URL Details

URL
http://mrwmjudmfyja.com/

Score

This URL appears fairly benign with a score of 0.8 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category: URL
Started: Feb. 5, 2019, 12:19 p.m.
Completed: Feb. 5, 2019, 12:20 p.m.
Duration: 32 seconds
Logs: (none)

Machine

Name: win7x32
Label: win7x32
Started On: 2019-02-05 12:19:43
Shutdown On: 2019-02-05 12:20:15

Analyzer Log

2019-02-05 04:19:43,092 [analyzer] DEBUG: Starting analyzer from: C:\mepkivjwb
2019-02-05 04:19:43,092 [analyzer] DEBUG: Pipe server name: \\.\PIPE\JEUtLARFmCWqOglIVdtwRSGVASbF
2019-02-05 04:19:43,092 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\zEAedIQqsSdeFtSAVhmlKUSQUOOOvE
2019-02-05 04:19:46,789 [analyzer] DEBUG: Started auxiliary module Disguise
2019-02-05 04:19:47,023 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-02-05 04:19:47,023 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-02-05 04:19:47,086 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-02-05 04:19:47,086 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-02-05 04:19:47,086 [analyzer] DEBUG: Loaded monitor into process with pid 476
2019-02-05 04:19:47,101 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-02-05 04:19:47,101 [analyzer] DEBUG: Started auxiliary module Human
2019-02-05 04:19:47,101 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-02-05 04:19:47,101 [analyzer] DEBUG: Started auxiliary module Reboot
2019-02-05 04:19:47,368 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-02-05 04:19:47,382 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-02-05 04:19:47,819 [lib.api.process] INFO: Successfully executed process from path 'C:\\Windows\\System32\\msiexec.exe' with arguments ['/I', 'http://mrwmjudmfyja.com/'] and pid 2852
2019-02-05 04:19:50,878 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-02-05 04:19:50,878 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-02-05 04:19:51,377 [analyzer] DEBUG: Loaded monitor into process with pid 2852
2019-02-05 04:19:51,391 [analyzer] DEBUG: Received request to inject pid=2852, but we are already injected there.
2019-02-05 04:20:04,667 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-02-05 04:20:05,697 [lib.api.process] WARNING: The process with pid 2852 is not alive, memory dump aborted
2019-02-05 04:20:06,400 [analyzer] INFO: Process with pid 2852 has terminated
2019-02-05 04:20:06,400 [analyzer] INFO: Process list is empty, terminating analysis.
2019-02-05 04:20:07,414 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-02-05 04:20:07,414 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-02-05 12:19:43,179 [lib.cuckoo.core.scheduler] INFO: Task #1232: acquired machine win7x32 (label=win7x32)
2019-02-05 12:19:43,234 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2373 (interface=eth2, host=192.168.128.112, pcap=/opt/cuckoo/storage/analyses/1232/dump.pcap)
2019-02-05 12:19:52,189 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x32, ip=192.168.128.112)
2019-02-05 12:20:14,819 [lib.cuckoo.core.guest] INFO: win7x32: analysis completed successfully
2019-02-05 12:20:28,064 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-02-05 12:20:29,642 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c7e7950>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-05 12:20:29,643 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c7e7290>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-05 12:20:29,644 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c7e7490>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-05 12:20:29,645 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c7e7910>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-05 12:20:29,646 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937c7e7910>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937c7e7910>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Allocates read-write-execute memory (usually to unpack itself) (15 events)
Events (time, API, arguments; then status, return value, repeat count):

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x73ca1000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x739c1000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x73551000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x73531000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x74b61000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x71481000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x71431000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x76771000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x75671000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x747a1000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x74411000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x74761000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x70b01000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x72f41000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  NtProtectVirtualMemory
  base_address: 0x74601000
  length: 4096
  protection: 64 (PAGE_EXECUTE_READWRITE)
  process_identifier: 2852
  process_handle: 0xffffffff
  status: success, return: 0, repeated: 0

Checks adapter addresses which can be used to detect virtual network interfaces (4 events)
Events (time, API, arguments; then status, return value, repeat count):

Feb. 5, 2019, 7:19 a.m.  GetAdaptersAddresses
  flags: 15
  family: 0
  status: failed, return: 111, repeated: 0

Feb. 5, 2019, 7:19 a.m.  GetAdaptersAddresses
  flags: 15
  family: 0
  status: success, return: 0, repeated: 0

Feb. 5, 2019, 7:19 a.m.  GetAdaptersAddresses
  flags: 640
  family: 0
  status: failed, return: 111, repeated: 0

Feb. 5, 2019, 7:19 a.m.  GetAdaptersAddresses
  flags: 640
  family: 0
  status: success, return: 0, repeated: 0

Network

DNS

Name Response Post-Analysis Lookup
mrwmjudmfyja.com
dns.msftncsi.com 131.107.255.255

Hosts

No hosts contacted.

Summary

Process msiexec.exe (2852)

  • Opened files

    • C:\Windows\System32\msimsg.dll
    • C:\Windows\Globalization\Sorting\sortdefault.nls

Process msiexec.exe (2852)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaExtensionConfig\SspiCli
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-93-4b-7c
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\msiexec.exe
    • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Psched\Parameters\Winsock
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Psched
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\TokenSize
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Psched\WinSock 2.0 Provider ID
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-93-4b-7c\WpadDecision
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Psched\Parameters\Winsock\MaxSockaddrLength
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Capabilities
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-93-4b-7c\WpadDecisionTime
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureRoutine
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\MaximumAllowedAllocationSize
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AllowOnlyDNSQueryForWPAD
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureDll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Psched\Parameters\Winsock\HelperDllName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\AutoProxyAutoLogonIfChallenged
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Psched\Parameters\Winsock\MinSockaddrLength
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Comment
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Name
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Version
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Psched\Parameters\Winsock\Mapping
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Psched\Parameters\Winsock\UseDelayedAcceptance
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions\00060101.00060101
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\RpcId
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Type

Process msiexec.exe (2852)

  • DLLs Loaded

    • C:\Windows\System32\wshqos.dll
    • C:\Windows\system32\ole32.dll
    • DNSAPI.dll
    • wship6.dll
    • kernel32.dll
    • UxTheme.dll
    • C:\Windows\system32\OLE32.DLL
    • dwmapi.dll
    • ntdll.dll
    • cryptsp.dll
    • C:\Windows\system32\TSAPPCMP.DLL
    • winhttp.dll
    • C:\Windows\system32\SHELL32.DLL
    • API-MS-WIN-Service-Management-L2-1-0.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • PROPSYS.dll
    • WINHTTP
    • SspiCli.dll
    • COMCTL32
    • ole32.dll
    • SHLWAPI.dll
    • credssp.dll
    • C:\Windows\system32\mswsock.dll
    • C:\Windows\system32\SHLWAPI.DLL
    • IPHLPAPI.DLL
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • wshtcpip
    • OLEAUT32.dll
    • RPCRT4.dll
    • comctl32.dll
    • C:\Windows\system32\NETAPI32.DLL
    • NSI.dll
    • C:\Windows\system32\uxtheme.dll
    • CFGMGR32.dll
    • C:\Windows\system32\KERNEL32.DLL
    • ADVAPI32.dll
    • Ntdll.dll
    • WS2_32.dll

No static analysis available.
No antivirus signatures available.

Process Tree

msiexec.exe, PID: 2852, Parent PID: 2824


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

No TCP connections recorded.

UDP

Source           Source Port  Destination      Destination Port
192.168.128.112  49254        192.168.128.111  53
192.168.128.112  56984        192.168.128.111  53
192.168.128.112  138          192.168.128.255  138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Sorry! No dropped files.
Sorry! No dropped buffers.
Task ID: 1232
Mongo ID: 5c59c5de11d30812ab71f463
Cuckoo release: 2.0-dev