was001.exe is usually located in the 'c:\downloads\' folder.
None of the anti-virus scanners at VirusTotal reports anything malicious about was001.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
was001.exe is not signed.
None of the 60 anti-virus programs at VirusTotal detected the was001.exe file.
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
"C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\", "C:\\Users\\cuck\\AppData\\Roaming\\", "C:\\Windows\\System32\\en-US\\urlmon.dll.mui", "C:\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3", "C:\\Users\\cuck\\Favorites\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", "C:\\Users\\cuck\\Favorites\\Links\\Suggested Sites.url", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\Favorites\\Links for United States\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Web Slice Gallery~.feed-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", "C:\\Users\\cuck\\Favorites\\Microsoft Websites\\IE site on Microsoft.com.url", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\", "C:\\Windows\\System32\\stdole2.tlb", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low", "C:\\Windows\\Fonts\\staticcache.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db", "C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Spaces.url", "C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Autos.url", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\frameiconcache.dat", "C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Sports.url", "C:\\Users\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@www.bing[1].txt", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\", "C:\\Users", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\", "C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft At Work.url", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", "C:\\Users\\desktop.ini", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\", "C:\\Users\\cuck", "C:\\Users\\cuck\\Favorites\\Links\\Web Slice Gallery.url", "C:\\Users\\cuck\\Favorites\\Links\\desktop.ini", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\cuck@bing[1].txt", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\", "C:\\Users\\cuck\\Favorites", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\Favorites\\Microsoft Websites\\", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~\\Suggested Sites~.feed-ms", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\index.dat", "C:\\Users\\cuck\\Favorites\\Windows Live\\Get Windows Live.url", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\", "C:\\Users\\cuck\\AppData\\", "C:\\Windows\\System32\\ras\\", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Mail.url", "C:\\Users\\cuck\\Desktop", "C:\\Users\\cuck\\", "C:\\Users\\cuck\\Favorites\\Microsoft Websites\\IE Add-on 
site.url", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", "C:\\Users\\cuck\\Favorites\\Microsoft Websites\\Microsoft At Home.url", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\", "C:\\Users\\cuck\\Favorites\\Links for United States\\USA.gov.url", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\", "C:\\Users\\cuck\\Favorites\\Links for United States\\GobiernoUSA.gov.url", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\", "C:\\Users\\cuck\\Favorites\\Windows Live\\Windows Live Gallery.url", "C:\\Users\\cuck\\AppData\\Local\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds Cache\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft", "C:\\Users\\cuck\\Favorites\\MSN Websites\\MSN Money.url" ], "command_line": [ "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2740 CREDAT:14337" ], "file_written": [ "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF50A6BB6F8810D9DF.TMP", "C:\\Users\\cuck\\AppData\\Local\\Temp\\~DF1B972853F219E482.TMP", "C:\\Users\\cuck\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\RecoveryStore.{AD3B300C-0F9B-11EA-8829-08002749D99B}.dat", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Internet Explorer\\Recovery\\High\\Active\\{AD3B300D-0F9B-11EA-8829-08002749D99B}.dat" ], "file_failed": [ "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds\\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\\WebSlices~", "\\Device\\NetBT_Tcpip6_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\Users\\cuck\\AppData", "C:\\Users\\cuck\\Favorites", 
"C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", "\\DEVICE\\NETBT_TCPIP_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "\\Device\\NetBT_Tcpip_{AEFD33F3-CC73-4821-AD44-6915063E7FB1}", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019040920190410\\", "\\Sessions\\1\\BaseNamedObjects\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Virtualized", "\\Sessions\\1\\BaseNamedObjects\\Isolation Signal Registry (AD3B300B-0F9B-11EA-8829-08002749D99B, 0)", "C:\\Users\\cuck\\AppData\\Roaming", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows", "\\Device\\NetBT_Tcpip6_{EF381EA0-4D07-418D-A490-68AF67CE948B}", "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", "\\Device\\NetBT_Tcpip6_{46C6AD23-CFC8-4177-B38F-6C28F239EB0D}", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", "\\DEVICE\\NETBT_TCPIP_{846EE342-7039-11DE-9D20-806E6F6E6963}", "C:\\Users", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History", "C:\\Users\\cuck\\AppData\\Local\\Microsoft", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Caches", "C:\\Users\\cuck", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\History\\Low", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Low", "C:\\Users\\cuck\\AppData\\Local\\Temp", "C:\\Users\\cuck\\AppData\\Local", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", "C:\\Users\\cuck\\AppData\\Local\\Temp\\Low", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft", "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", 
"C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Feeds", "\\Device\\RasAcd", "C:\\Users\\cuck\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files" ], "guid": [ "{6f237df9-9ddb-47ad-b218-400d54c286ad}", "{c43dc798-95d1-4bea-9030-bb99e2983a1a}", "{04c18ccf-1f57-4cbd-88cc-3900f5195ce3}", "{06eee834-461c-42c2-8dcf-1502b527b1f9}", "{00020420-0000-0000-c000-000000000046}", "{6e26e776-04f0-495d-80e4-3330352e3169}", "{dcb00c01-570f-4a9b-8d69-199fdba5723b}", "{5762f2a7-4658-4c7a-a4ac-bdabfe154e0d}", "{465a756d-45ad-4305-85fd-d3321650f3b7}", "{00000146-0000-0000-c000-000000000046}", "{4516cee1-97da-4030-a444-2d8e296b96b6}", "{d0074ffd-570f-4a9b-8d69-199fdba5723b}", "{f5078f32-c551-11d3-89b9-0000f81fe221}", "{d5f569d0-593b-101a-b569-08002b2dbf7a}", "{fbf23b40-e3f0-101b-8488-00aa003e56f8}", "{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}", "{00000323-0000-0000-c000-000000000046}", "{0000010b-0000-0000-c000-000000000046}", "{56fdf344-fd6d-11d0-958a-006097c9a090}", "{b5f8350b-0548-48b1-a6ee-88bd00b4a5e7}", "{2933bf81-7b36-11d2-b20e-00c04f983e60}", "{00021500-0000-0000-c000-000000000046}", "{ab310581-ac80-11d1-8df3-00c04fb6ef69}", "{30766bd2-ea1c-4f28-bf27-0b44e2f68db7}", "{dcb00000-570f-4a9b-8d69-199fdba5723b}", "{7d096c5f-ac08-4f1f-beb7-5c22c517ce39}", "{a47979d2-c419-11d9-a5b4-001185ad2b89}", "{00000109-0000-0000-c000-000000000046}" ] }, "first_seen": 1574700789.625, "ppid": 1664 }, { "process_path": "C:\\Windows\\System32\\lsass.exe", "process_name": "lsass.exe", "pid": 476, "summary": {}, "first_seen": 1574700789.328125, "ppid": 376 } ]
[ { "markcount": 1, "families": [], "description": "Executes javascript", "severity": 2, "marks": [ { "call": { "category": "iexplore", "status": 0, "stacktrace": [], "last_error": 0, "nt_status": -1073741772, "api": "COleScript_Compile", "return_value": -2040119292, "arguments": { "type": "JScript - window script block", "script": "\n\nfunction menu(a)\n{\n if($(\"#menu_\"+a).is(\":visible\"))\n {\n src=\"<\/img>\";\n $(\"#sim_\"+a).html(src);\n $(\"#menu_\"+a).hide();\n }\n else\n {\n src=\"
<\/img>\";\n $(\"#sim_\"+a).html(src);\n $(\"#menu_\"+a).show();\n }\n}\n\nfunction ubah()\n{\n if($(\"#menu1\").is(\":visible\"))\n $(\"#menu1\").hide();\n else\n $(\"#menu1\").show();\n}\n\nfunction centerModal() {\n $(this).css('display', 'block');\n var $dialog = $(this).find(\".modal-dialog\");\n var offset = ($(window).height() - $dialog.height()) \/ 2;\n \/\/ Center modal vertically in window\n $dialog.css(\"margin-top\", offset);\n}\n\n\/*$('.modal').on('show.bs.modal', centerModal);*\/\n\/*$(window).on(\"resize\", function () {\n $('.modal:visible').each(centerModal);\n});*\/\n\n\nfunction fmenusearch(){\nif($('#myFilter').val()!='')\n{\n $.ajax({\n url: \"\/TSKS\/site-ajaxGetSearch\",\n type: \"GET\",\n data: 'id=' + $('#myFilter').val(),\n dataType: \"json\",\n cache: false,\n error: function() {\n alert(\"Approved\");\n \n },\n success: function(data){\n $('#menuAll').attr('hidden',true);\n $('#menuSearch').empty();\n $('#menuSearch').append(data.menu);\n },\n });\n}\nelse\n{\n $('#menuAll').attr('hidden',false);\n $('#menuSearch').empty();\n}\n}\n\nfunction submit()\n{\n alert(\"Message sent\");\n}\n" }, "time": 1574700792.609875, "tid": 1576, "flags": {} }, "pid": 2384, "type": "call", "cid": 348 } ], "references": [], "name": "js_eval" }, { "markcount": 45, "families": [], "description": "Allocates read-write-execute memory (usually to unpack itself)", "severity": 2, "marks": [ { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000000005fff0000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2740, "type": "call", "cid": 63 }, { "call": { "category": 
"process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 64 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 65 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 66 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 67 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, 
"arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 68 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 69 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778cd000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 70 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 71 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, 
"heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778d4000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 72 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 73 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000007fefc360000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2740, "type": "call", "cid": 74 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 75 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, 
"length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 76 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff8c4000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 77 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefe0c1000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 78 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778c0000" }, "time": 1574700789.891, "tid": 2436, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2740, "type": "call", "cid": 79 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2740, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 
4096, "base_address": "0x00000000028a0000" }, "time": 1574700790.485, "tid": 2260, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 2740, "type": "call", "cid": 602 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000000005fff0000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2384, "type": "call", "cid": 17 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 18 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 19 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, 
"process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 20 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 21 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 22 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x0000000077921000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 23 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778cd000" }, "time": 
1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 24 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 25 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778d4000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 26 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778f2000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 27 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 1, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 12288, "base_address": "0x000007fefc360000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": 
"PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT|MEM_RESERVE" } }, "pid": 2384, "type": "call", "cid": 28 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 29 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefc3b5000" }, "time": 1574700792.015875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 30 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff8c4000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 31 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007fefe0c1000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, 
"type": "call", "cid": 32 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778c0000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 33 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feffa17000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 34 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778bf000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 35 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778bd000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 36 }, { "call": { "category": "process", "status": 1, "stacktrace": 
[], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x00000000778bb000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 37 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feffb47000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 38 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff864000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 39 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff861000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 40 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { 
"process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff866000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 41 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtProtectVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "length": 4096, "protection": 64, "process_handle": "0xffffffffffffffff", "base_address": "0x000007feff861000" }, "time": 1574700792.030875, "tid": 2584, "flags": { "protection": "PAGE_EXECUTE_READWRITE" } }, "pid": 2384, "type": "call", "cid": 42 }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtAllocateVirtualMemory", "return_value": 0, "arguments": { "process_identifier": 2384, "region_size": 65536, "stack_dep_bypass": 0, "stack_pivoted": 0, "heap_dep_bypass": 0, "protection": 64, "process_handle": "0xffffffffffffffff", "allocation_type": 4096, "base_address": "0x00000000012c0000" }, "time": 1574700792.249875, "tid": 1576, "flags": { "protection": "PAGE_EXECUTE_READWRITE", "allocation_type": "MEM_COMMIT" } }, "pid": 2384, "type": "call", "cid": 174 } ], "references": [], "name": "allocates_rwx" }, { "markcount": 1, "families": [], "description": "Uses Windows utilities for basic Windows functionality", "severity": 2, "marks": [ { "category": "cmdline", "ioc": "\"C:\\Program Files\\Internet Explorer\\iexplore.exe\" SCODEF:2740 CREDAT:14337", "type": "ioc", "description": null } ], "references": [ "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html" ], "name": "uses_windows_utilities" }, { "markcount": 2, "families": [], "description": "Resumed a suspended thread in a remote process potentially indicative of process injection", "severity": 3, 
"marks": [ { "category": "Process injection", "ioc": "Process 2740 resumed a thread in remote process 2384", "type": "ioc", "description": null }, { "call": { "category": "process", "status": 1, "stacktrace": [], "api": "NtResumeThread", "return_value": 0, "arguments": { "thread_handle": "0x0000000000000518", "suspend_count": 1, "process_identifier": 2384 }, "time": 1574700791.75, "tid": 2436, "flags": {} }, "pid": 2740, "type": "call", "cid": 759 } ], "references": [ "www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process" ], "name": "injection_resumethread" } ]
The Yara rules did not detect anything in the file.
{ "tls": [], "udp": [ { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 546, "time": 3.0917539596557617, "dport": 137, "sport": 137 }, { "src": "192.168.56.101", "dst": "192.168.56.255", "offset": 7170, "time": 9.094604969024658, "dport": 138, "sport": 138 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9014, "time": 4.9390997886657715, "dport": 5355, "sport": 49840 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9334, "time": 2.982480764389038, "dport": 5355, "sport": 51001 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9654, "time": 1.0102319717407227, "dport": 5355, "sport": 53595 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 9982, "time": 3.0935678482055664, "dport": 5355, "sport": 53848 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10310, "time": 1.5203678607940674, "dport": 5355, "sport": 54255 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10638, "time": -0.09921622276306152, "dport": 5355, "sport": 55314 }, { "src": "192.168.56.101", "dst": "224.0.0.252", "offset": 10966, "time": 3.104592800140381, "dport": 5355, "sport": 55880 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 11294, "time": 1.0670759677886963, "dport": 1900, "sport": 1900 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 30704, "time": 1.031125783920288, "dport": 3702, "sport": 49152 }, { "src": "192.168.56.101", "dst": "239.255.255.250", "offset": 39088, "time": 3.1270089149475098, "dport": 1900, "sport": 53598 } ], "dns_servers": [], "http": [], "icmp": [], "smtp": [], "tcp": [], "smtp_ex": [], "mitm": [], "hosts": [], "pcap_sha256": "4748bfecbb908f2d774f45705a085dd88173376508297920e8d688e88b12ae87", "dns": [], "http_ex": [], "domains": [], "dead_hosts": [], "sorted_pcap_sha256": "684abd1c90cb8e9144d146d7101d8ea7284dbfeb13f21e5382e4277bfeb20e4e", "irc": [], "https_ex": [] }
Property | Value |
---|---|
MD5 | 2c20e6fb71dc17e1d2e3971d918d1525 |
SHA256 | 8ba425275bec986b9567578b7d519bcd461cb7fa89f516d8faf73b032a42dd97 |
These are some of the error messages that can appear related to was001.exe:
was001.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
was001.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
was001.exe has stopped working.
End Program - was001.exe. This program is not responding.
was001.exe is not a valid Win32 application.
was001.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with was001.exe:
If you feel that you need more information to determine if you should keep this file or remove it, please read this guide.
Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and lets you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.
If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.