Category: FILE
Started On: 2017-06-26 18:00:38.889247
Completed On: 2017-06-26 18:03:07.079935
Duration: 148 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2017-06-26 18:00:40
Shutdown On: 2017-06-26 18:03:06

File Details

File name 33b83015ddf53a1ece8b921117239510b6250a00.zip
File size 21456434 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 E0EF61D1
MD5 6bbc89b2c9abe777b8fcafd71b202a21
SHA1 33b83015ddf53a1ece8b921117239510b6250a00
SHA256 3dd32a371ceb116d0b07b178a9ee65d3b9cc7332d717bd0beeaa477993423418
SHA512 5db1fcd8fc7592d63a190ad26c2460069d9bf78a6f64ac0062b4b7a0315d89806dcd0234874eb284abf28898a134c8dcfb22d07aa54e0cbc72cc1ca331bd4cab
Ssdeep 393216:/WsXEq4CQhA1bIKVS9ed9Efnj+QFp4ZgZCDRJYJmvvsw:usXYCH1R09ed06IRZCDssvvsw
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal File not found on VirusTotal
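Before acting on a report, re-derive the fingerprints listed above from the sample you actually hold; a hash that does not match means you are not looking at the file that was analysed. The following Python is an added example, not MetaFlows or Cuckoo code. The zip it builds is a constructed stand-in for the analysed archive (the real sample is not available offline), and the expected values it compares against are the MD5 and SHA1 from the File Details block. It also reads the "version needed to extract" field of the first local file header, which is what the file-type line summarises as "at least v2.0 to extract".

```python
"""Re-derive the File Details fingerprints of a sample before trusting a
report. Added example; not part of the MetaFlows/Cuckoo report."""
import hashlib
import io
import struct
import zipfile
import zlib


def fingerprint(data: bytes) -> dict:
    """Return the digest set the report's File Details block lists.
    CRC32 is rendered as eight upper-case hex digits, as in the report."""
    return {
        "size": len(data),
        "crc32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def zip_min_version(data: bytes):
    """Parse the first local file header (PK\\x03\\x04) and return the
    'version needed to extract' as (major, minor). The low byte encodes
    major*10 + minor, so 20 means 2.0. Returns None when the data does not
    start with a local file header."""
    if len(data) < 6:
        return None
    signature, version_needed = struct.unpack_from("<IH", data, 0)
    if signature != 0x04034B50:
        return None
    return divmod(version_needed & 0xFF, 10)


def verify_against_report(data: bytes, expected: dict) -> list:
    """Compare computed digests with the values a report claims and return
    the names of the fields that disagree (empty list: the sample matches)."""
    actual = fingerprint(data)
    return [k for k, v in expected.items()
            if str(actual.get(k, "")).lower() != str(v).lower()]


def build_sample_zip() -> bytes:
    """Constructed stand-in for the analysed archive: a deflated zip holding
    a placeholder 'install.exe' entry. Not the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("install.exe", b"MZ" + b"\x00" * 62)  # constructed placeholder
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(fingerprint(sample))
    print("version needed to extract:", zip_min_version(sample))
    # Values from the report's File Details block. They will not match the
    # constructed zip, which is the point: a mismatch means a different file.
    print("mismatched fields:", verify_against_report(sample, {
        "md5": "6bbc89b2c9abe777b8fcafd71b202a21",
        "sha1": "33b83015ddf53a1ece8b921117239510b6250a00",
    }))
```

Run it against the real archive by reading the file into `data` and passing the full set of report hashes to `verify_against_report`; ssdeep is left out because it needs a third-party library, and a fuzzy-hash match is not a substitute for an exact one when confirming sample identity.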

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1498500289]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

  • dropper

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

  • d4086db343d26ced_libcomd25.eid
  • 1df9911f2dd5e39b_readme.txt
  • cd8e8e7f9e0096f3_setup.exe
  • 7007280a9241f0e5_history.txt
  • 4e3aab4d1d6f7e34_source.eid
  • 8ace18c76e2f636a_licteam4.eid
  • ed5d3a90f2a6616e_setup.ini
  • 70d04dcbc01c9c95_licent.eid
  • 67346e8173fb955d_shared.eid
  • ff807f7f1b00be7e_licsite.eid
  • 17ff8aa4aa302ba7_licteam8.eid
  • ed6af68878b58ef2_liccom.eid
  • d358a20fc60ee74c_licpro.eid
  • 799c6719e280b2a7_logo.bmp
  • install.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\install.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Logo.bmp
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicEnt.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Logo.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\readme.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd25.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Shared.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicSite.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam8.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicPro.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicCom.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Source.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\history.txt
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicEnt.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\install.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\readme.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd25.eid
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Shared.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Logo.bmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicSite.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam8.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicPro.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicCom.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Source.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\history.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Logo.bmp
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0
Directory-Enumerated
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicEnt.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\install.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd25.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Shared.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\readme.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\*.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Logo.bmp
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicSite.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam8.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicPro.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicCom.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Source.eid
  • C:\Users
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\history.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd12.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd11.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\readme.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComb5.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComb6.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrb5.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd7.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd19.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd5.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd25.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd18.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd9.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd21.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd7.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd9.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd19.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrb6.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd10.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicTeam8.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicSite.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd20.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd5.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd11.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd22.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Source.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicEnt.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd15.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd23.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd22.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd25.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd24.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd20.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd13.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd10.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd6.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicPro.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicCom.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd18.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd17.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd21.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd12.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\licpers.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd6.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd23.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd16.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd24.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Shared.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\history.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\Libcomb4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd13.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrb4.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd16.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibTrd17.eid
  • C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LibComd15.eid
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\install.exe
  • HKEY_LOCAL_MACHINE\Software\Borland\Locales
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Borland\Locales
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\Software\Embarcadero\BDS\19.0\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Borland\Locales
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\setup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders
  • HKEY_CURRENT_USER\Software\Embarcadero\BDS\19.0\
  • HKEY_CURRENT_USER\SOFTWARE\ComponentAce\ZipForge
  • HKEY_CURRENT_USER\Software\Borland\Locales
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_CURRENT_USER\Software\ComponentAce\ZipForge\InstallDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Folders\Common Documents

Processes


  • C:\Windows\system32\lsass.exe (PID 460, Parent PID 364)
  • "C:\Users\Harry Dresden\AppData\Local\Temp\install.exe" (PID 4872, Parent PID 4080)
  • "C:\Users\HARRYD~1\AppData\Local\Temp\ComponentAce_0\setup.exe" (PID 3236, Parent PID 4872)
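The Processes and File-Written sections together are what the dropper verdict rests on: install.exe (PID 4872) writes setup.exe into %TEMP%\ComponentAce_0 and then appears as the parent of a setup.exe process (PID 3236). One detail worth noticing is that the child's command line uses the 8.3 alias HARRYD~1 while the write event uses the long name Harry Dresden, so an exact string comparison of the two paths would not link them. The following Python is an added example that reproduces that signature logic over events transcribed from this report; it is not Cuckoo's signature code. Attributing the write events to PID 4872 is an assumption (the behaviour summary does not say which process made them, but install.exe is the parent of setup.exe), and the 8.3 alias matching is a heuristic that does not consult the filesystem.

```python
"""Reproduce the logic behind a 'dropper' verdict over the events in this
report: a process writes a file to disk and a descendant process later runs
from that path. Added example, not Cuckoo's own signature code."""
import re
from collections import namedtuple

Process = namedtuple("Process", "pid ppid image")
FileWrite = namedtuple("FileWrite", "pid path")

# Events transcribed from the report. Assigning the writes to PID 4872
# (install.exe) is an assumption: the summary does not attribute them per
# process, but install.exe is the parent of the setup.exe process.
PROCESSES = [
    Process(460, 364, r"C:\Windows\system32\lsass.exe"),
    Process(4872, 4080, r"C:\Users\Harry Dresden\AppData\Local\Temp\install.exe"),
    Process(3236, 4872, r"C:\Users\HARRYD~1\AppData\Local\Temp\ComponentAce_0\setup.exe"),
]
FILE_WRITES = [
    FileWrite(4872, r"C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\setup.exe"),
    FileWrite(4872, r"C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\LicEnt.eid"),
    FileWrite(4872, r"C:\Users\Harry Dresden\AppData\Local\Temp\ComponentAce_0\readme.txt"),
]

# An 8.3 alias component: up to six characters, a tilde and a number (HARRYD~1).
SHORT_NAME = re.compile(r"^([^~\\]{1,6})~\d+$")


def same_component(a: str, b: str, alias_aware: bool = True) -> bool:
    """Case-insensitive comparison of one path component. With alias_aware,
    a component such as HARRYD~1 is accepted for a long name whose
    space-stripped upper-case form starts with the alias prefix. This is a
    heuristic (the real mapping lives on the filesystem) and can over-match."""
    if a.lower() == b.lower():
        return True
    if not alias_aware:
        return False
    for short, long in ((a, b), (b, a)):
        m = SHORT_NAME.match(short)
        if m and long.replace(" ", "").upper().startswith(m.group(1).upper()):
            return True
    return False


def same_path(a: str, b: str, alias_aware: bool = True) -> bool:
    """Compare two Windows paths component by component; surrounding quotes
    from a command line are ignored."""
    pa, pb = a.strip('"').split("\\"), b.strip('"').split("\\")
    return len(pa) == len(pb) and all(
        same_component(x, y, alias_aware) for x, y in zip(pa, pb))


def find_droppers(processes, writes, alias_aware: bool = True):
    """Return (writer_pid, dropped_path, executing_pid) for every process
    whose image path was written during the run by one of its ancestors."""
    by_pid = {p.pid: p for p in processes}
    hits = []
    for proc in processes:
        for w in writes:
            if not same_path(w.path, proc.image, alias_aware):
                continue
            ancestor = by_pid.get(proc.ppid)
            while ancestor is not None:  # walk up the process tree
                if ancestor.pid == w.pid:
                    hits.append((w.pid, w.path, proc.pid))
                    break
                ancestor = by_pid.get(ancestor.ppid)
    return hits


if __name__ == "__main__":
    for writer, path, child in find_droppers(PROCESSES, FILE_WRITES):
        print(f"PID {writer} wrote {path}; PID {child} then executed it")
    print("exact-match only:", find_droppers(PROCESSES, FILE_WRITES, alias_aware=False))
```

With alias matching off the same data yields no hit, which is the failure mode to remember when writing your own rules over sandbox or EDR events: normalise paths (short names, case, quoting) before correlating a write with a later execution. As context rather than evidence, the Borland\Locales, Embarcadero\BDS\19.0 and ComponentAce\ZipForge keys in the registry summary are the kind read by Delphi-built executables and by ComponentAce's ZipForge component; they help explain what install.exe is, but they say nothing on their own about whether it is malicious.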

Volatility

Nothing to display.