URL Details

URL
https://1drv.ms/w/s!AhA9Bl0Y0vIzcF2R4Ng25SpmYZg

Score

This URL appears fairly benign with a score of 0.6 out of 10. Note that the sandbox recorded no TCP connections and no HTTP requests for this task (see the Network section), only DNS lookups against the local resolver, so the page behind the link was never actually retrieved; the low score reflects an absence of observed behaviour, not a verdict on the content.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category  Started                  Completed                  Duration     Logs
URL       March 7, 2019, 5 p.m.    March 7, 2019, 5:05 p.m.   281 seconds

Machine

Name     Label    Started On           Shutdown On
win7x32  win7x32  2019-03-07 17:01:00  2019-03-07 17:05:40

Analyzer Log

(Timestamps below come from the guest's clock, which runs eight hours behind the host clock used in the Cuckoo Log: the analyzer starts at 09:00:59 guest time, which the host records as 17:00:59.)

2019-03-07 09:00:59,108 [analyzer] DEBUG: Starting analyzer from: C:\qfxvvi
2019-03-07 09:00:59,108 [analyzer] DEBUG: Pipe server name: \\.\PIPE\wSxfigNrowuoDNURPObZUzVv
2019-03-07 09:00:59,108 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\LQkYGOCXYeLznxshtjomeRBceAuLv
2019-03-07 09:00:59,108 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-03-07 09:00:59,108 [analyzer] INFO: Automatically selected analysis package "ie"
2019-03-07 09:01:03,023 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-07 09:01:03,368 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-07 09:01:03,368 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-07 09:01:03,430 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-03-07 09:01:03,430 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit ncrypt.dll (with timestamp 0x586e85bb)
2019-03-07 09:01:03,430 [analyzer] DEBUG: Loaded monitor into process with pid 476
2019-03-07 09:01:03,430 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-07 09:01:03,446 [analyzer] DEBUG: Started auxiliary module Human
2019-03-07 09:01:03,446 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-07 09:01:03,446 [analyzer] DEBUG: Started auxiliary module Reboot
2019-03-07 09:01:03,726 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-07 09:01:03,726 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-07 09:01:03,928 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Internet Explorer\\iexplore.exe' with arguments ['https://1drv.ms/w/s!AhA9Bl0Y0vIzcF2R4Ng25SpmYZg'] and pid 2860
2019-03-07 09:01:04,709 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-07 09:01:04,709 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-07 09:01:04,895 [analyzer] DEBUG: Loaded monitor into process with pid 2860
2019-03-07 09:01:05,707 [analyzer] DEBUG: Ignoring process "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon!
2019-03-07 09:01:08,312 [analyzer] INFO: Added new file to list with pid 2860 and path \Device\NamedPipe\wkssvc
2019-03-07 09:01:08,750 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{984AA0E0-40FA-11E9-93EF-00505693AED0}.dat
2019-03-07 09:01:08,765 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\~DF5B0AE231FF905FDA.TMP
2019-03-07 09:01:09,217 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{984AA0E2-40FA-11E9-93EF-00505693AED0}.dat
2019-03-07 09:01:09,217 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\~DFEA2D25647D0D671B.TMP
2019-03-07 09:01:09,326 [analyzer] DEBUG: Following legitimate iexplore process: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2!
2019-03-07 09:01:09,374 [analyzer] INFO: Injected into process with pid 3040 and name u'iexplore.exe'
2019-03-07 09:01:09,483 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-07 09:01:09,483 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x56eb2fb8)
2019-03-07 09:01:09,545 [analyzer] DEBUG: Loaded monitor into process with pid 3040
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2019-03-07 09:01:09,920 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit MSHTML.dll (with timestamp 0x58275c38)
2019-03-07 09:01:09,920 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2019-03-07 09:01:24,864 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A3626A86-40FA-11E9-93EF-00505693AED0}.dat
2019-03-07 09:01:24,864 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\~DF9A32ECE7E46787CB.TMP
2019-03-07 09:01:41,993 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\Favorites\Links\Suggested Sites.url
2019-03-07 09:01:42,009 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
2019-03-07 09:01:42,196 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
2019-03-07 09:01:42,243 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
2019-03-07 09:01:42,351 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\www4CF6.tmp
2019-03-07 09:01:42,368 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\www4D07.tmp
2019-03-07 09:01:42,382 [analyzer] INFO: Added new file to list with pid 2860 and path C:\Users\admin\AppData\Local\Temp\www4D18.tmp
2019-03-07 09:05:07,023 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-07 09:05:09,489 [lib.api.process] INFO: Memory dump of process with pid 2860 completed
2019-03-07 09:05:32,250 [lib.common.results] ERROR: Exception uploading file c:\users\admin\appdata\local\temp\tmpwqs35z to host: [Errno 9] Bad file descriptor
2019-03-07 09:05:32,250 [lib.api.process] INFO: Memory dump of process with pid 3040 completed
2019-03-07 09:05:32,265 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-07 09:05:32,265 [lib.api.process] INFO: Successfully terminated process with pid 2860.
2019-03-07 09:05:32,265 [lib.api.process] INFO: Successfully terminated process with pid 3040.
2019-03-07 09:05:32,265 [analyzer] INFO: Error dumping file from path "c:\users\admin\appdata\local\temp\~dfea2d25647d0d671b.tmp": [Errno 13] Permission denied: u'c:\\users\\admin\\appdata\\local\\temp\\~dfea2d25647d0d671b.tmp'
2019-03-07 09:05:32,265 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\wkssvc'" does not exist, skip.
2019-03-07 09:05:32,296 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www4d07.tmp'" does not exist, skip.
2019-03-07 09:05:32,342 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\~df5b0ae231ff905fda.tmp'" does not exist, skip.
2019-03-07 09:05:32,358 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\~df9a32ece7e46787cb.tmp'" does not exist, skip.
2019-03-07 09:05:32,358 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www4d18.tmp'" does not exist, skip.
2019-03-07 09:05:32,358 [analyzer] WARNING: File at path "u'c:\\users\\admin\\appdata\\local\\temp\\www4cf6.tmp'" does not exist, skip.
2019-03-07 09:05:32,358 [analyzer] INFO: Analysis completed.

Cuckoo Log

(The upload_max_size warning at 17:05:39 is the host side of the guest's "Bad file descriptor" error while uploading a temp file at 09:05:32 guest time: the result server closed the connection once the upload, most likely a process memory dump, exceeded its configured limit, so the memory dumps stored for this task may be incomplete. The Suricata and ElasticSearch errors that follow are host-side configuration problems, a missing Suricata binary and no Elasticsearch listening on 127.0.0.1:9200, and say nothing about the sample.)

2019-03-07 17:00:59,976 [lib.cuckoo.core.scheduler] INFO: Task #1417: acquired machine win7x32 (label=win7x32)
2019-03-07 17:01:00,003 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 9479 (interface=eth2, host=192.168.128.112, pcap=/opt/cuckoo/storage/analyses/1417/dump.pcap)
2019-03-07 17:01:06,936 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x32, ip=192.168.128.112)
2019-03-07 17:05:39,258 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-03-07 17:05:40,001 [lib.cuckoo.core.guest] INFO: win7x32: analysis completed successfully
2019-03-07 17:06:04,473 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-07 17:06:06,411 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f6e2f10>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-07 17:06:06,412 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
(traceback identical to the one above; the only difference is the HTTPConnection object address, 0x7f937f6e2250)
2019-03-07 17:06:06,413 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
(traceback identical to the one above; object address 0x7f937f6e24d0)
2019-03-07 17:06:06,413 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
(traceback identical to the one above; object address 0x7f937f6e2950)
2019-03-07 17:06:06,414 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f6e2950>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f6e2950>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Internet Explorer creates one or more martian processes (1 event)
cmdline "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2

The single event is the IE content (tab) process that the frame process 2860 spawns for every tab: its SCODEF value is the frame's own PID, and the analyzer log records it as "Following legitimate iexplore process". This signature fires on any IE-based URL task and is not an indicator on its own; it would only matter if the child were something other than a SCODEF-matching iexplore.exe.

Network

Summary

Process iexplore.exe (2860)

  • Opened files

    • C:\
    • C:\Users\admin\AppData\Local\Microsoft
    • C:\Windows\System32\sspicli.dll
    • C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    • C:\Users\admin\Favorites\desktop.ini
    • C:\Windows\System32\en-US\MSCTF.dll.mui
    • C:\Users\admin\Favorites\Microsoft Websites\
    • C:\Users\admin\Favorites\
    • C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
    • C:\Users\admin\AppData\Roaming\Adobe\Flash Player\NativeCache
    • C:\Windows\System32\shell32.dll
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active
    • C:\Program Files\
    • C:\Users\admin\AppData\Local\Microsoft\Windows
    • C:\Users\admin\Favorites\MSN Websites\MSN.url
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
    • C:\Users\admin\Favorites\MSN Websites\
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection
    • C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low
    • C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
    • C:\Users\admin\AppData\Local\Temp\www4D18.tmp
    • C:\Windows\System32\ieframe.dll
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~
    • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\IECompatCache\Low
    • C:\Windows\System32\en-US\IEFRAME.dll.mui
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\DNTException\Low
    • C:\Program Files\Microsoft Office\Office12\
    • C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
    • C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
    • C:\Program Files\Common Files\Adobe\Acrobat\
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\IECompatUACache\Low
    • C:\Users\admin\AppData\Local\Temp\www4CF6.tmp
    • C:\Program Files\Common Files\Adobe\
    • C:\Windows\Fonts\staticcache.dat
    • C:\Users\admin\Favorites\Links\Web Slice Gallery.url
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low
    • C:\Users\admin\AppData\Local\Microsoft\PlayReady
    • C:\Users\admin\Favorites
    • C:\Users\admin
    • C:\Users\admin\AppData\Local\Temp\www4D07.tmp
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low
    • \\?\PIPE\wkssvc
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000002.db
    • C:\Users\admin\AppData\Local\Microsoft\Feeds
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\
    • C:\Users\admin\AppData\Local\Microsoft\Windows\History\desktop.ini
    • C:\Users\admin\Favorites\Links for United States\
    • C:\Users\admin\AppData\Local
    • C:\Users
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized
    • C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
    • C:\Users\desktop.ini
    • C:\Program Files\Common Files\
    • C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Users\admin\Favorites\Links\Suggested Sites.url
    • C:\Users\admin\Favorites\Windows Live\
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
    • C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
    • C:\Users\admin\Favorites\Windows Live\Windows Live Spaces.url
    • C:\Users\admin\AppData\Local\Temp\Low
    • C:\Users\admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\
    • C:\Users\admin\Favorites\Links\desktop.ini
    • C:\Users\admin\Favorites\Links for United States\USA.gov.url
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
    • C:\Users\admin\Desktop\desktop.ini
    • C:\Users\admin\Desktop
    • C:\Windows\System32\en-US\shell32.DLL.mui
    • C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
    • C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
    • C:\Program Files\Microsoft Office\
    • C:\Users\admin\Favorites\Links\
    • C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
    • C:\Users\admin\Favorites\MSN Websites\MSN Money.url
    • C:\Windows\System32\en-US\SETUPAPI.dll.mui
    • C:\Users\admin\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
    • C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
    • C:\Users\admin\AppData
    • C:\Users\admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
  • Written files

    • C:\Users\admin\AppData\Local\Temp\~DFEA2D25647D0D671B.TMP
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
    • C:\Users\admin\Favorites\Links\Suggested Sites.url
    • \\?\PIPE\wkssvc
    • C:\Users\admin\AppData\Local\Temp\www4CF6.tmp
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A3626A86-40FA-11E9-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{984AA0E2-40FA-11E9-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
    • C:\Users\admin\AppData\Local\Temp\www4D18.tmp
    • C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{984AA0E0-40FA-11E9-93EF-00505693AED0}.dat
    • C:\Users\admin\AppData\Local\Temp\~DF5B0AE231FF905FDA.TMP
    • C:\Users\admin\AppData\Local\Temp\~DF9A32ECE7E46787CB.TMP
    • C:\Users\admin\AppData\Local\Temp\www4D07.tmp

  • Processes created

    • "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2
  • DLLs Loaded

    • IEFRAME.dll
    • C:\Windows\System32\mswsock.dll
    • urlmon.dll
    • apphelp.dll
    • CRYPT32.dll
    • DNSAPI.dll
    • C:\Program Files\Internet Explorer\ieproxy.dll
    • kernel32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • CRYPTBASE.dll
    • C:\Windows\system32\ole32.dll
    • RPCRT4.dll
    • dwmapi.dll
    • rasadhlp.dll
    • dhcpcsvc.DLL
    • winhttp.dll
    • ntmarta.dll
    • api-ms-win-downlevel-advapi32-l1-1-0.dll
    • api-ms-win-downlevel-advapi32-l2-1-0.dll
    • C:\Windows\system32\MSCTF.dll
    • PROPSYS.dll
    • NTDLL.DLL
    • WININET.dll
    • msfeeds.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • api-ms-win-downlevel-ole32-l1-1-0.dll
    • Secur32.dll
    • OLEAUT32.DLL
    • MLANG.dll
    • IPHLPAPI.DLL
    • API-MS-WIN-DOWNLEVEL-SHLWAPI-L1-1-0.DLL
    • cryptbase.dll
    • ole32.dll
    • USERENV.dll
    • CRYPTSP.dll
    • USER32.dll
    • IMM32.dll
    • C:\Program Files\Internet Explorer\sqmapi.dll
    • comdlg32.dll
    • NETAPI32.dll
    • SspiCli.dll
    • api-ms-win-downlevel-shell32-l1-1-0.dll
    • USP10.DLL
    • C:\Program Files\Internet Explorer\suspend.dll
    • IEUI.dll
    • WindowsCodecs.dll
    • OLEAUT32.dll
    • profapi.dll
    • SHELL32.dll
    • IEShims.dll
    • C:\Windows\System32\wship6.dll
    • comctl32.dll
    • C:\Windows\system32\oleaut32.dll
    • api-ms-win-core-winrt-string-l1-1-0.dll
    • C:\Windows\system32\IEUI.dll
    • dhcpcsvc6.DLL
    • UxTheme.dll
    • CRYPTBASE.DLL
    • C:\Windows\system32\mswsock.dll
    • api-ms-win-downlevel-shlwapi-l2-1-0.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • user32.dll
    • MSIMG32.dll
No static analysis available.

Antivirus                       Result
CLEAN MX                        Clean Site
DNS8                            Clean Site
VX Vault                        Clean Site
ZDB Zeus                        Clean Site
Tencent                         Clean Site
Netcraft                        Unrated Site
desenmascara_me                 Clean Site
Dr_Web                          Clean Site
PhishLabs                       Unrated Site
Zerofox                         Clean Site
K7AntiVirus                     Clean Site
Virusdie External Site Scan     Clean Site
SCUMWARE_org                    Clean Site
Quttera                         Clean Site
AegisLab WebGuard               Clean Site
MalwareDomainList               Clean Site
ZeusTracker                     Clean Site
zvelo                           Clean Site
Google Safebrowsing             Clean Site
Kaspersky                       Clean Site
BitDefender                     Clean Site
Certly                          Clean Site
G-Data                          Clean Site
C-SIRT                          Clean Site
OpenPhish                       Clean Site
Malware Domain Blocklist        Clean Site
MalwarePatrol                   Clean Site
Trustwave                       Clean Site
Web Security Guard              Clean Site
CyRadar                         Clean Site
ADMINUSLabs                     Clean Site
Malwarebytes hpHosts            Clean Site
Opera                           Clean Site
AlienVault                      Clean Site
Emsisoft                        Clean Site
Malc0de Database                Clean Site
Spam404                         Clean Site
Phishtank                       Clean Site
Malwared                        Clean Site
Avira                           Clean Site
NotMining                       Unrated Site
CyberCrime                      Clean Site
Antiy-AVL                       Clean Site
Forcepoint ThreatSeeker         Clean Site
FraudSense                      Clean Site
malwares_com URL checker        Clean Site
Comodo Site Inspector           Clean Site
Malekal                         Clean Site
ESET                            Clean Site
Sophos                          Unrated Site
Yandex Safebrowsing             Clean Site
SecureBrain                     Clean Site
Nucleon                         Clean Site
Sucuri SiteCheck                Clean Site
Blueliv                         Clean Site
ZCloudsec                       Clean Site
AutoShun                        Unrated Site
ThreatHive                      Clean Site
FraudScore                      Clean Site
Rising                          Clean Site
URLQuery                        Unrated Site
StopBadware                     Unrated Site
Fortinet                        Clean Site
ZeroCERT                        Clean Site
Baidu-International             Clean Site
securolytics                    Clean Site

Process Tree


iexplore.exe, PID: 2860, Parent PID: 2836


  iexplore.exe, PID: 3040, Parent PID: 2860

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.112 49208 192.168.128.111 53
192.168.128.112 49254 192.168.128.111 53
192.168.128.112 50804 192.168.128.111 53
192.168.128.112 51336 192.168.128.111 53
192.168.128.112 51778 192.168.128.111 53
192.168.128.112 52039 192.168.128.111 53
192.168.128.112 52481 192.168.128.111 53
192.168.128.112 53921 192.168.128.111 53
192.168.128.112 56984 192.168.128.111 53
192.168.128.112 58297 192.168.128.111 53
192.168.128.112 58300 192.168.128.111 53
192.168.128.112 62123 192.168.128.111 53
192.168.128.112 62873 192.168.128.111 53
192.168.128.112 63356 192.168.128.111 53
192.168.128.112 63597 192.168.128.111 53
192.168.128.112 137 192.168.128.255 137
192.168.128.112 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts
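The two observations that decide how to read this report, that the one "martian process" in the Signatures section is IE's own tab process and that the Network section shows DNS lookups but no connection, can be checked mechanically instead of by eye. The Python below is an added example written for this page; it is not Cuckoo code and not part of the report. Its inputs (frame PID, the child's command line, the UDP rows) are constructed from the values shown on this page, and the function names and verdict labels are my own.

```python
"""Triage checks for a Cuckoo URL-analysis report.

Added example, not Cuckoo's own code. The sample inputs below are
constructed from the values shown on this report page.
"""
import re

# Internet Explorer 8+ runs one frame process and spawns one content (tab)
# process per tab. The tab's command line carries SCODEF:<frame pid>, which
# is the property we check before accepting a "martian process" event.
# The path group only matches iexplore.exe at the start or after a backslash,
# so "C:\evil_iexplore.exe" is not accepted.
IE_TAB_RE = re.compile(
    r'^"?(?P<path>(?:[^"]*\\)?iexplore\.exe)"?\s+'
    r'SCODEF:(?P<scodef>\d+)\s+CREDAT:(?P<credat>\d+)',
    re.IGNORECASE,
)


def is_ie_tab_process(frame_pid, cmdline):
    """True when cmdline is the IE content (tab) process that frame process
    `frame_pid` is expected to spawn: iexplore.exe whose SCODEF equals the
    frame's PID. Anything else spawned by IE deserves a look."""
    m = IE_TAB_RE.match(cmdline.strip())
    return m is not None and int(m.group("scodef")) == frame_pid


def split_martian_events(frame_pid, cmdlines):
    """Split a signature's 'martian process' command lines into the expected
    IE tab launches and the outliers that actually warrant attention."""
    expected, outliers = [], []
    for c in cmdlines:
        (expected if is_ie_tab_process(frame_pid, c) else outliers).append(c)
    return expected, outliers


def network_verdict(tcp_rows, udp_rows, http_requests):
    """Decide whether the submitted URL was actually retrieved.

    tcp_rows / udp_rows are (src, sport, dst, dport) tuples as in the report's
    TCP and UDP tables; http_requests is the count from the HTTP section.
    """
    dns_queries = sum(1 for _, _, _, dport in udp_rows if dport == 53)
    netbios = sum(1 for _, _, _, dport in udp_rows if dport in (137, 138))
    if http_requests or tcp_rows:
        verdict = "fetched"       # at least one connection left the guest
    elif dns_queries:
        verdict = "dns_only"      # names were looked up, nothing connected
    else:
        verdict = "no_network"
    return {"dns_queries": dns_queries, "netbios_broadcasts": netbios,
            "tcp_connections": len(tcp_rows), "http_requests": http_requests,
            "verdict": verdict}


# Constructed from this report: the one "martian process" event, the empty
# TCP table, the HTTP count and the UDP table.
FRAME_PID = 2860
MARTIAN_EVENTS = [
    r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2860 CREDAT:209921 /prefetch:2',
]
UDP_ROWS = [("192.168.128.112", p, "192.168.128.111", 53) for p in
            (49208, 49254, 50804, 51336, 51778, 52039, 52481, 53921,
             56984, 58297, 58300, 62123, 62873, 63356, 63597)] + [
    ("192.168.128.112", 137, "192.168.128.255", 137),
    ("192.168.128.112", 138, "192.168.128.255", 138),
]
TCP_ROWS = []
HTTP_REQUESTS = 0


def triage():
    """Run both checks against the constructed sample and return the findings."""
    expected, outliers = split_martian_events(FRAME_PID, MARTIAN_EVENTS)
    net = network_verdict(TCP_ROWS, UDP_ROWS, HTTP_REQUESTS)
    return {"expected_ie_children": expected,
            "outlier_children": outliers, **net}


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

For this task the verdict is dns_only with 15 resolver queries, 2 NetBIOS broadcasts and 0 TCP connections, and the one IE child lands in expected_ie_children. A child that is not a SCODEF-matching iexplore.exe (a cmd.exe, or an iexplore.exe whose SCODEF names a different PID) lands in outlier_children, which is the case the signature was written for.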

Dropped Files

All seven files below are Internet Explorer's own housekeeping artefacts (tab recovery stores, the feed database, the Suggested Sites web slice, a pinned-site tile XML and a favourites shortcut), not content downloaded from the submitted URL. The Yara matches are generic: maldoc_OLE_file_magic_number fires on any Compound Document File, contentis_base64 on any base64-looking string, and the PEiD StarForce signature is a PE packer byte pattern that happens to occur inside the feed store, which is not a PE file at all. None of them indicates malicious content here.

Name cea011fee6c17478_feedsstore.feedsdb-ms
Filepath C:\Users\admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms
Size 7.0KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 ebb3bd68246da285d566d8e186fbeaed
SHA1 2688805df6f9fe051e1d82bcd8efd8f247814f6c
SHA256 cea011fee6c17478f8cb764b6c8d8bd5bd3ce4be67f56cc57c81c363ec7032e4
CRC32 71ACDDCC
ssdeep 192:IENLjPHAwjPHaw+1pw+16Z/cASgUbwRwKI3:IENjPHAwjPHaw+1pw+16Z/c3gUbwRBI3
Yara
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Name 0f07848d36e27269_recoverystore.{984aa0e0-40fa-11e9-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{984AA0E0-40FA-11E9-93EF-00505693AED0}.dat
Size 5.5KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 63dfaecff17d3aee0231cc04cb09ed43
SHA1 960d8d8d3d8ea74a566c77698559dc11ea52f6b5
SHA256 0f07848d36e272697748e39580463a23c5009cfa3b3126053618f739a72a5131
CRC32 FBF6660C
ssdeep 24:rZGW/GLFIplXHGo/QCLFIplX19NlWenNLLFIplXFLFIplXyNlWenN:rZGWt3Go45FoWue7W
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Name 06be638e1dc764b5_{a3626a86-40fa-11e9-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A3626A86-40FA-11E9-93EF-00505693AED0}.dat
Size 3.5KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 8e2641219fdf3161436876dd52ece307
SHA1 911cd1257f899f3b20142c5c98bc2b9848a29f4b
SHA256 06be638e1dc764b56535c6337e4b4616e5e16060157dd807cc2fb9e0c68effa7
CRC32 6AEA10D7
ssdeep 12:rlxAFrwsDrEgm8GD7KFRXklXDrEgm8GD7qjNlpQA9dI:rHYG8p0lTG8NNlaAg
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Name 59e9401f60a6acb3_msapplication.xml
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml
Size 385.0B
Processes 2860 (iexplore.exe)
Type XML document text
MD5 da10acbaabb7dc2762ef7ff7ce531ef3
SHA1 ecf5c3b1eb7e6850e09f05f5db5878d9a5889ad4
SHA256 59e9401f60a6acb344506cec2d5a6825aa4350b927a79a2cfcf13fbfc48a01a2
CRC32 57AC966F
ssdeep 12:TMHdNMNxvDGn/jfnWimI00OhJabU5EtMb:2d6NxvC/jfSZ7Paeb
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e3ab045d746a0821_suggested sites.url
Filepath C:\Users\admin\Favorites\Links\Suggested Sites.url
Size 236.0B
Processes 2860 (iexplore.exe)
Type ASCII text, with CRLF line terminators
MD5 11cede0563d1d61930e433cd638d6419
SHA1 366b26547292482b871404b33930cefca8810dbd
SHA256 e3ab045d746a0821cfb0c34aee9f98ce658caab2c99841464c68d49ab2cd85d9
CRC32 2C9F5B4E
ssdeep 6:J254vVG/4xPpuFVm4ADGZslbQKeADGZsuGsW/k2:3VW4x8FVmZDGilMKTDGj7W/k2
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 85377082fd8b3e4a_{984aa0e2-40fa-11e9-93ef-00505693aed0}.dat
Filepath C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{984AA0E2-40FA-11E9-93EF-00505693AED0}.dat
Size 3.5KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 1deac7625490193953f29ce5324cda1c
SHA1 62f5b646d3d8a1431951af3ea33a9c0aeda09283
SHA256 85377082fd8b3e4a98dc3beb820a610426cf7e183840782cf3e2a4ea10c8651f
CRC32 907002AE
ssdeep 12:rl0YmGF5EptOrEgmfu66FIrEgmfu6qwuNlSaJIye3Vk5hEd:rUaGxGxuNlgykgGd
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Name bd69e9d305a8198e_suggested sites~.feed-ms
Filepath C:\Users\admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\WebSlices~\Suggested Sites~.feed-ms
Size 32.0KB
Processes 2860 (iexplore.exe)
Type Composite Document File V2 Document, No summary info
MD5 e720aba8b6f563fcf081c200681f0e2e
SHA1 d4e2a6875fc458137d2f8791a99e7b792ae08d0d
SHA256 bd69e9d305a8198e9a7833a810e5fc183a4d1c5abe9e59b8a64d36bd7df5d7ac
CRC32 A73C2FEA
ssdeep 24:JObf+8Zbf+8z2AC7hbASdtfjOAC7hbASdt:cf+cf+KG7hn+7h
Yara
  • maldoc_OLE_file_magic_number -
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 1417
Mongo ID 5c8195cf11d30812ab7208b8
Cuckoo release 2.0-dev