Analysis Details

Category FILE
Started On 2017-05-05 02:45:07.546491
Completed On 2017-05-05 02:47:13.636652
Duration 126 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2017-05-05 02:45:07
Shutdown On 2017-05-05 02:47:13

File Details

File name f5c34affa964f132e4373681a8ad7c016d68b6aa.exe
File size 163328 bytes
File type PE32 executable for MS Windows (GUI) Intel 80386 32-bit
CRC32 D8181511
MD5 99d1503cff471b8e5d3b282a3ccb56b2
SHA1 f5c34affa964f132e4373681a8ad7c016d68b6aa
SHA256 7035a7b85f3f13f5d6ae8a049dcb75c3c63f8a45a98839304be58c803dba226f
SHA512 7ad89b76a0c41d4bb3c77074a3d9573b3139795f4d15a697d11be5c336085c3eafc9c06b318ebc4752392d5bd0d828464fffaf24f505fa98a74e165e2cd74c8b
Ssdeep 1536:CXNczU8AU7HqPBbL5FPkLXASYMEYPlkXrzEAPg2/4PsXO8:usR7mbL5FmeMKbbg2QPsXv
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1493952441]=0): Snort Events=0, AV Events=0
Total Score=125

Signatures

antivm_memory_available
dumped_buffer
dumped_buffer2
antivm_generic_scsi
injection_runpe

Screenshots

No screenshots available.

Static Analysis

Sections

Resources

Imports

Strings

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Opened
  • C:\
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Disk\Enum
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\Windows\LoadAppInit_DLLs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\KERNELBASE.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\kernel32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\TSUserEnabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\TSAppCompat
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\ntdll.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\f5c34affa964f132e4373681a8ad7c016d68b6aa.exe" PID: 3264, Parent PID: 3308

explorer.exe PID: 1652, Parent PID: 3264

Volatility

Nothing to display.