spender-sandbox / cuckoo-modified

Modified edition of cuckoo

Removing stuck processing tasks #476

Closed DigiAngel closed 6 years ago

DigiAngel commented 6 years ago

So sometimes I'll have an odd malware that will never complete and the status remains in "processing". Is there an easy way to get rid of these? Thank you.

Nwinternights commented 6 years ago

Can you post the hash or where I can download the sample?

DigiAngel commented 6 years ago

b32fc54fd645cddfbb4307714cd1158d

emotet

Nwinternights commented 6 years ago

No problem at all. Processing time (74.644 seconds). Probably it gets stuck on network analysis because it does a lot of DNS queries. I suggest you move your request to the @doomedraven repository https://github.com/doomedraven/cuckoo-modified to pull down the latest changes (there's one for network analysis too). Same for community: https://github.com/doomedraven/community-modified. By the way, I suggest you open issues there. Regards

doomedraven commented 6 years ago

I can see issues here also ;)

Maybe if you post the processing log with debug, we would see where it gets stuck.

DigiAngel commented 6 years ago

Ah, that's just it... as soon as you select that item, you get "The analysis is not finished yet, it's still processing. This page will refresh every 30 seconds." That being said, the analysis.log shows this:

2017-07-30 22:59:00,000 [root] INFO: Date set to: 07-31-17, time set to: 04:59:00
2017-07-30 22:59:00,046 [root] DEBUG: Starting analyzer from: C:\jjowdf
2017-07-30 22:59:00,046 [root] DEBUG: Storing results at: C:\gEyUvfrfcX
2017-07-30 22:59:00,046 [root] DEBUG: Pipe server name: \\.\PIPE\TlvdpuvxtV
2017-07-30 22:59:00,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2017-07-30 22:59:00,046 [root] INFO: Automatically selected analysis package "exe"
2017-07-30 22:59:06,375 [root] DEBUG: Started auxiliary module Browser
2017-07-30 22:59:06,375 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2017-07-30 22:59:07,092 [modules.auxiliary.digisig] DEBUG: File is not signed.
2017-07-30 22:59:07,092 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2017-07-30 22:59:07,108 [root] DEBUG: Started auxiliary module DigiSig
2017-07-30 22:59:07,108 [root] DEBUG: Started auxiliary module Disguise
2017-07-30 22:59:07,108 [root] DEBUG: Started auxiliary module Human
2017-07-30 22:59:07,108 [root] DEBUG: Started auxiliary module Screenshots
2017-07-30 22:59:07,108 [root] DEBUG: Started auxiliary module Usage
2017-07-30 22:59:07,187 [lib.api.process] INFO: Successfully executed process from path "C:\Users\Steve\AppData\Local\Temp\vMP.exe" with arguments "" with pid 2216
2017-07-30 22:59:07,203 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 22:59:07,530 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2216
2017-07-30 22:59:09,530 [lib.api.process] INFO: Successfully resumed process with pid 2216
2017-07-30 22:59:09,530 [root] INFO: Added new process to list with pid: 2216
2017-07-30 22:59:09,592 [root] INFO: Cuckoomon successfully loaded in process with pid 2216.
2017-07-30 22:59:24,155 [root] INFO: Announced 32-bit process name: vMP.exe pid: 2284
2017-07-30 22:59:24,155 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 22:59:24,217 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2284
2017-07-30 22:59:24,233 [root] INFO: Disabling sleep skipping.
2017-07-30 22:59:24,233 [root] INFO: Announced 32-bit process name: vMP.exe pid: 2284
2017-07-30 22:59:24,233 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 22:59:24,312 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2284, error: -1
2017-07-30 22:59:24,358 [root] INFO: Notified of termination of process with pid 2216.
2017-07-30 22:59:24,608 [root] INFO: Disabling sleep skipping.
2017-07-30 22:59:26,530 [lib.api.process] INFO: Dumped 32-bit process with pid 2216
2017-07-30 22:59:27,562 [lib.api.process] INFO: Memory dump of process with pid 2216 completed
2017-07-30 22:59:27,562 [root] INFO: Added new process to list with pid: 2284
2017-07-30 22:59:27,562 [root] INFO: Cuckoomon successfully loaded in process with pid 2284.
2017-07-30 22:59:27,953 [root] INFO: Process with pid 2216 has terminated
2017-07-30 22:59:28,312 [root] INFO: Announced 32-bit process name: vMP.exe pid: 2404
2017-07-30 22:59:28,312 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 22:59:28,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2404
2017-07-30 22:59:28,687 [root] INFO: Disabling sleep skipping.
2017-07-30 22:59:28,750 [root] INFO: Added new process to list with pid: 2404
2017-07-30 22:59:28,750 [root] INFO: Cuckoomon successfully loaded in process with pid 2404.
2017-07-30 22:59:42,890 [root] INFO: Announced 32-bit process name: vMP.exe pid: 2472
2017-07-30 22:59:42,905 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 22:59:43,312 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2472
2017-07-30 22:59:43,342 [root] INFO: Announced 32-bit process name: vMP.exe pid: 2472
2017-07-30 22:59:43,342 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 22:59:43,703 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2472, error: -1
2017-07-30 22:59:43,905 [root] INFO: Notified of termination of process with pid 2404.
2017-07-30 22:59:44,062 [root] INFO: Disabling sleep skipping.
2017-07-30 22:59:45,717 [lib.api.process] INFO: Dumped 32-bit process with pid 2404
2017-07-30 22:59:46,703 [lib.api.process] INFO: Memory dump of process with pid 2404 completed
2017-07-30 22:59:46,733 [root] INFO: Added new process to list with pid: 2472
2017-07-30 22:59:46,733 [root] INFO: Cuckoomon successfully loaded in process with pid 2472.
2017-07-30 22:59:47,437 [root] INFO: Process with pid 2404 has terminated
2017-07-30 22:59:47,437 [root] INFO: Notified of termination of process with pid 2284.
2017-07-30 22:59:49,608 [lib.api.process] INFO: Dumped 32-bit process with pid 2284
2017-07-30 22:59:50,015 [lib.api.process] INFO: Memory dump of process with pid 2284 completed
2017-07-30 22:59:50,453 [root] INFO: Process with pid 2284 has terminated
2017-07-30 22:59:59,437 [root] INFO: Announced starting service "cardmsi"
2017-07-30 22:59:59,437 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-07-30 22:59:59,578 [root] INFO: Disabling sleep skipping.
2017-07-30 22:59:59,671 [root] INFO: Added new process to list with pid: 436
2017-07-30 22:59:59,671 [root] INFO: Cuckoomon successfully loaded in process with pid 436.
2017-07-30 23:00:00,592 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2868
2017-07-30 23:00:00,592 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:00,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2868
2017-07-30 23:00:00,733 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:00,828 [root] INFO: Added new process to list with pid: 2868
2017-07-30 23:00:00,828 [root] INFO: Cuckoomon successfully loaded in process with pid 2868.
2017-07-30 23:00:15,155 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2936
2017-07-30 23:00:15,155 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:15,467 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2936
2017-07-30 23:00:15,750 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2936
2017-07-30 23:00:15,750 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:15,937 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2936, error: -1
2017-07-30 23:00:16,203 [root] INFO: Notified of termination of process with pid 2868.
2017-07-30 23:00:16,265 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:17,483 [lib.api.process] INFO: Dumped 32-bit process with pid 2868
2017-07-30 23:00:18,530 [lib.api.process] INFO: Memory dump of process with pid 2868 completed
2017-07-30 23:00:18,562 [root] INFO: Added new process to list with pid: 2936
2017-07-30 23:00:18,578 [root] INFO: Cuckoomon successfully loaded in process with pid 2936.
2017-07-30 23:00:18,655 [root] WARNING: Unable to open termination event for pid 2868.
2017-07-30 23:00:18,717 [root] INFO: Notified of termination of process with pid 2472.
2017-07-30 23:00:21,655 [lib.api.process] INFO: Dumped 32-bit process with pid 2472
2017-07-30 23:00:22,328 [lib.api.process] INFO: Memory dump of process with pid 2472 completed
2017-07-30 23:00:22,328 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3084
2017-07-30 23:00:22,342 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:22,405 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3084
2017-07-30 23:00:22,421 [root] INFO: Announced 32-bit process name: mscorsvw.exe pid: 3104
2017-07-30 23:00:22,421 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:22,453 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:22,500 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3104
2017-07-30 23:00:22,500 [root] INFO: Added new process to list with pid: 3084
2017-07-30 23:00:22,500 [root] INFO: Cuckoomon successfully loaded in process with pid 3084.
2017-07-30 23:00:23,030 [root] INFO: Process with pid 2472 has terminated
2017-07-30 23:00:23,030 [root] INFO: Process with pid 2868 has terminated
2017-07-30 23:00:25,625 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:25,733 [root] INFO: Added new process to list with pid: 3104
2017-07-30 23:00:25,733 [root] INFO: Cuckoomon successfully loaded in process with pid 3104.
2017-07-30 23:00:25,875 [root] INFO: Announced 32-bit process name: svchost.exe pid: 3244
2017-07-30 23:00:25,875 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:26,092 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3244
2017-07-30 23:00:26,562 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:26,608 [root] INFO: Added new process to list with pid: 3244
2017-07-30 23:00:26,608 [root] INFO: Cuckoomon successfully loaded in process with pid 3244.
2017-07-30 23:00:26,812 [root] INFO: Notified of termination of process with pid 3104.
2017-07-30 23:00:28,467 [lib.api.process] INFO: Dumped 32-bit process with pid 3104
2017-07-30 23:00:28,967 [lib.api.process] INFO: Memory dump of process with pid 3104 completed
2017-07-30 23:00:28,983 [root] INFO: Announced 32-bit process name: sppsvc.exe pid: 3356
2017-07-30 23:00:29,000 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:29,108 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3356
2017-07-30 23:00:29,108 [root] INFO: Announced 32-bit process name: svchost.exe pid: 1040
2017-07-30 23:00:29,108 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:29,296 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:29,328 [root] INFO: Added new process to list with pid: 1040
2017-07-30 23:00:29,342 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:29,342 [root] INFO: Cuckoomon successfully loaded in process with pid 1040.
2017-07-30 23:00:29,390 [root] INFO: Added new process to list with pid: 3356
2017-07-30 23:00:29,390 [root] INFO: Cuckoomon successfully loaded in process with pid 3356.
2017-07-30 23:00:30,092 [root] INFO: Process with pid 3104 has terminated
2017-07-30 23:00:33,953 [root] INFO: Stopping Task Scheduler Service
2017-07-30 23:00:34,421 [root] INFO: Stopped Task Scheduler Service
2017-07-30 23:00:34,546 [root] INFO: Starting Task Scheduler Service
2017-07-30 23:00:34,733 [root] INFO: Started Task Scheduler Service
2017-07-30 23:00:34,937 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-07-30 23:00:35,687 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:35,937 [root] INFO: Added new process to list with pid: 820
2017-07-30 23:00:36,092 [root] INFO: Cuckoomon successfully loaded in process with pid 820.
2017-07-30 23:00:38,092 [root] INFO: Stopping WMI Service
2017-07-30 23:00:38,108 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1412
2017-07-30 23:00:38,453 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-07-30 23:00:38,905 [root] INFO: Added new file to list with path: C:\Windows\Temp\fwtsqmfile00.sqm
2017-07-30 23:00:39,390 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3560
2017-07-30 23:00:39,390 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:39,390 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:39,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3560
2017-07-30 23:00:39,578 [root] INFO: Announced 32-bit process name: explorer.exe pid: 1412
2017-07-30 23:00:39,608 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:40,108 [root] INFO: Added new process to list with pid: 1412
2017-07-30 23:00:40,108 [root] INFO: Cuckoomon successfully loaded in process with pid 1412.
2017-07-30 23:00:40,108 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3560
2017-07-30 23:00:40,125 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:40,405 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3560, error: -1
2017-07-30 23:00:40,625 [root] INFO: Notified of termination of process with pid 3084.
2017-07-30 23:00:40,703 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:41,108 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db
2017-07-30 23:00:41,187 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db
2017-07-30 23:00:41,217 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
2017-07-30 23:00:41,250 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1024.db
2017-07-30 23:00:41,328 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db
2017-07-30 23:00:41,983 [root] INFO: Added new file to list with path: C:\Users\Steve\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
2017-07-30 23:00:42,562 [lib.api.process] INFO: Dumped 32-bit process with pid 3084
2017-07-30 23:00:44,203 [lib.api.process] INFO: Memory dump of process with pid 3084 completed
2017-07-30 23:00:44,405 [root] INFO: Added new process to list with pid: 3560
2017-07-30 23:00:44,483 [root] INFO: Cuckoomon successfully loaded in process with pid 3560.
2017-07-30 23:00:45,000 [root] INFO: Process with pid 3084 has terminated
2017-07-30 23:00:45,375 [root] INFO: Notified of termination of process with pid 2936.
2017-07-30 23:00:46,358 [lib.api.process] INFO: Dumped 32-bit process with pid 2936
2017-07-30 23:00:46,750 [lib.api.process] INFO: Memory dump of process with pid 2936 completed
2017-07-30 23:00:47,015 [root] INFO: Process with pid 2936 has terminated
2017-07-30 23:00:56,155 [root] INFO: Stopped WMI Service
2017-07-30 23:00:56,780 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-07-30 23:00:56,858 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:56,905 [root] INFO: Added new process to list with pid: 572
2017-07-30 23:00:56,905 [root] INFO: Cuckoomon successfully loaded in process with pid 572.
2017-07-30 23:00:57,750 [root] INFO: Added new file to list with path: C:\Windows\System32\015F8493.exe
2017-07-30 23:00:58,000 [root] INFO: Announced 32-bit process name: 015F8493.exe pid: 232
2017-07-30 23:00:58,015 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:58,078 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 232
2017-07-30 23:00:58,155 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:58,203 [root] INFO: Added new process to list with pid: 232
2017-07-30 23:00:58,203 [root] INFO: Cuckoomon successfully loaded in process with pid 232.
2017-07-30 23:00:58,842 [root] INFO: Starting WMI Service
2017-07-30 23:00:58,953 [root] INFO: Announced 32-bit process name: svchost.exe pid: 1188
2017-07-30 23:00:58,953 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:00:59,046 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1188
2017-07-30 23:00:59,092 [root] INFO: Disabling sleep skipping.
2017-07-30 23:00:59,140 [root] INFO: Added new process to list with pid: 1188
2017-07-30 23:00:59,140 [root] INFO: Cuckoomon successfully loaded in process with pid 1188.
2017-07-30 23:01:01,217 [root] INFO: Started WMI Service
2017-07-30 23:01:01,233 [lib.api.process] DEBUG: Using CreateRemoteThread injection.
2017-07-30 23:01:22,296 [root] INFO: Announced 32-bit process name: 015F8493.exe pid: 672
2017-07-30 23:01:22,312 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:01:22,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 672
2017-07-30 23:01:22,687 [root] INFO: Announced 32-bit process name: 015F8493.exe pid: 672
2017-07-30 23:01:22,703 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:01:22,953 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 672, error: -1
2017-07-30 23:01:23,187 [root] INFO: Notified of termination of process with pid 232.
2017-07-30 23:01:23,217 [root] INFO: Disabling sleep skipping.
2017-07-30 23:01:24,217 [lib.api.process] INFO: Dumped 32-bit process with pid 232
2017-07-30 23:01:25,967 [lib.api.process] INFO: Memory dump of process with pid 232 completed
2017-07-30 23:01:25,983 [root] INFO: Added new process to list with pid: 672
2017-07-30 23:01:26,000 [root] INFO: Cuckoomon successfully loaded in process with pid 672.
2017-07-30 23:01:26,000 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 2648
2017-07-30 23:01:26,562 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:01:27,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2648
2017-07-30 23:01:27,421 [root] INFO: Announced 32-bit process name: 015F8493.exe pid: 176
2017-07-30 23:01:27,483 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:01:28,655 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 176
2017-07-30 23:01:29,233 [root] INFO: Disabling sleep skipping.
2017-07-30 23:01:29,342 [root] INFO: Added new process to list with pid: 176
2017-07-30 23:01:29,358 [root] INFO: Cuckoomon successfully loaded in process with pid 176.
2017-07-30 23:01:29,546 [root] INFO: Process with pid 232 has terminated
2017-07-30 23:01:30,250 [root] INFO: Disabling sleep skipping.
2017-07-30 23:01:30,546 [root] INFO: Added new process to list with pid: 2648
2017-07-30 23:01:30,655 [root] INFO: Cuckoomon successfully loaded in process with pid 2648.
2017-07-30 23:01:55,875 [root] INFO: Announced 32-bit process name: 015F8493.exe pid: 3024
2017-07-30 23:01:55,921 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:01:56,108 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3024
2017-07-30 23:01:56,187 [root] INFO: Announced 32-bit process name: 015F8493.exe pid: 3024
2017-07-30 23:01:56,187 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:01:56,750 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3024, error: -1
2017-07-30 23:01:56,967 [root] INFO: Notified of termination of process with pid 176.
2017-07-30 23:01:57,062 [root] INFO: Disabling sleep skipping.
2017-07-30 23:01:58,265 [lib.api.process] INFO: Dumped 32-bit process with pid 176
2017-07-30 23:02:00,217 [lib.api.process] INFO: Memory dump of process with pid 176 completed
2017-07-30 23:02:00,217 [root] INFO: Added new process to list with pid: 3024
2017-07-30 23:02:00,233 [root] INFO: Cuckoomon successfully loaded in process with pid 3024.
2017-07-30 23:02:01,092 [root] INFO: Notified of termination of process with pid 672.
2017-07-30 23:02:01,187 [root] INFO: Process with pid 176 has terminated
2017-07-30 23:02:02,625 [lib.api.process] INFO: Dumped 32-bit process with pid 672
2017-07-30 23:02:03,046 [lib.api.process] INFO: Memory dump of process with pid 672 completed
2017-07-30 23:02:03,125 [root] INFO: Notified of termination of process with pid 3560.
2017-07-30 23:02:05,875 [lib.api.process] INFO: Dumped 32-bit process with pid 3560
2017-07-30 23:02:06,875 [lib.api.process] INFO: Memory dump of process with pid 3560 completed
2017-07-30 23:02:07,750 [root] INFO: Process with pid 3560 has terminated
2017-07-30 23:02:07,765 [root] INFO: Process with pid 672 has terminated
2017-07-30 23:02:09,671 [root] INFO: Announced starting service "cardmsi"
2017-07-30 23:02:09,733 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3608
2017-07-30 23:02:09,750 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:02:09,828 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3608
2017-07-30 23:02:09,858 [root] INFO: Disabling sleep skipping.
2017-07-30 23:02:09,967 [root] INFO: Added new process to list with pid: 3608
2017-07-30 23:02:10,062 [root] INFO: Cuckoomon successfully loaded in process with pid 3608.
2017-07-30 23:02:25,328 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3672
2017-07-30 23:02:25,358 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:02:31,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3672
2017-07-30 23:02:31,717 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3672
2017-07-30 23:02:31,733 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:02:31,796 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3672, error: -1
2017-07-30 23:02:31,905 [root] INFO: Notified of termination of process with pid 3608.
2017-07-30 23:02:31,905 [root] INFO: Disabling sleep skipping.
2017-07-30 23:02:33,203 [lib.api.process] INFO: Dumped 32-bit process with pid 3608
2017-07-30 23:02:33,858 [lib.api.process] INFO: Memory dump of process with pid 3608 completed
2017-07-30 23:02:33,905 [root] INFO: Added new process to list with pid: 3672
2017-07-30 23:02:33,921 [root] INFO: Cuckoomon successfully loaded in process with pid 3672.
2017-07-30 23:02:34,483 [root] WARNING: Unable to open termination event for pid 3608.
2017-07-30 23:02:34,500 [root] INFO: Process with pid 3608 has terminated
2017-07-30 23:02:34,500 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 3948
2017-07-30 23:02:34,515 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:02:34,703 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3948
2017-07-30 23:02:34,703 [root] INFO: Notified of termination of process with pid 3024.
2017-07-30 23:02:34,750 [root] INFO: Disabling sleep skipping.
2017-07-30 23:02:36,530 [lib.api.process] INFO: Dumped 32-bit process with pid 3024
2017-07-30 23:02:37,358 [lib.api.process] INFO: Memory dump of process with pid 3024 completed
2017-07-30 23:02:37,375 [root] INFO: Added new process to list with pid: 3948
2017-07-30 23:02:37,405 [root] INFO: Cuckoomon successfully loaded in process with pid 3948.
2017-07-30 23:02:37,515 [root] INFO: Process with pid 3024 has terminated
2017-07-30 23:02:53,046 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 948
2017-07-30 23:02:53,078 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:02:54,937 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 948
2017-07-30 23:02:55,108 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 948
2017-07-30 23:02:55,467 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:02:55,655 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 948, error: -1
2017-07-30 23:02:55,905 [root] INFO: Notified of termination of process with pid 3948.
2017-07-30 23:02:55,967 [root] INFO: Disabling sleep skipping.
2017-07-30 23:02:58,640 [lib.api.process] INFO: Dumped 32-bit process with pid 3948
2017-07-30 23:02:59,842 [lib.api.process] INFO: Memory dump of process with pid 3948 completed
2017-07-30 23:02:59,842 [root] INFO: Added new process to list with pid: 948
2017-07-30 23:02:59,905 [root] INFO: Cuckoomon successfully loaded in process with pid 948.
2017-07-30 23:03:00,015 [root] INFO: Process with pid 3948 has terminated
2017-07-30 23:03:00,625 [root] INFO: Notified of termination of process with pid 3672.
2017-07-30 23:03:02,733 [lib.api.process] INFO: Dumped 32-bit process with pid 3672
2017-07-30 23:03:03,328 [lib.api.process] INFO: Memory dump of process with pid 3672 completed
2017-07-30 23:03:03,358 [root] INFO: Notified of termination of process with pid 2648.
2017-07-30 23:03:05,796 [lib.api.process] INFO: Dumped 32-bit process with pid 2648
2017-07-30 23:03:06,500 [lib.api.process] INFO: Memory dump of process with pid 2648 completed
2017-07-30 23:03:07,030 [root] INFO: Process with pid 2648 has terminated
2017-07-30 23:03:08,046 [root] INFO: Process with pid 3672 has terminated
2017-07-30 23:03:11,500 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2180
2017-07-30 23:03:11,515 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:11,640 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2180
2017-07-30 23:03:11,671 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2228
2017-07-30 23:03:11,687 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:11,750 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2228
2017-07-30 23:03:11,765 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2156
2017-07-30 23:03:11,780 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:11,858 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2156
2017-07-30 23:03:11,875 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2180
2017-07-30 23:03:11,890 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:12,000 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2180, error: -1
2017-07-30 23:03:12,015 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2228
2017-07-30 23:03:12,015 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:12,078 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2228, error: -1
2017-07-30 23:03:12,092 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2156
2017-07-30 23:03:12,125 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:12,250 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2156, error: -1
2017-07-30 23:03:12,390 [root] INFO: Disabling sleep skipping.
2017-07-30 23:03:12,421 [root] INFO: Disabling sleep skipping.
2017-07-30 23:03:12,515 [root] INFO: Added new process to list with pid: 2180
2017-07-30 23:03:12,530 [root] INFO: Disabling sleep skipping.
2017-07-30 23:03:12,546 [root] INFO: Cuckoomon successfully loaded in process with pid 2180.
2017-07-30 23:03:12,608 [root] INFO: Added new process to list with pid: 2228
2017-07-30 23:03:12,625 [root] INFO: Added new process to list with pid: 2156
2017-07-30 23:03:12,625 [root] INFO: Cuckoomon successfully loaded in process with pid 2228.
2017-07-30 23:03:12,655 [root] INFO: Cuckoomon successfully loaded in process with pid 2156.
2017-07-30 23:03:12,703 [root] INFO: Notified of termination of process with pid 2228.
2017-07-30 23:03:14,530 [lib.api.process] INFO: Dumped 32-bit process with pid 2228
2017-07-30 23:03:15,078 [lib.api.process] INFO: Memory dump of process with pid 2228 completed
2017-07-30 23:03:15,155 [root] INFO: Process with pid 2228 has terminated
2017-07-30 23:03:17,062 [root] INFO: Announced starting service "VaultSvc"
2017-07-30 23:03:17,125 [root] INFO: Announced 32-bit process name: lsass.exe pid: 1108
2017-07-30 23:03:17,125 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:03:17,217 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1108
2017-07-30 23:03:17,265 [root] INFO: Disabling sleep skipping.
2017-07-30 23:03:17,312 [root] INFO: Added new process to list with pid: 1108
2017-07-30 23:03:17,328 [root] INFO: Cuckoomon successfully loaded in process with pid 1108.
2017-07-30 23:03:22,812 [root] INFO: Notified of termination of process with pid 2180.
2017-07-30 23:03:24,265 [lib.api.process] INFO: Dumped 32-bit process with pid 2180
2017-07-30 23:03:25,015 [lib.api.process] INFO: Memory dump of process with pid 2180 completed
2017-07-30 23:03:25,296 [root] INFO: Process with pid 2180 has terminated
2017-07-30 23:03:47,233 [root] INFO: Notified of termination of process with pid 1108.
2017-07-30 23:03:48,280 [lib.api.process] INFO: Dumped 32-bit process with pid 1108
2017-07-30 23:03:48,750 [lib.api.process] INFO: Memory dump of process with pid 1108 completed
2017-07-30 23:03:48,858 [root] INFO: Added new file to list with path: C:\ProgramData\D109.tmp
2017-07-30 23:03:48,875 [root] INFO: Notified of termination of process with pid 2156.
2017-07-30 23:03:51,015 [lib.api.process] INFO: Dumped 32-bit process with pid 2156
2017-07-30 23:03:52,483 [lib.api.process] INFO: Memory dump of process with pid 2156 completed
2017-07-30 23:03:52,592 [root] INFO: Process with pid 2156 has terminated
2017-07-30 23:03:53,625 [root] INFO: Process with pid 1108 has terminated
2017-07-30 23:04:59,328 [root] INFO: Announced 32-bit process name: WMIADAP.exe pid: 1984
2017-07-30 23:04:59,342 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:04:59,453 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1984
2017-07-30 23:04:59,530 [root] INFO: Disabling sleep skipping.
2017-07-30 23:04:59,655 [root] INFO: Added new process to list with pid: 1984
2017-07-30 23:04:59,671 [root] INFO: Cuckoomon successfully loaded in process with pid 1984.
2017-07-30 23:05:00,312 [root] INFO: Announced 32-bit process name: WmiPrvSE.exe pid: 3060
2017-07-30 23:05:00,328 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:05:00,405 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3060
2017-07-30 23:05:00,530 [root] INFO: Disabling sleep skipping.
2017-07-30 23:05:00,592 [root] INFO: Added new process to list with pid: 3060
2017-07-30 23:05:00,592 [root] INFO: Cuckoomon successfully loaded in process with pid 3060.
2017-07-30 23:05:02,796 [root] INFO: Added new file to list with path: C:\Windows\System32\wbem\Performance\WmiApRpl_new.h
2017-07-30 23:05:39,467 [root] INFO: Notified of termination of process with pid 3356.
2017-07-30 23:05:41,312 [lib.api.process] INFO: Dumped 32-bit process with pid 3356
2017-07-30 23:05:42,046 [lib.api.process] INFO: Memory dump of process with pid 3356 completed
2017-07-30 23:05:42,858 [root] INFO: Process with pid 3356 has terminated
2017-07-30 23:05:49,125 [root] INFO: Added new file to list with path: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
2017-07-30 23:06:02,655 [root] INFO: Notified of termination of process with pid 3060.
2017-07-30 23:06:04,092 [lib.api.process] INFO: Dumped 32-bit process with pid 3060
2017-07-30 23:06:04,608 [lib.api.process] INFO: Memory dump of process with pid 3060 completed
2017-07-30 23:06:05,217 [root] INFO: Process with pid 3060 has terminated
2017-07-30 23:06:20,280 [root] INFO: Added new file to list with path: C:\Windows\System32\wbem\repository\OBJECTS.DATA
2017-07-30 23:06:20,562 [root] INFO: Added new file to list with path: C:\Windows\System32\wbem\repository\INDEX.BTR
2017-07-30 23:06:20,687 [root] INFO: Added new file to list with path: C:\Windows\System32\wbem\repository\MAPPING3.MAP
2017-07-30 23:07:20,405 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
2017-07-30 23:07:20,655 [root] INFO: Added new file to list with path: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
2017-07-30 23:08:06,515 [root] INFO: Added new file to list with path: C:\Windows\inf\WmiApRpl\WmiApRpl.h
2017-07-30 23:08:06,608 [root] INFO: Added new file to list with path: C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini
2017-07-30 23:08:07,015 [root] INFO: Added new file to list with path: C:\Windows\System32\PerfStringBackup.TMP
2017-07-30 23:08:07,203 [root] INFO: Added new file to list with path: C:\Windows\System32\PerfStringBackup.INI
2017-07-30 23:08:52,640 [root] INFO: Notified of termination of process with pid 1984.
2017-07-30 23:08:54,203 [lib.api.process] INFO: Dumped 32-bit process with pid 1984
2017-07-30 23:08:54,796 [lib.api.process] INFO: Memory dump of process with pid 1984 completed
2017-07-30 23:08:55,217 [root] INFO: Process with pid 1984 has terminated
2017-07-30 23:32:52,421 [root] INFO: Added new file to list with path: C:\Windows\System32\0171FB1C.exe
2017-07-30 23:32:52,983 [root] INFO: Announced 32-bit process name: 0171FB1C.exe pid: 4024
2017-07-30 23:32:52,983 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:32:53,108 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4024
2017-07-30 23:32:53,280 [root] INFO: Disabling sleep skipping.
2017-07-30 23:32:53,328 [root] INFO: Added new process to list with pid: 4024
2017-07-30 23:32:53,358 [root] INFO: Cuckoomon successfully loaded in process with pid 4024.
2017-07-30 23:33:11,796 [root] INFO: Announced 32-bit process name: 0171FB1C.exe pid: 2904
2017-07-30 23:33:11,796 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:33:12,155 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2904
2017-07-30 23:33:12,453 [root] INFO: Announced 32-bit process name: 0171FB1C.exe pid: 2904
2017-07-30 23:33:12,467 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:33:13,062 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2904, error: -1
2017-07-30 23:33:13,750 [root] INFO: Notified of termination of process with pid 4024.
2017-07-30 23:33:13,765 [root] INFO: Disabling sleep skipping.
2017-07-30 23:33:15,140 [lib.api.process] INFO: Dumped 32-bit process with pid 4024
2017-07-30 23:33:16,765 [lib.api.process] INFO: Memory dump of process with pid 4024 completed
2017-07-30 23:33:16,796 [root] INFO: Added new process to list with pid: 2904
2017-07-30 23:33:16,890 [root] INFO: Cuckoomon successfully loaded in process with pid 2904.
2017-07-30 23:33:17,375 [root] INFO: Process with pid 4024 has terminated
2017-07-30 23:33:17,983 [root] INFO: Announced 32-bit process name: 0171FB1C.exe pid: 1556
2017-07-30 23:33:18,000 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:33:18,390 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1556
2017-07-30 23:33:18,467 [root] INFO: Disabling sleep skipping.
2017-07-30 23:33:18,608 [root] INFO: Added new process to list with pid: 1556
2017-07-30 23:33:18,625 [root] INFO: Cuckoomon successfully loaded in process with pid 1556.
2017-07-30 23:33:37,062 [root] INFO: Announced 32-bit process name: 0171FB1C.exe pid: 1860
2017-07-30 23:33:37,203 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:33:41,483 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1860
2017-07-30 23:33:41,687 [root] INFO: Announced 32-bit process name: 0171FB1C.exe pid: 1860
2017-07-30 23:33:41,687 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:33:42,155 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1860, error: -1
2017-07-30 23:33:42,592 [root] INFO: Notified of termination of process with pid 1556.
2017-07-30 23:33:42,592 [root] INFO: Disabling sleep skipping.
2017-07-30 23:33:43,858 [lib.api.process] INFO: Dumped 32-bit process with pid 1556
2017-07-30 23:33:44,437 [lib.api.process] INFO: Memory dump of process with pid 1556 completed
2017-07-30 23:33:44,453 [root] INFO: Added new process to list with pid: 1860
2017-07-30 23:33:44,500 [root] INFO: Cuckoomon successfully loaded in process with pid 1860.
2017-07-30 23:33:44,750 [root] INFO: Process with pid 1556 has terminated
2017-07-30 23:33:45,453 [root] INFO: Notified of termination of process with pid 2904.
2017-07-30 23:33:47,765 [lib.api.process] INFO: Dumped 32-bit process with pid 2904
2017-07-30 23:33:48,187 [lib.api.process] INFO: Memory dump of process with pid 2904 completed
2017-07-30 23:33:48,217 [root] INFO: Notified of termination of process with pid 948.
2017-07-30 23:33:50,515 [lib.api.process] INFO: Dumped 32-bit process with pid 948
2017-07-30 23:33:51,515 [lib.api.process] INFO: Memory dump of process with pid 948 completed
2017-07-30 23:33:51,796 [root] INFO: Process with pid 948 has terminated
2017-07-30 23:33:52,828 [root] INFO: Process with pid 2904 has terminated
2017-07-30 23:33:55,155 [root] INFO: Announced starting service "cardmsi"
2017-07-30 23:33:55,280 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2592
2017-07-30 23:33:55,296 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:33:55,578 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2592
2017-07-30 23:33:55,717 [root] INFO: Disabling sleep skipping.
2017-07-30 23:33:55,780 [root] INFO: Added new process to list with pid: 2592
2017-07-30 23:33:55,796 [root] INFO: Cuckoomon successfully loaded in process with pid 2592.
2017-07-30 23:34:17,125 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 1236
2017-07-30 23:34:17,187 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:34:18,717 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1236
2017-07-30 23:34:18,780 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 1236
2017-07-30 23:34:18,796 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:34:19,062 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 1236, error: -1
2017-07-30 23:34:19,375 [root] INFO: Notified of termination of process with pid 2592.
2017-07-30 23:34:19,562 [root] INFO: Disabling sleep skipping.
2017-07-30 23:34:21,000 [lib.api.process] INFO: Dumped 32-bit process with pid 2592
2017-07-30 23:34:22,342 [lib.api.process] INFO: Memory dump of process with pid 2592 completed
2017-07-30 23:34:22,405 [root] INFO: Added new process to list with pid: 1236
2017-07-30 23:34:22,500 [root] INFO: Cuckoomon successfully loaded in process with pid 1236.
2017-07-30 23:34:22,515 [root] WARNING: Unable to open termination event for pid 2592.
2017-07-30 23:34:23,030 [root] INFO: Notified of termination of process with pid 1860.
2017-07-30 23:34:25,530 [lib.api.process] INFO: Dumped 32-bit process with pid 1860
2017-07-30 23:34:26,405 [lib.api.process] INFO: Memory dump of process with pid 1860 completed
2017-07-30 23:34:26,483 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2744
2017-07-30 23:34:26,515 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:34:26,765 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2744
2017-07-30 23:34:26,842 [root] INFO: Disabling sleep skipping.
2017-07-30 23:34:26,890 [root] INFO: Added new process to list with pid: 2744
2017-07-30 23:34:26,905 [root] INFO: Cuckoomon successfully loaded in process with pid 2744.
2017-07-30 23:34:27,500 [root] INFO: Process with pid 1860 has terminated
2017-07-30 23:34:28,546 [root] INFO: Process with pid 2592 has terminated
2017-07-30 23:34:46,765 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2928
2017-07-30 23:34:46,858 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:34:47,905 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2928
2017-07-30 23:34:48,092 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2928
2017-07-30 23:34:48,125 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:34:48,358 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2928, error: -1
2017-07-30 23:34:48,750 [root] INFO: Notified of termination of process with pid 2744.
2017-07-30 23:34:49,233 [root] INFO: Disabling sleep skipping.
2017-07-30 23:34:51,467 [lib.api.process] INFO: Dumped 32-bit process with pid 2744
2017-07-30 23:34:53,015 [lib.api.process] INFO: Memory dump of process with pid 2744 completed
2017-07-30 23:34:53,062 [root] INFO: Added new process to list with pid: 2928
2017-07-30 23:34:53,092 [root] INFO: Cuckoomon successfully loaded in process with pid 2928.
2017-07-30 23:34:53,937 [root] INFO: Process with pid 2744 has terminated
2017-07-30 23:34:55,046 [root] INFO: Notified of termination of process with pid 1236.
2017-07-30 23:34:56,717 [lib.api.process] INFO: Dumped 32-bit process with pid 1236
2017-07-30 23:34:57,250 [lib.api.process] INFO: Memory dump of process with pid 1236 completed
2017-07-30 23:34:58,078 [root] INFO: Process with pid 1236 has terminated
2017-07-30 23:49:25,250 [root] INFO: Added new file to list with path: C:\Windows\System32\01708469.exe
2017-07-30 23:49:25,765 [root] INFO: Announced 32-bit process name: 01708469.exe pid: 3472
2017-07-30 23:49:25,780 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:49:25,905 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3472
2017-07-30 23:49:26,015 [root] INFO: Disabling sleep skipping.
2017-07-30 23:49:26,125 [root] INFO: Added new process to list with pid: 3472
2017-07-30 23:49:26,140 [root] INFO: Cuckoomon successfully loaded in process with pid 3472.
2017-07-30 23:49:47,467 [root] INFO: Announced 32-bit process name: 01708469.exe pid: 2120
2017-07-30 23:49:47,562 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:49:47,953 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2120
2017-07-30 23:49:48,015 [root] INFO: Announced 32-bit process name: 01708469.exe pid: 2120
2017-07-30 23:49:48,030 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:49:48,562 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2120, error: -1
2017-07-30 23:49:49,312 [root] INFO: Notified of termination of process with pid 3472.
2017-07-30 23:49:49,358 [root] INFO: Disabling sleep skipping.
2017-07-30 23:49:50,608 [lib.api.process] INFO: Dumped 32-bit process with pid 3472
2017-07-30 23:49:52,155 [lib.api.process] INFO: Memory dump of process with pid 3472 completed
2017-07-30 23:49:52,187 [root] INFO: Added new process to list with pid: 2120
2017-07-30 23:49:52,453 [root] INFO: Cuckoomon successfully loaded in process with pid 2120.
2017-07-30 23:49:54,000 [root] INFO: Process with pid 3472 has terminated
2017-07-30 23:49:54,000 [root] INFO: Announced 32-bit process name: 01708469.exe pid: 2108
2017-07-30 23:49:54,015 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:49:54,421 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2108
2017-07-30 23:49:54,562 [root] INFO: Disabling sleep skipping.
2017-07-30 23:49:54,750 [root] INFO: Added new process to list with pid: 2108
2017-07-30 23:49:54,780 [root] INFO: Cuckoomon successfully loaded in process with pid 2108.
2017-07-30 23:50:13,562 [root] INFO: Announced 32-bit process name: 01708469.exe pid: 3372
2017-07-30 23:50:13,687 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:50:14,875 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3372
2017-07-30 23:50:14,953 [root] INFO: Announced 32-bit process name: 01708469.exe pid: 3372
2017-07-30 23:50:14,953 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:50:15,125 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 3372, error: -1
2017-07-30 23:50:15,546 [root] INFO: Notified of termination of process with pid 2108.
2017-07-30 23:50:15,546 [root] INFO: Disabling sleep skipping.
2017-07-30 23:50:16,983 [lib.api.process] INFO: Dumped 32-bit process with pid 2108
2017-07-30 23:50:18,671 [lib.api.process] INFO: Memory dump of process with pid 2108 completed
2017-07-30 23:50:18,687 [root] INFO: Added new process to list with pid: 3372
2017-07-30 23:50:18,717 [root] INFO: Cuckoomon successfully loaded in process with pid 3372.
2017-07-30 23:50:19,375 [root] INFO: Process with pid 2108 has terminated
2017-07-30 23:50:20,687 [root] INFO: Notified of termination of process with pid 2120.
2017-07-30 23:50:22,390 [lib.api.process] INFO: Dumped 32-bit process with pid 2120
2017-07-30 23:50:23,015 [lib.api.process] INFO: Memory dump of process with pid 2120 completed
2017-07-30 23:50:23,030 [root] INFO: Notified of termination of process with pid 2928.
2017-07-30 23:50:25,671 [lib.api.process] INFO: Dumped 32-bit process with pid 2928
2017-07-30 23:50:26,515 [lib.api.process] INFO: Memory dump of process with pid 2928 completed
2017-07-30 23:50:27,562 [root] INFO: Process with pid 2928 has terminated
2017-07-30 23:50:28,578 [root] INFO: Process with pid 2120 has terminated
2017-07-30 23:50:30,796 [root] INFO: Announced starting service "cardmsi"
2017-07-30 23:50:30,890 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2576
2017-07-30 23:50:30,905 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:50:31,625 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2576
2017-07-30 23:50:32,078 [root] INFO: Disabling sleep skipping.
2017-07-30 23:50:32,530 [root] INFO: Added new process to list with pid: 2576
2017-07-30 23:50:32,546 [root] INFO: Cuckoomon successfully loaded in process with pid 2576.
2017-07-30 23:50:51,812 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 4000
2017-07-30 23:50:51,953 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:50:53,296 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 4000
2017-07-30 23:50:53,390 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 4000
2017-07-30 23:50:53,405 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:50:54,703 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 4000, error: -1
2017-07-30 23:50:55,750 [root] INFO: Notified of termination of process with pid 2576.
2017-07-30 23:50:55,812 [root] INFO: Disabling sleep skipping.
2017-07-30 23:50:57,233 [lib.api.process] INFO: Dumped 32-bit process with pid 2576
2017-07-30 23:50:58,592 [lib.api.process] INFO: Memory dump of process with pid 2576 completed
2017-07-30 23:50:58,625 [root] INFO: Added new process to list with pid: 4000
2017-07-30 23:50:58,655 [root] INFO: Cuckoomon successfully loaded in process with pid 4000.
2017-07-30 23:50:58,655 [root] WARNING: Unable to open termination event for pid 2576.
2017-07-30 23:50:58,812 [root] INFO: Notified of termination of process with pid 3372.
2017-07-30 23:51:01,765 [lib.api.process] INFO: Dumped 32-bit process with pid 3372
2017-07-30 23:51:02,467 [lib.api.process] INFO: Memory dump of process with pid 3372 completed
2017-07-30 23:51:02,562 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 1336
2017-07-30 23:51:02,578 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:51:03,092 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1336
2017-07-30 23:51:03,203 [root] INFO: Disabling sleep skipping.
2017-07-30 23:51:03,390 [root] INFO: Added new process to list with pid: 1336
2017-07-30 23:51:03,405 [root] INFO: Cuckoomon successfully loaded in process with pid 1336.
2017-07-30 23:51:04,155 [root] INFO: Process with pid 3372 has terminated
2017-07-30 23:51:11,717 [root] INFO: Process with pid 2576 has terminated
2017-07-30 23:51:21,171 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2676
2017-07-30 23:51:21,312 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:51:21,812 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2676
2017-07-30 23:51:21,875 [root] INFO: Announced 32-bit process name: cardmsi.exe pid: 2676
2017-07-30 23:51:21,890 [lib.api.process] DEBUG: Using QueueUserAPC injection.
2017-07-30 23:51:22,655 [lib.api.process] ERROR: Unable to inject into 32-bit process with pid 2676, error: -1
2017-07-30 23:51:23,155 [root] INFO: Notified of termination of process with pid 1336.
2017-07-30 23:51:23,530 [root] INFO: Disabling sleep skipping.
2017-07-30 23:51:27,530 [lib.api.process] INFO: Dumped 32-bit process with pid 1336
2017-07-30 23:51:28,171 [lib.api.process] INFO: Memory dump of process with pid 1336 completed
2017-07-30 23:51:28,217 [root] INFO: Added new process to list with pid: 2676
2017-07-30 23:51:28,233 [root] INFO: Cuckoomon successfully loaded in process with pid 2676.
2017-07-30 23:51:28,750 [root] INFO: Process with pid 1336 has terminated
2017-07-30 23:51:29,687 [root] INFO: Notified of termination of process with pid 4000.
2017-07-30 23:51:30,953 [lib.api.process] INFO: Dumped 32-bit process with pid 4000
2017-07-30 23:51:32,375 [lib.api.process] INFO: Memory dump of process with pid 4000 completed
2017-07-30 23:51:32,796 [root] INFO: Process with pid 4000 has terminated
2017-07-31 00:21:19,983 [root] INFO: Process with pid 436 has terminated

I have memory and pcap and screenshots...kinda looks like it finished on the backend, but the web frontend doesn't seem to know it. API shows:

{
    "data": {
        "guest": {
            "shutdown_on": "2017-07-31 06:44:33",
            "task_id": 530,
            "label": "win732",
            "manager": "KVM",
            "started_on": "2017-07-31 04:59:57",
            "id": 528,
            "name": "cuckoo1"
        },
        "started_on": "2017-07-31 04:59:57",
        "sample": {
            "sha1": "ae719efe85c61f9d9b76a810b8f33ee22d4a20a6",
            "file_type": "PE32 executable (GUI) Intel 80386, for MS Windows",
            "file_size": 175104,
            "crc32": "04DA5939",
            "ssdeep": "3072:oCbiFuA6biwjV+bjmRUvKONreiHYA4DCpjPqosvmhF:oCbiFzE+mJGnHhpTx",
            "sha256": "b6e68ffede4e72ef0b7b9dad3842c27c1136eeb5336df1d490b4c9f497b484cf",
            "sha512": "0aa9db95d92c0cf0d670e435a3bee624653bc1966fafb2f144f3c436d1983d6303fd75f80a3997094dfacf960ccd49df0cda8009142b467a5a82c2d0498b95d1",
            "id": 528,
            "md5": "b32fc54fd645cddfbb4307714cd1158d"
        },
        "sample_id": 528,
        "reporting_started_on": null,
        "id": 530,
        "category": "file",
        "priority": 3,
        "errors": [
            "The analysis hit the critical timeout, terminating."
        ],
        "signatures_started_on": null,
        "analysis_finished_on": null,
        "clock": "2017-07-31 04:59:00",
        "processing_finished_on": null,
        "custom": "",
        "machine": "",
        "platform": "",
        "shrike_sid": null,
        "memory": true,
        "reporting_finished_on": null,
        "signatures_total": null,
        "api_calls": null,
        "status": "completed",
        "timedout": false,
        "shrike_msg": null,
        "tags": [],
        "crash_issues": null,
        "dropped_files": null,
        "enforce_timeout": false,
        "parent_id": null,
        "signatures_finished_on": null,
        "running_processes": null,
        "completed_on": "2017-07-31 06:45:00",
        "target": "vMP.exe",
        "shrike_url": null,
        "package": "",
        "files_written": null,
        "analysis_started_on": null,
        "processing_started_on": null,
        "anti_issues": null,
        "registry_keys_modified": null,
        "signatures_alert": null,
        "timeout": 5000,
        "domains": null,
        "machine_id": null,
        "options": "tor=yes,procmemdump=yes",
        "added_on": "2017-07-31 04:59:56",
        "shrike_refer": null
    },
    "error": false
}

And

{
    "data": "completed",
    "error": false
}

Hope that helps..thank you.
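
The task record above is the signature of this state: the guest run is over (`completed_on` is set), yet `processing_started_on`, `processing_finished_on` and `reporting_finished_on` are all null and the API still reports the task as "completed" rather than "reported". The following Python check is an added example, not code from cuckoo-modified or from anyone in this thread. It runs over a constructed, trimmed copy of the `/tasks/view` output quoted above, flags a record as stuck when the guest finished more than a threshold ago without processing ever finishing, and prints the `python utils/process.py -r ID -d` reprocess command. The two-hour threshold and the treatment of the status strings "completed" and "processing" as "awaiting or inside processing" are assumptions; adjust them to your own processing times and Cuckoo version.

```python
"""Flag Cuckoo tasks whose processing never finished (added example)."""
import json
from datetime import datetime, timedelta

# Constructed sample, trimmed from the /tasks/view output quoted in the thread.
# The guest finished (completed_on set) but no processing/reporting timestamp
# was ever written: the "stuck in processing" state this issue is about.
SAMPLE_TASK_JSON = """{
    "data": {
        "id": 530,
        "status": "completed",
        "started_on": "2017-07-31 04:59:57",
        "completed_on": "2017-07-31 06:45:00",
        "processing_started_on": null,
        "processing_finished_on": null,
        "reporting_finished_on": null,
        "errors": ["The analysis hit the critical timeout, terminating."],
        "memory": true,
        "timeout": 5000
    },
    "error": false
}"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"   # timestamp layout used by the API output above
STALE_AFTER = timedelta(hours=2)  # assumed threshold; tune to your processing times


def parse_ts(value):
    """Parse an API timestamp string; None (JSON null) stays None."""
    return datetime.strptime(value, TS_FORMAT) if value else None


def load_task(raw_json):
    """Extract the 'data' object from a /tasks/view style response body."""
    return json.loads(raw_json)["data"]


def classify_task(task, now, stale_after=STALE_AFTER):
    """Return (verdict, reasons) for one task 'data' object.

    now is a timestamp string in the API format. verdict is one of
    'ok', 'in_progress', 'stuck_processing' or 'failed'.
    """
    now = parse_ts(now)
    status = task.get("status")
    reasons = []

    if status == "reported":
        return "ok", reasons
    if status and status.startswith("failed"):
        return "failed", ["status is %s" % status]

    completed_on = parse_ts(task.get("completed_on"))
    proc_started = parse_ts(task.get("processing_started_on"))
    proc_finished = parse_ts(task.get("processing_finished_on"))

    # Guest run is over but processing never finished: measure staleness from
    # when processing began if known, otherwise from when the guest finished.
    if status in ("completed", "processing") and completed_on and not proc_finished:
        since = proc_started or completed_on
        age = now - since
        if age > stale_after:
            reasons.append("no processing_finished_on %s after %s" % (age, since))
            if task.get("memory"):
                reasons.append("memory=true: the Volatility step is the usual slow part")
            for err in task.get("errors") or []:
                reasons.append("analysis error: %s" % err)
            return "stuck_processing", reasons
        return "in_progress", reasons

    return "in_progress", reasons


def reprocess_command(task_id):
    """Reprocess command for a task, as suggested in this thread."""
    return "python utils/process.py -r %d -d" % task_id


def find_stuck(records, now, stale_after=STALE_AFTER):
    """Return [(task_id, reasons, command)] for every stuck record."""
    stuck = []
    for task in records:
        verdict, reasons = classify_task(task, now, stale_after)
        if verdict == "stuck_processing":
            stuck.append((task["id"], reasons, reprocess_command(task["id"])))
    return stuck


if __name__ == "__main__":
    record = load_task(SAMPLE_TASK_JSON)
    for task_id, reasons, cmd in find_stuck([record], "2017-08-01 14:00:00"):
        print("task %d looks stuck:" % task_id)
        for reason in reasons:
            print("  - " + reason)
        print("  reprocess with: " + cmd)
```

In practice you would feed `find_stuck` the `data` objects from `/tasks/view/<id>` for every task the list endpoint reports as not yet "reported", and schedule the check alongside process.py so that a rebooted or killed processing run (as happened in this thread) shows up as a stale record rather than as a report page that refreshes forever.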

Nwinternights commented 6 years ago

process.txt I post mine in case it helps

doomedraven commented 6 years ago

@Nwinternights your processing looks just fine, there's no issue. @DigiAngel you don't have access to the process.py log/screen/tmux session/supervisor/whatever?

DigiAngel commented 6 years ago

Yea I got access to the entire setup...just tell me where to go.

doomedraven commented 6 years ago

If it's still processing, that should be in some tty. I don't know how you run process.py, but you should see it in a screen/tmux session/supervisor/whatever; you will know better where and how it was started, so you can see in real time what's happening.

DigiAngel commented 6 years ago

Ah.....yea that box got rebooted :(...it's not REALLY still processing.

doomedraven commented 6 years ago

maybe python process.py -r ID -d will reprocess it :)

DigiAngel commented 6 years ago

Ok I'll give that a go...wish me luck :D

doomedraven commented 6 years ago

good luck and make that issue disappear :P

DigiAngel commented 6 years ago

It appears to stop processing with volatility at:

2017-08-01 14:26:22,957 [volatility.debug] DEBUG: Succeeded instantiating <volatility.plugins.addrspaces.intel.IA32PagedMemoryPae object at 0x7fd4424a6e10>
2017-08-01 14:26:22,957 [volatility.debug] DEBUG: Voting round
2017-08-01 14:26:22,957 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.macho.MachOAddressSpace'>
2017-08-01 14:26:22,957 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.lime.LimeAddressSpace'>
2017-08-01 14:26:22,958 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32'>
2017-08-01 14:26:22,959 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.crashbmp.WindowsCrashDumpSpace64BitMap'>
2017-08-01 14:26:22,959 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmem.VMWareMetaAddressSpace'>
2017-08-01 14:26:22,959 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64'>
2017-08-01 14:26:22,959 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.hpak.HPAKAddressSpace'>
2017-08-01 14:26:22,959 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.VirtualBoxCoreDumpElf64'>
2017-08-01 14:26:22,960 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.vmware.VMWareAddressSpace'>
2017-08-01 14:26:22,960 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.elfcoredump.QemuCoreDumpElf'>
2017-08-01 14:26:22,960 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32'>
2017-08-01 14:26:22,961 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.Win10AMD64PagedMemory'>
2017-08-01 14:26:22,961 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.WindowsAMD64PagedMemory'>
2017-08-01 14:26:22,961 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.LinuxAMD64PagedMemory'>
2017-08-01 14:26:22,961 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.amd64.AMD64PagedMemory'>
2017-08-01 14:26:22,962 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemoryPae'>
2017-08-01 14:26:22,962 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.intel.IA32PagedMemory'>
2017-08-01 14:26:22,962 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.osxpmemelf.OSXPmemELF'>
2017-08-01 14:26:22,962 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.standard.FileAddressSpace'>
2017-08-01 14:26:22,962 [volatility.debug] DEBUG: Trying <class 'volatility.plugins.addrspaces.arm.ArmAddressSpace'>

CPU is pegged at 100% for the last 20 minutes:

cuckoo   11208 97.2 21.0 2162228 1719108 pts/1 Rl+  14:19  30:49 python utils/process.py -r 530 -d

doomedraven commented 6 years ago

Try disabling memory processing and reprocessing to see if that is a real vol problem, or whether there's something else.

Which yara and vol versions? As for some reason it can be yara related.

DigiAngel commented 6 years ago

So a ctrl-c a couple of times past the volatility plugins appears to have fixed this up...thank you!