URL Details

URL
https://sftpemea.west.com/pcs/uploads/jsc/5276729.zip

Score

This url appears fairly benign with a score of 0.4 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Analysis
Compare analysis to ... Export analysis Reboot analysis

Category Started Completed Duration Logs
URL Feb. 6, 2019, 6:15 a.m. Feb. 6, 2019, 6:20 a.m. 268 seconds

Machine

Name Label Started On Shutdown On
win7x64 win7x64 2019-02-06 06:15:36 2019-02-06 06:20:03

Analyzer Log

2019-02-05 22:15:35,046 [analyzer] DEBUG: Starting analyzer from: C:\cljoweyer
2019-02-05 22:15:35,124 [analyzer] DEBUG: Pipe server name: \\.\PIPE\LsFtJwAeEutgbMBQaYRPitDhDa
2019-02-05 22:15:35,124 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\qQZTQlPSJeJIGztcjhD
2019-02-05 22:15:35,124 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-02-05 22:15:35,124 [analyzer] INFO: Automatically selected analysis package "ie"
2019-02-05 22:15:36,964 [analyzer] DEBUG: Started auxiliary module Disguise
2019-02-05 22:15:37,417 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-02-05 22:15:37,417 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-02-05 22:15:37,417 [analyzer] DEBUG: Started auxiliary module Human
2019-02-05 22:15:37,417 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-02-05 22:15:37,417 [analyzer] DEBUG: Started auxiliary module Reboot
2019-02-05 22:15:37,744 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-02-05 22:15:37,760 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-02-05 22:15:37,760 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-02-05 22:15:37,931 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['https://sftpemea.west.com/pcs/uploads/jsc/5276729.zip'] and pid 2316
2019-02-05 22:15:38,431 [analyzer] DEBUG: Loaded monitor into process with pid 2316
2019-02-05 22:15:38,602 [analyzer] DEBUG: Ignoring process "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon!
2019-02-05 22:15:43,190 [analyzer] DEBUG: Following legitimate iexplore process: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2316 CREDAT:79873!
2019-02-05 22:15:43,236 [analyzer] INFO: Injected into process with pid 2460 and name u'iexplore.exe'
2019-02-05 22:15:43,377 [analyzer] DEBUG: Loaded monitor into process with pid 2460
2019-02-05 22:15:43,750 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F79A3D5-29D6-11E9-B036-0050569395D7}.dat
2019-02-05 22:15:43,813 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Temp\~DF78591C720D7F9597.TMP
2019-02-05 22:15:46,528 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F79A3D6-29D6-11E9-B036-0050569395D7}.dat
2019-02-05 22:15:46,575 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Temp\~DF314E77333919DBF9.TMP
2019-02-05 22:19:40,325 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-02-05 22:19:44,460 [lib.api.process] INFO: Memory dump of process with pid 2316 completed
2019-02-05 22:19:53,132 [lib.api.process] INFO: Memory dump of process with pid 2460 completed
2019-02-05 22:19:53,132 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-02-05 22:19:53,132 [lib.api.process] INFO: Successfully terminated process with pid 2316.
2019-02-05 22:19:53,132 [lib.api.process] INFO: Successfully terminated process with pid 2460.
2019-02-05 22:19:53,132 [analyzer] INFO: Error dumping file from path "c:\users\zamen\appdata\local\temp\~df78591c720d7f9597.tmp": [Errno 13] Permission denied: u'c:\\users\\zamen\\appdata\\local\\temp\\~df78591c720d7f9597.tmp'
2019-02-05 22:19:53,132 [analyzer] INFO: Error dumping file from path "c:\users\zamen\appdata\local\temp\~df314e77333919dbf9.tmp": [Errno 13] Permission denied: u'c:\\users\\zamen\\appdata\\local\\temp\\~df314e77333919dbf9.tmp'
2019-02-05 22:19:53,319 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-02-06 06:15:36,367 [lib.cuckoo.core.scheduler] INFO: Task #1234: acquired machine win7x64 (label=win7x64)
2019-02-06 06:15:36,774 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 4252 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1234/dump.pcap)
2019-02-06 06:15:44,074 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-02-06 06:19:53,606 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-02-06 06:20:02,370 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-02-06 06:20:02,713 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-02-06 06:20:08,129 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-02-06 06:20:09,634 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f590f10>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-06 06:20:09,635 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f590590>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-06 06:20:09,635 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f590f50>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-06 06:20:09,636 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f590f90>: Failed to establish a new connection: [Errno 111] Connection refused
2019-02-06 06:20:09,637 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f590f90>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f590f90>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Executes javascript (5 events)
Time & API Arguments Status Return Repeated
Feb. 6, 2019, 1:16 a.m.
COleScript_Compile
type: JScript - window script block
script: 
//Split out for localization.
var L_GOBACK_TEXT = "Go back to the previous page.";
var L_REFRESH_TEXT = "Refresh the page.";
var L_MOREINFO_TEXT = "More information";
var L_OFFLINE_USERS_TEXT = "For offline users";
var L_RELOAD_TEXT = "Retype the address.";
var L_HIDE_HOTKEYS_TEXT = "Hide tab shortcuts";
var L_SHOW_HOTKEYS_TEXT = "Show more tab shortcuts";
var L_CONNECTION_OFF_TEXT = "You are not connected to the Internet. Check your Internet connection.";
var L_CONNECTION_ON_TEXT = "It appears you are connected to the Internet, but you might want to try to reconnect to the Internet.";

//used by invalidcert.js
var L_CertUnknownCA_TEXT = "The security certificate presented by this website was not issued by a trusted certificate authority.";
var L_CertExpired_TEXT = "The security certificate presented by this website has expired or is not yet valid.";
var L_CertCNMismatch_TEXT = "The security certificate presented by this website was issued for a different website's address.";
var L_CertRevoked_TEXT = "This organization's certificate has been revoked.";

var L_PhishingThreat_TEXT = "Phishing threat: This is a phishing website that impersonates a trusted website to trick you into revealing personal or financial information.";
var L_MalwareThreat_TEXT = "Malicious software threat: This site contains links to viruses or other software programs that can reveal personal information stored or typed on your computer to malicious persons.";

var L_ACR_Title_TEXT = "We were unable to return you to %s.";
var L_ACR_TitleFallback_TEXT = "We were unable to return you to the page you were viewing.";
var L_ACR_ReturnTo_TEXT = "Try to return to %s";
var L_ACR_ReturnToFallback_TEXT = "Try to return to the page you were viewing";
var L_ACR_GoHome_TEXT = "Go to your home page";

success 0 0
Feb. 6, 2019, 1:16 a.m.
COleScript_Compile
type: JScript - window script block
script: 
//Need to include errorPageStrings.js when you include this file

function isExternalUrlSafeForNavigation(urlStr)
{
    var regEx = new RegExp("^(http(s?)|ftp|file)://", "i");
    return regEx.exec(urlStr);
}

function clickRefresh()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        window.location.replace(location.substring(poundIndex+1));
    }
}

function navCancelInit()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        var bElement = document.createElement("A");
        bElement.innerText = L_REFRESH_TEXT;
        bElement.href = 'javascript:clickRefresh()';
        navCancelContainer.appendChild(bElement);
    }
    else
    {
        var textNode = document.createTextNode(L_RELOAD_TEXT);
        navCancelContainer.appendChild(textNode);
    }
}

function expandCollapse(elem, changeImage)
{
    if (document.getElementById)
    {
        ecBlock = document.getElementById(elem);

        if (ecBlock != undefined && ecBlock != null)
        {
            if (changeImage)
            {
                //gets the image associated
                elemImage = document.getElementById(elem + "Image");
            }

            //make sure elemImage is good
            if (!changeImage || (elemImage != undefined && elemImage != null))
            {
                if (ecBlock.currentStyle.display == "none" || ecBlock.currentStyle.display == null || ecBlock.currentStyle.display == "")
                {
                    //shows the info.
                    ecBlock.style.display = "block";
                    if (changeImage)
                    {
                        //Just got in expanded mode. Thus, change image to "collapse"
                        elemImage.src = "up.png";
                    }
                }
                else if (ecBlock.currentStyle.display == "block")
                {
                    //hide info
                    ecBlock.style.display = "none";
                    if (changeImage)
                    {
                        //Just got in collapsed mode. Thus, change image to "expand"
                        elemImage.src = "down.png";
                    }
                }
                else
                {
                    //catch any weird circumstances.
                    ecBlock.style.display = "block";
                    if (changeImage)
                    {
                        elemImage.src = "up.png";
                    }
                }
            }//end check elemImage
        }//end check ecBlock
    }//end getElemById
}//end expandCollapse


function initHomepage()
{
    // in real bits, urls get returned to our script like this:
    // res://shdocvw.dll/http_404.htm#http://www.DocURL.com/bar.htm

    //For testing use
    //DocURL = "res://shdocvw.dll/http_404.htm#http://www.microsoft.com/bar.htm"
    DocURL=document.location.href;

    var poundIndex = DocURL.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
   
       //this is where the http or https will be, as found by searching for :// but skipping the res://
       protocolIndex=DocURL.indexOf("://", 4);
   
       //this finds the ending slash for the domain server
       serverIndex=DocURL.indexOf("/", protocolIndex + 3);
   
       //for the href, we need a valid URL to the domain. We search for the # symbol to find the begining
       //of the true URL, and add 1 to skip it - this is the BeginURL value. We use serverIndex as the end marker.
       //urlresult=DocURL.substring(protocolIndex - 4,serverIndex);
       BeginURL=DocURL.indexOf("#",1) + 1;
       urlresult=DocURL.substring(BeginURL, serverIndex);
       if (protocolIndex - BeginURL > 7)
           urlresult="";

        //for display, we need to skip after http://, and go to the next slash
       displayresult=DocURL.substring(protocolIndex + 3, serverIndex);
    } 
    else
    {
       displayresult = "";
       urlresult = "";
    }

    var aElement = document.createElement("A");

    aElement.innerText = displayresult;
    aElement.href = urlresult;

    homepageContainer.appendChild(aElement);
}


function initConnectionStatus()
{

    if (navigator.onLine) //the network connection is connected
    {
        checkConnection.innerText = L_CONNECTION_ON_TEXT;
    }
    else
    {
        checkConnection.innerText = L_CONNECTION_OFF_TEXT;
    }
}

function initGoBack()
{
    //fills in the span container for "back to previous page"
    //Basically, makes "back to previous page" a clickable item IF there's something in the navstack.

    if (history.length < 1)
    {
        //this page is the only thing. Nothing in history.
        var textNode = document.createTextNode(L_GOBACK_TEXT);
        goBackContainer.appendChild(textNode);
    }
    else
    {
        var bElement = document.createElement("A");
        bElement.innerText = L_GOBACK_TEXT ;
        bElement.href = "javascript:history.back();";
        goBackContainer.appendChild(bElement);
    }
}

function initMoreInfo(infoBlockID)
{
    var bElement = document.createElement("A");
    bElement.innerText = L_MOREINFO_TEXT;
    bElement.href = "javascript:expandCollapse(\'infoBlockID\', true);";
    moreInfoContainer.appendChild(bElement);				
}

function initOfflineUser(offlineUserID)
{
    var bElement = document.createElement("A");
    bElement.innerText = L_OFFLINE_USERS_TEXT;
    bElement.href = "javascript:expandCollapse('offlineUserID', true);";
    offlineUserContainer.appendChild(bElement);
}

function initUnframeContent()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        document.all.whatToDoIntro.style.display="block";
        document.all.whatToDoBody.style.display="block";
    }
}

function makeNewWindow()
{
    var location = window.location.href;
    var poundIndex = location.indexOf('#');
    
    if (poundIndex != -1 && poundIndex+1 < location.length && isExternalUrlSafeForNavigation(location.substring(poundIndex+1)))
    {
        window.open(location.substring(poundIndex+1));
    }
}

function setTabInfo(tabInfoBlockID)
{
    //removes the previous tabInfo text
    var bPrevElement = document.getElementById("tabInfoTextID");
    var bPrevImage   = document.getElementById("tabInfoBlockIDImage");

    if (bPrevElement != null)
    {
        tabInfoContainer.removeChild(bPrevElement);
    }

    if (bPrevImage != null)
    {
        tabImageContainer.removeChild(bPrevImage);
    }

    var bElement = document.createElement("A");
    var bImageElement = document.createElement("IMG");

    var ecBlock = document.getElementById(tabInfoBlockID);

    //determines if the block is closed
    if ((ecBlock != undefined && ecBlock != null) &&
        (ecBlock.currentStyle.display == "none" || ecBlock.currentStyle.display == null || ecBlock.currentStyle.display == ""))
    {
        bElement.innerText = L_SHOW_HOTKEYS_TEXT;
        bImageElement.alt = L_SHOW_HOTKEYS_TEXT;
        bImageElement.src="down.png";
    }
    else
    {
        bElement.innerText = L_HIDE_HOTKEYS_TEXT;
        bImageElement.alt = L_HIDE_HOTKEYS_TEXT;
        bImageElement.src="up.png";
    }

    bElement.id = "tabInfoTextID";
    bElement.href = "javascript:expandCollapse(\'tabInfoBlockID\', false); setTabInfo('tabInfoBlockID');";


    bImageElement.id="tabInfoBlockIDImage";
    bImageElement.border="0";
    bImageElement.className="actionIcon";

    tabInfoContainer.appendChild(bElement);
    tabImageContainer.appendChild(bImageElement);
}

function diagnoseConnection()
{
    window.external.DiagnoseConnection();
}

function diagnoseConnectionAndRefresh()
{
    window.external.DiagnoseConnection();
    if (navigator.onLine) //network connection is connected
    {
        clickRefresh();
    }
}

success 0 0
Feb. 6, 2019, 1:16 a.m.
COleScript_Compile
type: JScript - onload function
script: 
function onload()
{
initMoreInfo('infoBlockID');
}

success 0 0
Feb. 6, 2019, 1:16 a.m.
COleScript_Compile
type: JScript - onclick function
script: 
function onclick()
{
diagnoseConnectionAndRefresh(); return false;
}

success 0 0
Feb. 6, 2019, 1:16 a.m.
COleScript_Compile
type: JScript - onclick function
script: 
function onclick()
{
expandCollapse('infoBlockID', true); return false;
}

success 0 0

Screenshots

No screenshots available.

Network

DNS

Name Response Post-Analysis Lookup
www.bing.com 204.79.197.200
sftpemea.west.com 94.175.244.208

Hosts

No hosts contacted.

Summary

Process iexplore.exe (2316)

  • Opened files

    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\
    • C:\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\Low
    • C:\Users\zamen\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
    • C:\Users\zamen\Favorites\Links for United States\USA.gov.url
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
    • C:\Users\zamen\AppData\Local\
    • C:\Users\zamen\Favorites\MSN Websites\MSN Money.url
    • C:\Users\zamen\Favorites\Microsoft Websites\IE Add-on site.url
    • C:\Users\zamen\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\zamen
    • C:\Users\zamen\Favorites\MSN Websites\MSN Sports.url
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IETldCache\Low\
    • C:\Windows\System32\shell32.dll
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    • C:\Users\zamen\Favorites\Links
    • C:\Program Files\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\
    • C:\Users\zamen\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Web Slice Gallery~.feed-ms
    • C:\Windows\System32\wininet.dll
    • C:\Windows\System32\oleaccrc.dll
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Windows\System32\url.dll
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History
    • C:\Users\zamen\Favorites\Links for United States\
    • C:\Windows\System32\ieframe.dll
    • C:\Program Files\Java\jre1.8.0_111\bin\ssv.dll
    • C:\Users\zamen\AppData\
    • C:\Users\zamen\AppData\Roaming\Microsoft\
    • C:\Users\zamen\Favorites\Windows Live\Windows Live Spaces.url
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
    • C:\Users\zamen\Favorites\Windows Live\Windows Live Gallery.url
    • C:\Users\zamen\Favorites\Microsoft Websites\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\
    • C:\Users\zamen\Favorites\MSN Websites\MSN Autos.url
    • C:\Users\zamen\AppData\Local\Temp
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\
    • C:\Users\zamen\Favorites\Links for United States\GobiernoUSA.gov.url
    • C:\Windows\System32\en-US\MSCTF.dll.mui
    • C:\Users\zamen\Favorites\Links\Web Slice Gallery.url
    • C:\Users\zamen\AppData\Local\Microsoft\
    • C:\Users\zamen\Favorites\Microsoft Websites\Microsoft Store.url
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IETldCache
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IECompatCache\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    • C:\Windows\System32\stdole2.tlb
    • C:\Windows\Fonts\staticcache.dat
    • C:\Users\zamen\AppData\Local
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\
    • C:\Users\zamen\Desktop
    • C:\Program Files\Java\jre1.8.0_111\bin\
    • C:\Users\zamen\Favorites\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\PrivacIE
    • C:\Users\zamen\AppData\Local\Microsoft\Feeds Cache\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
    • C:\Users\zamen\AppData\Roaming\Microsoft\Network\Connections\Pbk\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IETldCache\
    • C:\Users\zamen\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
    • C:\Users\zamen\AppData\Roaming\Microsoft
    • C:\Users\zamen\Desktop\desktop.ini
    • C:\Users\zamen\Favorites\Links\
    • C:\Users\zamen\AppData\Roaming
    • C:\Windows\System32\en-US\urlmon.dll.mui
    • C:\Users\zamen\Favorites\Windows Live\
    • C:\Users\
    • C:\Users\zamen\Favorites\Links\desktop.ini
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IECompatCache\Low\
    • C:\Users
    • C:\Users\zamen\Favorites\Windows Live\Windows Live Mail.url
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\Low\
    • C:\Users\zamen\AppData\Roaming\
    • C:\Users\desktop.ini
    • C:\Users\zamen\Favorites\Microsoft Websites\Microsoft At Home.url
    • C:\Program Files\Java\jre1.8.0_111\
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Users\zamen\AppData\Local\Temp\Low\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IECompatCache
    • C:\Users\zamen\Favorites\MSN Websites\MSN Entertainment.url
    • C:\Windows\System32\ras\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\Low\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IETldCache\Low
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\PrivacIE\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\
    • C:\Users\zamen\AppData\Local\Microsoft
    • C:\Users\zamen\Favorites\Microsoft Websites\IE site on Microsoft.com.url
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies
    • C:\Users\zamen\AppData\Local\Microsoft\Windows
    • C:\Users\zamen\Favorites
    • C:\Program Files\Java\jre1.8.0_111\bin\jp2ssv.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\Low
    • C:\Users\zamen\AppData
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\
    • C:\Users\zamen\Favorites\MSN Websites\
    • C:\Users\zamen\Favorites\Microsoft Websites\Microsoft At Work.url
    • C:\Users\zamen\AppData\Local\Temp\
    • C:\Users\zamen\Favorites\MSN Websites\MSN.url
    • C:\Users\zamen\Favorites\MSN Websites\MSNBC News.url
    • C:\Users\zamen\AppData\Local\Microsoft\Feeds Cache\index.dat
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
    • C:\Users\zamen\Favorites\desktop.ini
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\PrivacIE\Low\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files
    • C:\Users\zamen\AppData\Local\Temp\Low
    • C:\Users\zamen\Favorites\Windows Live\Get Windows Live.url
    • C:\Users\zamen\

  • Written files

    • C:\Users\zamen\AppData\Local\Temp\~DF78591C720D7F9597.TMP
    • C:\Users\zamen\AppData\Local\Temp\~DF314E77333919DBF9.TMP
    • C:\Users\zamen\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F79A3D6-29D6-11E9-B036-0050569395D7}.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F79A3D5-29D6-11E9-B036-0050569395D7}.dat

Process iexplore.exe (2316)

Process iexplore.exe (2316)

Process iexplore.exe (2316)

Process iexplore.exe (2316)

  • Processes created

    • "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2316 CREDAT:79873

  • DLLs Loaded

    • IEFRAME.dll
    • C:\Windows\System32\fwpuclnt.dll
    • sensapi.dll
    • urlmon.dll
    • propsys.dll
    • C:\Windows\System32\mswsock.dll
    • apphelp.dll
    • CRYPT32.dll
    • rasadhlp.dll
    • Shell32.dll
    • kernel32.dll
    • comdlg32.dll
    • CRYPTBASE.dll
    • C:\Windows\System32\wshtcpip.dll
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • NTDLL.DLL
    • shlwapi.dll
    • C:\Windows\system32\napinsp.dll
    • iphlpapi
    • ntmarta.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • C:\Program Files\Internet Explorer\ieproxy.dll
    • PROPSYS.dll
    • USP10.dll
    • WININET.dll
    • C:\Windows\System32\wship6.dll
    • dnsapi
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • msfeeds.dll
    • SspiCli.dll
    • ole32.dll
    • CRYPTSP.dll
    • USER32.dll
    • IMM32.dll
    • C:\Program Files\Internet Explorer\sqmapi.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • C:\Windows\system32\pnrpnsp.dll
    • RASMAN.DLL
    • msctf.dll
    • rtutils.dll
    • IPHLPAPI.DLL
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • wininet.dll
    • SHELL32.DLL
    • C:\Windows\system32\xmllite.dll
    • RASAPI32.dll
    • OLEAUT32.dll
    • profapi.dll
    • SHELL32.dll
    • RPCRT4.dll
    • DNSAPI.dll
    • C:\Windows\System32\winrnr.dll
    • IEUI.dll
    • comctl32.dll
    • C:\Windows\system32\oleaut32.dll
    • C:\Windows\system32\NLAapi.dll
    • C:\Windows\system32\IEUI.dll
    • VERSION.dll
    • ws2_32
    • MLANG.dll
    • UXTHEME.DLL
    • UxTheme.dll
    • Normaliz.dll
    • C:\Windows\system32\mswsock.dll
    • SXS.DLL
    • ADVAPI32.dll
    • rpcrt4.dll
    • advapi32
    • SETUPAPI.dll
    • WS2_32.dll
    • C:\Windows\system32\MSCTF.dll
    • user32.dll
    • MSIMG32.dll
No static analysis available.
No antivirus signatures available.

Process Tree

iexplore.exe, PID: 2316, Parent PID: 2292

default registry file network process services synchronisation iexplore office pdf

iexplore.exe, PID: 2460, Parent PID: 2316

default registry file network process services synchronisation iexplore office pdf

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.109 52096 192.168.128.111 53
192.168.128.109 60112 192.168.128.111 53
192.168.128.109 64209 192.168.128.111 53
192.168.128.109 137 192.168.128.255 137
192.168.128.109 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name a4489c998d58ce68_{9f79a3d6-29d6-11e9-b036-0050569395d7}.dat
Download Submit file
Filepath C:\Users\zamen\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{9F79A3D6-29D6-11E9-B036-0050569395D7}.dat
Size 4.5KB
Processes 2316 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 906fe226d1ede7adff98419c676eff80
SHA1 d9a871b51fbe94806f02da6eb121a429031f6710
SHA256 a4489c998d58ce68ed7afce286aafd64d8820ce4a3dc69e90f24ac599f20bade
CRC32 F5DA9B7D
ssdeep 12:rlfFXtrrEgmfR16FVbYrEgmfN1qjNlYfOD+/Nl089iDjoIu2A1qSh:r7hGUYGgNljsNl08iDcGAf
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Name b079383c400a7c3d_recoverystore.{9f79a3d5-29d6-11e9-b036-0050569395d7}.dat
Download Submit file
Filepath C:\Users\zamen\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9F79A3D5-29D6-11E9-B036-0050569395D7}.dat
Size 3.5KB
Processes 2316 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 aa4289f170561f7027686601a7dbd6bd
SHA1 396aba5009698bfc5f3c170f75639ea69bcc0212
SHA256 b079383c400a7c3d63ec40a4dd3bdb56be5da467f7566180b9ae3c870f1e5c82
CRC32 64BE150A
ssdeep 12:rl0YmGF2hDOrEg5+IaCrI017+F0sDrEgmf+IaCy8qgQNlTqni:rI85/7YGv/TQNlWni
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 1234
Mongo ID 5c5ac2ea11d30812ab71f47b
Cuckoo release 2.0-dev