'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2016-10-26 16:50:06.337087 2016-10-26 16:52:29.969383 143 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo2 win7 Clone 2 VirtualBox 2016-10-26 16:50:06 2016-10-26 16:52:29

File Details

File name bdc8720acb0fe025214ba272e7ae8d493d0c8677.exe
File size 990464 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 4BB4BB93
MD5 12198664e043248b3223d360aa36cc1d
SHA1 bdc8720acb0fe025214ba272e7ae8d493d0c8677
SHA256 2ab8c19df84bb9d0a1e985915412b925f223ffb3b7cdbf40e4bb5848f073c798
SHA512 6087836c422b8926f88972f376d871f7a6b3b62bd6c7b433913bae4e936c1316e2a3ec7eb507352de55956a036e500c6c6533a5e9bb56a224f5d18b95c5ad939
Ssdeep 24576:WFNOuGQRVjv+FLVX7bs8wg9yNTqfOOsA60KjvX1jErMf:wYrQRpv+/3vI2xKjdwe
PEiD
  • UPX 2.93 - 3.00 [LZMA] -> Markus Oberhumer, Laszlo Molnar & John Reiser
Yara
  • Str_Win32_Winsock2_Library (Match Winsock 2 API library declaration)
  • Str_Win32_Wininet_Library (Match Windows Inet API library declaration)
VirusTotal Permalink
VirusTotal Scan Date: 2016-10-25 06:28:39
Detection Rate: 1/56 (Expand)

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=4, VT[1477500759]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

antivm_memory_available details
antivm_network_adapters details
packer_upx details
antivm_generic_disk details

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Opened
  • C:\
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ProductOptions
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Webroot Software
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
  • HKEY_LOCAL_MACHINE\Software\WRData\Ecom
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinPE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{1FCC574F-AFA2-4432-9EF1-79CA7BA73431}_is1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\Software\webroot
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\WRData\Sensor
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{B4B5AD48-8D34-41D3-BD8A-8A10BD9BDED3}_is1
  • HKEY_LOCAL_MACHINE\Software\SpySweeper
  • HKEY_CURRENT_USER\Software\WRData
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{5AE68DC3-F16E-457D-947A-092D614C7ABD}_is1
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{76F8CB2B-6516-4E1E-B6F1-AED4ABDB4B0A}_is1
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{846EE342-7039-11DE-9D20-806E6F6E6963}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{22E9CF2B-4063-4dab-A251-93FA46F7DECC}_is1
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\bdc8720acb0fe025214ba272e7ae8d493d0c8677.exe
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
  • HKEY_LOCAL_MACHINE\Software\WRData
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpScopeId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\ScopeId
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseEdns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheTtl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateSecurityLevel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterAdapterName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UpdateSecurityLevel
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastResponderFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQueryTimeouts
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenDefaultServers
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\CacheAllCompartments
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\DisableAdapterDomainName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterReverseLookup
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationTtl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\FilterClusterIp
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\SearchList
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseDomainNameDevolution
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseNewRegistration
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCachedSockets
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DowncaseSpnCauseApiOwnerIsTooLazy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\UseDomainNameDevolution
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationTTL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderMaxTimeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ProductOptions\ProductSuite
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsSecureNameQueryFallback
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\EnableMulticast
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CloneTimeStampFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxCacheSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\RegistrationEnabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistration
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\RegisterAdapterName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenBadTlds
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationEnabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationOverwrite
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\EnableMulticast
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterPrimaryName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UpdateTopLevelDomainZones
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryAdapterName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\EnableDAForAllNetworks
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableDns
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationMaxAddressCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DnsQuickQueryTimeouts
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\NodeType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableAdapterDomainName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AllowUnqualifiedQuery
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQuickQueryTimeouts
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\PrioritizeRecordData
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseHostsFile
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsQueryTimeouts
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\QueryAdapterName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\UseCompartments
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\DhcpNodeType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\MaxNumberOfAddressesToRegister
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegistrationRefreshInterval
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AddrConfigControl
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\RegisterWanAdapters
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DynamicServerQueryOrder
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\NetBT\Parameters\EnableProxy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\Domain
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ScreenUnreachableServers
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableReverseAddressRegistrations
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableWanDynamicUpdate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\RegistrationMaxAddressCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AdapterTimeoutLimit
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Interfaces\{87979D8F-DBB2-48D6-A984-D5B3AF417131}\DhcpDomain
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\WaitForNameErrorOnAll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\DisableDynamicUpdate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DomainNameDevolutionLevel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DnsTest
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\AllowUnqualifiedQuery
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ResolverRegistrationOnly
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\ServerPriorityTimeLimit
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\QueryIpMatching
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MaxNegativeCacheTtl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\MulticastSenderFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\DirectAccessQueryOrder
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Dnscache\Parameters\AppendToMultiLabelName
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\PrioritizeRecordData
Registry Key-Written
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\webroot\initialOSBuildNumber
Mutex-Accessed
  • Global\WRGUI_1

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Users\Harry Dresden\AppData\Local\Temp\bdc8720acb0fe025214ba272e7ae8d493d0c8677.exe" PID: 2816, Parent PID: 5508

Volatility

Nothing to display.