vonunov

Vo · @vonunov

15th Dec 2014 from TwitLonger

@Karishad Ran procmon against chrome.exe while accessing furaffinity.com. The same CloudFlare DDoS protection page was seen. MSE didn't alert but it's out of date on that box anyway.

These can be opened in procmon.exe from live.sysinternals.com

[7.1MB] http://vonunov.nu/fa/all.csv

Let's filter for CreateFile operation (which, mind, also includes opening existing files, so we really need to look at the Disposition and OpenResult).

[257KB] http://vonunov.nu/fa/createfile.csv

Looks fairly routine here, though there is:

"12:34:11.7921906 PM","chrome.exe","3180","CreateFile","C:\Users\Althrin\AppData\Local\Temp\etilqs_grdli5rLmY07tdw","SUCCESS","Desired Access: Generic Read/Write, Delete, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Delete On Close, Attributes: HT, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"

(This is an example of an actual file creation).

The file didn't exist in the filesystem when I went to check for it. Not unusual for malware to run and delete the original file, so let's check that nothing else is happening:

[7.1KB] http://vonunov.nu/fa/etilqs.csv

And just to verify:

https://duckduckgo.com/?q=etilqs

(And now we realize what 'etilqs' spells backward and we feel dumb and go for more coffee.)

No unexpected processes were found in a ps^H^H task manager check.

This isn't the same as starting with a clean VM and thoroughly monitoring for changes, but as far as this goes, I don't see anything interesting happening.

Anyone experiencing otherwise should check for browser or DNS hijacking, other local malware, the usual.

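The filtering step above (CreateFile also covers opens of existing files, so Disposition and OpenResult decide what really happened, and Delete On Close explains why a created file is gone by the time you look) can be scripted against a procmon CSV export. The script below is an added example, not part of the post and not the author's tooling. It assumes procmon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the first sample row is the line quoted in the post, the remaining rows are constructed here to show an existing-file open, a persistent creation, a failed open and a non-file operation. The "etilqs_" prefix is SQLite's Windows temp-file prefix ("sqlite" reversed), which is what the post's search turned up.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export with the default columns.
# Row 1 is the CreateFile line quoted in the post; rows 2-5 are made up here
# (example paths, not from the author's capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:34:11.7921906 PM","chrome.exe","3180","CreateFile","C:\Users\Althrin\AppData\Local\Temp\etilqs_grdli5rLmY07tdw","SUCCESS","Desired Access: Generic Read/Write, Delete, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Delete On Close, Attributes: HT, ShareMode: Read, Write, AllocationSize: 0, OpenResult: Created"
"12:34:11.8001234 PM","chrome.exe","3180","CreateFile","C:\Users\Althrin\AppData\Local\Google\Chrome\User Data\Default\Cookies","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"12:34:12.0101010 PM","chrome.exe","3180","CreateFile","C:\Users\Althrin\AppData\Local\Temp\example_persistent.tmp","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"12:34:12.0202020 PM","chrome.exe","3180","CreateFile","C:\Users\Althrin\AppData\Local\Temp\missing.dat","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
"12:34:12.0303030 PM","chrome.exe","3180","RegOpenKey","HKLM\SOFTWARE\Policies\Google\Chrome","NAME NOT FOUND","Desired Access: Read"
'''

# SQLite names its Windows temp files "etilqs_<random>" ("sqlite" reversed).
SQLITE_TEMP_PREFIX = "etilqs_"

# The Detail column is "Key: value, Key: value, ...", but values themselves
# contain ", " (e.g. "Generic Read/Write, Delete"), so only split where the
# next token looks like a key ("Some Key: ").
_KEY_SPLIT = re.compile(r', (?=[A-Za-z][A-Za-z ]*: )')


def parse_detail(detail):
    """Turn procmon's Detail string into a {key: value} dict."""
    fields = {}
    for part in _KEY_SPLIT.split(detail):
        key, sep, value = part.partition(': ')
        if sep:
            fields[key] = value
    return fields


def real_creations(csv_text):
    """Return successful CreateFile events whose OpenResult says a file was created.

    Disposition is what the caller asked for (Create, Open, OpenIf, ...);
    OpenResult is what the filesystem actually did, so that is the field to key on.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue
        detail = parse_detail(row["Detail"])
        if detail.get("OpenResult") != "Created":
            continue
        name = row["Path"].rsplit("\\", 1)[-1]
        hits.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "path": row["Path"],
            "disposition": detail.get("Disposition"),
            # Delete On Close: the file vanishes when the last handle closes,
            # which is why it is not on disk when you go looking for it.
            "delete_on_close": "Delete On Close" in detail.get("Options", ""),
            "sqlite_temp": name.startswith(SQLITE_TEMP_PREFIX),
        })
    return hits


def verdict(hit):
    """One-line triage note for a creation event."""
    if hit["sqlite_temp"]:
        return "expected: SQLite temp file" + (", deleted on close" if hit["delete_on_close"] else "")
    if hit["delete_on_close"]:
        return "transient file (Delete On Close): check what wrote it"
    return "persists on disk: verify the file and its writer"


if __name__ == "__main__":
    for hit in real_creations(SAMPLE_CSV):
        print(f'{hit["time"]} {hit["process"]}[{hit["pid"]}] {hit["path"]}')
        print(f'    Disposition: {hit["disposition"]}  ->  {verdict(hit)}')
```

Against a full export like all.csv, replace SAMPLE_CSV with the file contents; a real capture will also contain Disposition: Open rows with OpenResult: Opened, which this filter drops, and OpenIf/OverwriteIf rows where only OpenResult tells you whether anything new was written.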