "{56fdf344-fd6d-11d0-958a-006097c9a090}", "{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}", "{2933bf81-7b36-11d2-b20e-00c04f983e60}", "{00021500-0000-0000-c000-000000000046}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{00000109-0000-0000-c000-000000000046}" ] }, "first_seen": 1575744788.59375, "ppid": 2016 }, { "process_path": "C:\\Program Files\\Internet Explorer\\iexplore.exe", "process_name": "iexplore.exe", "pid": 300, "summary": { "file_created": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]" ], "file_recreated": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "\\??\\C:", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "\\??\\MountPointManager", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]", "\\??\\STORAGE#Volume#{3f5cc1b2-70f9-11e8-b07b-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]", "\\Device\\NetBT_Tcpip_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "\\Device\\Afd\\Endpoint", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", 
"\\DEVICE\\NETBT_TCPIP_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "\\??\\Nsi" ], "dll_loaded": [ "IEFRAME.dll", "C:\\Windows\\System32\\fwpuclnt.dll", "gdiplus.dll", "sensapi.dll", "urlmon.dll", "mshtml.dll", "C:\\Windows\\System32\\mswsock.dll", "apphelp.dll", "dhcpcsvc.DLL", "rasadhlp.dll", "Shell32.dll", "kernel32.dll", "API-MS-Win-Security-SDDL-L1-1-0.dll", "CRYPTBASE.dll", "C:\\Windows\\system32\\rsaenh.dll", "C:\\Windows\\system32\\ole32.dll", "IEShims.dll", "dwmapi.dll", "C:\\Windows\\system32\\msimg32.dll", "shlwapi.dll", "C:\\Windows\\system32\\napinsp.dll", "USER32.DLL", "iphlpapi", "ImgUtil.dll", "ntmarta.dll", "C:\\Windows\\system32\\Msimtf.dll", "API-MS-WIN-Service-Management-L1-1-0.dll", "C:\\Program Files\\Internet Explorer\\ieproxy.dll", "PROPSYS.dll", "WININET.dll", "C:\\Windows\\System32\\wship6.dll", "dnsapi", "API-MS-Win-Core-LocalRegistry-L1-1-0.dll", "DHCPCSVC.DLL", "OLEACC.DLL", "SspiCli.dll", "C:\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll", "C:\\Windows\\system32\\Oleacc.dll", "ole32.dll", "CRYPTSP.dll", "USER32.dll", "OLEAUT32.DLL", "C:\\Program Files\\Internet Explorer\\sqmapi.dll", "comdlg32.dll", "C:\\Windows\\system32\\pnrpnsp.dll", "MLANG.dll", "rtutils.dll", "IPHLPAPI.DLL", "API-MS-WIN-Service-winsvc-L1-1-0.dll", "wininet.dll", "C:\\Windows\\system32\\actxprxy.dll", "IMM32.dll", "DWMAPI.DLL", "RASAPI32.dll", "OLEAUT32.dll", "profapi.dll", "SHELL32.dll", "RPCRT4.dll", "DNSAPI.dll", "C:\\Windows\\System32\\winrnr.dll", "C:\\Windows\\System32\\wshtcpip.dll", "comctl32.dll", "C:\\Windows\\system32\\oleaut32.dll", "OLEAUT32", "C:\\Windows\\system32\\NLAapi.dll", "RASMAN.DLL", "VERSION.dll", "RpcRtRemote.dll", "ws2_32", "dhcpcsvc6.DLL", "UxTheme.dll", "Normaliz.dll", "C:\\Windows\\system32\\mswsock.dll", "SXS.DLL", "ADVAPI32.dll", "rpcrt4.dll", "advapi32", "SETUPAPI.dll", "WS2_32.dll", "C:\\Windows\\system32\\MSCTF.dll", "user32.dll", "oleaut32.dll" ], "file_opened": [ 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "C:\\", "C:\\Users\\cuck\\AppData", "C:\\Windows\\System32\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\Users\\cuck\\", "C:\\Windows\\WindowsShell.manifest", "C:\\Windows\\System32\\ras\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat", "C:\\Users\\cuck\\AppData\\Local\\Temp\\c74c55275b31d27b3baf92d91ebf08c600780abc1f66a9bc22ec2dc63ea49c1f.bin.html", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Windows\\System32\\en-US\\MSCTF.dll.mui", "C:\\Windows\\", "C:\\Windows\\System32\\en-US\\urlmon.dll.mui", "C:\\Windows\\System32\\en-US\\jscript.dll.mui", "C:\\Users\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Local\\Temp\\", "C:\\Users", "C:\\Users\\cuck\\AppData\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\", "C:\\Users\\cuck\\Desktop\\desktop.ini", "C:\\Windows\\System32\\shell32.dll", "C:\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac", "C:\\Users\\desktop.ini", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\", "C:\\Windows\\System32\\stdole2.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local", "C:\\Windows\\System32\\wininet.dll", "C:\\Windows\\System32\\oleaccrc.dll", "C:\\Users\\cuck\\Favorites\\desktop.ini", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat", "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\", "C:\\Windows\\Fonts\\staticcache.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", "C:\\Windows\\System32\\rsaenh.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat", "C:\\Windows\\System32\\ieframe.dll", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\dnserror[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\bullet[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\httpErrorPagesScripts[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\info_48[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\navcancl[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\background_gradient[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\noConnect[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\httpErrorPagesScripts[1]", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\errorPageStrings[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\EIDFNJNY\\favcenter[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\I6GMLZZB\\down[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\tools[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\QQUHP74Z\\ErrorPageTemplate[1]", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\SHYNOLTK\\background_gradient[1]" ], "file_failed": [ "\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "\\Device\\RasAcd", "\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\media\\shared\\info\\index\\_hm\\", "C:\\media\\shared\\general\\_hm\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "UNC\\www.hostmonster.com\\media\\shared\\general\\_hm\\", "C:\\Users\\cuck", "C:\\media\\shared\\general\\jquery\\", "\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files", "\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "UNC\\www.hostmonster.com\\media\\shared\\info\\index\\_hm\\", "C:\\Users\\cuck\\AppData\\Local", "C:\\media\\shared\\general\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies" ], "guid": [ "{6a01fda0-30df-11d0-b724-00aa006c1a01}", "{00000146-0000-0000-c000-000000000046}", "{9ba05972-f6a8-11cf-a442-00a0c90a8f39}", 
"{25336920-03f9-11cf-8fd0-00aa00686f13}", "{a3ccedf7-2de2-11d0-86f4-00a0c913f750}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}", "{4ef17940-30e0-11d0-b724-00aa006c1a01}", "{6e89f8e2-9a2a-4797-9b91-41146bdf0e7b}", "{3050f4cf-98b5-11cf-bb82-00aa00bdce0b}", "{6c736dc1-ab0d-11d0-a2ad-00a0c90f27e8}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{a3ccedf3-2de2-11d0-86f4-00a0c913f750}", "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}", "{871c5380-42a0-1069-a2ea-08002b30309d}", "{000214e6-0000-0000-c000-000000000046}", "{00000001-0000-0000-c000-000000000046}", "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}", "{d9e89500-30fa-11d0-b724-00aa006c1a01}", "{00000323-0000-0000-c000-000000000046}", "{e7e4bc40-e76a-11ce-a9bb-00aa004ae837}", "{85cb6900-4d95-11cf-960c-0080c7f4ee85}", "{3050f429-98b5-11cf-bb82-00aa00bdce0b}", "{8856f961-340a-11d0-a96b-00c04fd705a2}", "{79eac9ef-baf9-11ce-8c82-00aa004ba90b}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{50d5107a-d278-4871-8989-f4ceaaf59cfc}", "{7b8a2d95-0ac9-11d1-896c-00c04fb6bfc4}", "{bb1a2ae1-a4f9-11cf-8f20-00805f2cd064}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{30c3b080-30fb-11d0-b724-00aa006c1a01}", "{6c736db1-bd94-11d0-8a23-00aa00b58e10}", "{3050f406-98b5-11cf-bb82-00aa00bdce0b}", "{08c0e040-62d1-11d1-9326-0060b067b86e}", "{e569bde7-a8dc-47f3-893f-fd2b31b3eefd}" ] }, "first_seen": 1575744790.968626, "ppid": 2816 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1575744788.328125, "ppid": 376 } ]
[ { "markcount": 1, "families": [], "description": "Executes javascript", "severity": 2, "marks": [ { "call": { "category": "iexplore", "status": 1, "stacktrace": [], "api": "COleScript_Compile", "return_value": 0, "arguments": { "type": "JScript - window script block", "script": " if (window.top !== window.self) {document.write = \"\";window.top.location = window.self.location; setTimeout(function(){document.body.innerHTML='';},1);window.self.onload=function(evt){document.body.innerHTML='';};} " }, "time": 1575744796.718626, "tid": 2248, "flags": {} }, "pid": 300, "type": "call", "cid": 513 } ], "references": [], "name": "js_eval" }, { "markcount": 45, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000000005fff0000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 65 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 66 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, 
"stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 67 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 68 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 69 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 70 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": 
"0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 71 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778cd000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 72 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 73 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778d4000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 74 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1575744788.87475, "tid": 
2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 75 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000007fefc360000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2816, "type": "call", "cid": 76 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 77 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 78 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff8c4000" }, "time": 1575744788.87475, "tid": 2420, "flags": { 
"protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 79 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefe0c1000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 80 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778c0000" }, "time": 1575744788.87475, "tid": 2420, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2816, "type": "call", "cid": 81 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2816, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x0000000002bc0000" }, "time": 1575744789.45275, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 2816, "type": "call", "cid": 612 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000000005fff0000" }, "time": 1575744791.061626, "tid": 2860, 
"flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 300, "type": "call", "cid": 17 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 18 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 19 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 20 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, 
"pid": 300, "type": "call", "cid": 21 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 22 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 23 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778cd000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 24 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 25 }, { "call": { "category": "process", "status": 1, 
"stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778d4000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 26 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 27 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000007fefc360000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 300, "type": "call", "cid": 28 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 29 }, { "call": { "category": "process", "status": 1, "stacktrace": [], 
"api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 30 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff8c4000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 31 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefe0c1000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 32 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778c0000" }, "time": 1575744791.061626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 33 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, 
"stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feffa17000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 34 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778bf000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 35 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778bd000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 36 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778bb000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 37 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, 
"process_handle": "0xffffffffffffffff", "base_address": "0x000007feffb47000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 38 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff864000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 39 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff861000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 40 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff866000" }, "time": 1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 41 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff861000" }, "time": 
1575744791.077626, "tid": 2860, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 300, "type": "call", "cid": 42 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 300, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x0000000002c40000" }, "time": 1575744791.296626, "tid": 2248, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 300, "type": "call", "cid": 175 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 1, "families": [], "description": "Uses Windows utilities for basic Windows functionality", "severity": 2, "marks": [ { "category": "cmdline", "ioc": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2816 CREDAT:14337", "type": "ioc", "description": null } ], "references": [ "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html" ], "name": "uses_windows_utilities" }, { "markcount": 1, "families": [], "description": "Dynamically creates an iframe element", "severity": 3, "marks": [ { "call": { "category": "iexplore", "status": 1, "stacktrace": [], "api": "CIFrameElement_CreateElement", "return_value": 0, "arguments": { "attributes": { "src": "http:\/\/www.iyfubh.com\/?dn=topjogosonline.com&pid=9POW7N968", "height": "800", "width": "100%", "scrolling": "no", "id": "ad_frame", "frameborder": "1" } }, "time": 1575744796.811626, "tid": 2248, "flags": {} }, "pid": 300, "type": "call", "cid": 561 } ], "references": [], "name": "js_iframe" }, { "markcount": 2, "families": [], "description": "Resumed a suspended thread in a remote process potentially indicative of process injection", "severity": 3, "marks": [ { "category": "Process injection", "ioc": "Process 2816 resumed a thread in remote process 300", "type": 
"ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x000000000000052c", "suspend_count": 1, "process_identifier": 300 }, "time": 1575744790.74975, "tid": 2420, "flags": {} }, "pid": 2816, "type": "call", "cid": 761 } ], "references": [ "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "name": "injection_resumethread" } ]
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 546, "time": 3.088124990463257, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 9114, "time": 9.079010009765625, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10958, "time": 5.084568977355957, "dport": 5355, "sport": 49840 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 11278, "time": 2.9398200511932373, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 11598, "time": 1.045140027999878, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 11926, "time": 3.0268170833587646, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 12254, "time": 1.5492939949035645, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 12582, "time": -0.09076189994812012, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 12910, "time": 3.042314052581787, "dport": 5355, "sport": 55880 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 13238, "time": 1.5631918907165527, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 32648, "time": 1.0767879486083984, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 41032, "time": 3.1416170597076416, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "f8118829cdd3895e523595420b19e9b21a0b0c3a27cd514e38a49876e0148bf7", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "0080eba8ffdc931046073a1218fac5c32f7ce0c8fccf035201dc659f10fc4520", "irc": [], "https_ex": [] }
Property | Value |
---|---|
MD5 | 54e50352ea833c54ded840263735b628 |
SHA256 | c74c55275b31d27b3baf92d91ebf08c600780abc1f66a9bc22ec2dc63ea49c1f |
These are some of the error messages that can appear related to crazymonsters.exe:
crazymonsters.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
crazymonsters.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
crazymonsters.exe has stopped working.
End Program - crazymonsters.exe. This program is not responding.
crazymonsters.exe is not a valid Win32 application.
crazymonsters.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.