URL Details

URL
http://wnxelsiizfsa.com/

Score

This url appears fairly benign with a score of 0.6 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Category: URL
Started: March 6, 2019, 6:50 a.m.
Completed: March 6, 2019, 6:56 a.m.
Duration: 349 seconds

Machine

Name: winxpsp3pro32
Label: winxpsp3pro32
Started On: 2019-03-06 06:50:28
Shutdown On: 2019-03-06 06:56:15

Analyzer Log

2019-03-06 03:50:25,015 [analyzer] DEBUG: Starting analyzer from: C:\vmhuxzxiq
2019-03-06 03:50:25,046 [analyzer] DEBUG: Pipe server name: \\.\PIPE\VILiuOyPotWBzyXlVbfUNLrzICCguLtM
2019-03-06 03:50:25,046 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\BVYdYuutAgMmVWxzldxtQubM
2019-03-06 03:50:27,171 [analyzer] DEBUG: Started auxiliary module Disguise
2019-03-06 03:50:27,328 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-03-06 03:50:27,328 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-03-06 03:50:27,390 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-03-06 03:50:27,390 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-03-06 03:50:27,390 [analyzer] DEBUG: Started auxiliary module Human
2019-03-06 03:50:27,390 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-03-06 03:50:27,390 [analyzer] DEBUG: Started auxiliary module Reboot
2019-03-06 03:50:27,750 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-03-06 03:50:27,750 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-03-06 03:50:28,046 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files\\Microsoft Office\\Office12\\WINWORD.EXE' with arguments ['http://wnxelsiizfsa.com/'] and pid 1092
2019-03-06 03:50:28,108 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-03-06 03:50:28,108 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-03-06 03:50:28,171 [analyzer] DEBUG: Loaded monitor into process with pid 1092
2019-03-06 03:50:29,500 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
2019-03-06 03:50:30,750 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Application Data\Microsoft\Office\MSO1033.acl
2019-03-06 03:50:31,125 [analyzer] INFO: Added new file to list with pid 1092 and path \Device\NamedPipe\lsass
2019-03-06 03:50:31,280 [analyzer] INFO: Added new file to list with pid 1092 and path \Device\NamedPipe\ROUTER
2019-03-06 03:50:46,828 [analyzer] CRITICAL: Encountered an unknown process while in monitoring mode: /S /C {BDEADF00-C265-11D0-BCED-00A0C90AB50F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401!
2019-03-06 03:50:46,875 [analyzer] INFO: Injected into process with pid 1996 and name u'verclsid.exe'
2019-03-06 03:50:46,967 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-03-06 03:50:46,967 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-03-06 03:50:47,125 [analyzer] DEBUG: Loaded monitor into process with pid 1996
2019-03-06 03:50:49,015 [lib.api.process] INFO: Memory dump of process with pid 1996 completed
2019-03-06 03:50:49,092 [analyzer] INFO: Process with pid 1996 has terminated
2019-03-06 03:51:20,592 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
2019-03-06 03:51:20,703 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
2019-03-06 03:51:21,765 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\6CC51E40.gif
2019-03-06 03:51:21,890 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\4500941.gif
2019-03-06 03:51:22,015 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{3B477591-762E-48C0-80A2-2B85E6884D25}.tmp
2019-03-06 03:51:22,092 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{6D3E43DF-DF3F-4481-BE05-05617AD85C17}.tmp
2019-03-06 03:51:22,108 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\3195E4E.gif
2019-03-06 03:51:22,171 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{8EA805C2-F072-4483-8CD3-FC4197F27E20}.tmp
2019-03-06 03:51:22,233 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\797ADDF7.gif
2019-03-06 03:51:22,312 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\CCCCAF8C.gif
2019-03-06 03:51:22,608 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\1902B21D.jpeg
2019-03-06 03:51:22,640 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\mso1.tmp
2019-03-06 03:51:22,655 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\mso2.tmp
2019-03-06 03:51:25,608 [analyzer] INFO: Added new file to list with pid 1092 and path C:\Documents and Settings\zamen\Application Data\Microsoft\UProof\CUSTOM.DIC
2019-03-06 03:54:27,140 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-03-06 03:55:29,421 [analyzer] INFO: Added new file to list with pid 1092 and path \Device\NamedPipe\wkssvc
2019-03-06 03:55:34,546 [lib.api.process] INFO: Memory dump of process with pid 1092 completed
2019-03-06 03:55:34,546 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-03-06 03:55:34,562 [lib.api.process] INFO: Successfully terminated process with pid 1092.
2019-03-06 03:55:34,562 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\lsass'" does not exist, skip.
2019-03-06 03:55:34,562 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\router'" does not exist, skip.
2019-03-06 03:55:34,592 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\6cc51e40.gif'" does not exist, skip.
2019-03-06 03:55:34,592 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\797addf7.gif'" does not exist, skip.
2019-03-06 03:55:34,592 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\ccccaf8c.gif'" does not exist, skip.
2019-03-06 03:55:34,592 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\3195e4e.gif'" does not exist, skip.
2019-03-06 03:55:34,608 [analyzer] INFO: Error dumping file from path "c:\documents and settings\zamen\local settings\temporary internet files\content.mso\mso2.tmp": [Errno 13] Permission denied: u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\mso2.tmp'
2019-03-06 03:55:34,625 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\1902b21d.jpeg'" does not exist, skip.
2019-03-06 03:55:34,625 [analyzer] INFO: Error dumping file from path "c:\documents and settings\zamen\local settings\temporary internet files\content.mso\mso1.tmp": [Errno 13] Permission denied: u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\mso1.tmp'
2019-03-06 03:55:34,625 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\wkssvc'" does not exist, skip.
2019-03-06 03:55:34,655 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\local settings\\temporary internet files\\content.mso\\4500941.gif'" does not exist, skip.
2019-03-06 03:55:34,655 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-03-06 06:50:28,455 [lib.cuckoo.core.scheduler] INFO: Task #1383: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-03-06 06:50:28,484 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 2188 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/1383/dump.pcap)
2019-03-06 06:50:53,813 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-03-06 06:56:13,751 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-03-06 06:56:14,033 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-03-06 06:57:39,143 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-03-06 06:57:41,040 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f296d90>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:41,040 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f296250>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:41,041 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f296d10>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:41,042 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f296e90>: Failed to establish a new connection: [Errno 111] Connection refused
2019-03-06 06:57:41,043 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f296e90>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f296e90>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)
cve CVE-2013-3906

Network

DNS

Name Response Post-Analysis Lookup
wnxelsiizfsa.com
javadl-esd-secure.oracle.com 23.14.119.135

Hosts

No hosts contacted.

Summary

Process WINWORD.EXE (1092)

  • Opened files

    • C:\Program Files\Microsoft Office\Office12\1033\MSO.ACL
    • C:\Documents and Settings\zamen\Cookies\
    • C:\
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\1902B21D.jpeg
    • C:\Program Files\Microsoft Office\Office12\Document Parts\1033\Building Blocks.dotx
    • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
    • C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Connections\Pbk\
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\
    • c:\AUTOEXEC.BAT
    • C:\Program Files\Microsoft Office\Office12\ID_00030.DPC
    • C:\Documents and Settings\zamen\Application Data\Microsoft\
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO
    • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\OPA12.BAK
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\
    • C:\WINDOWS\system32\ras\
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\0SKK3S0I\PYFATJCU\Offline\
    • C:\WINDOWS\system32\shell32.dll
    • C:\Program Files\Microsoft Office\Office12\Document Parts\
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word
    • C:\Program Files\Microsoft Office\Office12\MSPUB.EXE
    • C:\Documents and Settings\zamen\Cookies\index.dat
    • C:\Documents and Settings\zamen\Application Data\Microsoft\UProof\CUSTOM.DIC
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
    • C:\Documents and Settings\zamen\Application Data\desktop.ini
    • C:\Program Files\Messenger\msmsgs.exe
    • C:\Documents and Settings\zamen\
    • \\?\PIPE\lsarpc
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.IE5\
    • C:\Documents and Settings\All Users\Documents\desktop.ini
    • C:\Program Files\Common Files\System\ado\msadox.dll
    • C:\Program Files\Microsoft Office\Office12\
    • C:\Program Files\Microsoft Office\Office12\STARTUP\
    • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
    • \\?\PIPE\ROUTER
    • C:\Documents and Settings\zamen\My Documents\desktop.ini
    • C:\WINDOWS\system32\wininet.dll
    • C:\Program Files\Common Files\Microsoft Shared\
    • C:\WINDOWS\system32\imm32.dll
    • C:\WINDOWS\Registration\R000000000007.clb
    • C:\WINDOWS\AppPatch\sysmain.sdb
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\797ADDF7.gif
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\6CC51E40.gif
    • C:\WINDOWS\system32\urlmon.dll
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\3195E4E.gif
    • C:\Documents and Settings\
    • C:\Documents and Settings\zamen\Local Settings\History
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\CCCCAF8C.gif
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\0SKK3S0I\PYFATJCU\Offline\0x00000003_R
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\WINDOWS\system32\tapi32.dll
    • C:\WINDOWS\system32
    • C:\Program Files\
    • C:\WINDOWS\system32\oleacc.dll
    • C:\WINDOWS\system32\rpcss.dll
    • C:\Documents and Settings\All Users\
    • C:\WINDOWS\system32\mlang.dll
    • C:\Program Files\Microsoft Office\Office12\WORD.PIP
    • C:\Program Files\Common Files\Microsoft Shared\Web Folders\MSONSEXT.DLL
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
    • \\?\PIPE\wkssvc
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&1435b2e2&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Documents and Settings\zamen\Local Settings\History\History.IE5\
    • C:\Documents and Settings\zamen\Application Data\
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Proof\
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Word\STARTUP\
    • C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
    • C:\Program Files\Microsoft Office\Office12\Document Parts\1033\
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Microsoft\Office\
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Templates\
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\4500941.gif
    • C:\Documents and Settings\zamen\Local Settings\History\History.IE5\index.dat
    • C:\Program Files\Common Files\Microsoft Shared\Web Folders\
  • Written files

    • C:\Documents and Settings\zamen\Application Data\Microsoft\Office\MSO1033.acl
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\1902B21D.jpeg
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\mso1.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{8EA805C2-F072-4483-8CD3-FC4197F27E20}.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{6D3E43DF-DF3F-4481-BE05-05617AD85C17}.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\6CC51E40.gif
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{3B477591-762E-48C0-80A2-2B85E6884D25}.tmp
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\3195E4E.gif
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
    • \\?\PIPE\lsarpc
    • C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\mso2.tmp
    • \\?\PIPE\wkssvc
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\CCCCAF8C.gif
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\4500941.gif
    • C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
    • C:\Documents and Settings\zamen\Application Data\Microsoft\UProof\CUSTOM.DIC
    • C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.MSO\797ADDF7.gif
    • \\?\PIPE\ROUTER

Process verclsid.exe (1996)

  • Registry keys read

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Process WINWORD.EXE (1092)

  • Processes created

    • /S /C {BDEADF00-C265-11D0-BCED-00A0C90AB50F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
  • DLLs Loaded

    • C:\WINDOWS\system32\IMM32.DLL
    • C:\WINDOWS\system32\SHELL32.dll
    • C:\WINDOWS\System32\mswsock.dll
    • RASAPI32.DLL
    • urlmon.dll
    • C:\WINDOWS\system32\ADVAPI32.DLL
    • DNSAPI.dll
    • C:\Program Files\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
    • kernel32.dll
    • UxTheme.dll
    • gdi32.DLL
    • netapi32.dll
    • C:\WINDOWS\System32\wshtcpip.dll
    • ntdll.dll
    • C:\WINDOWS\system32\normaliz.dll
    • shlwapi.dll
    • C:\WINDOWS\system32\msv1_0.dll
    • C:\Program Files\Microsoft Office\Office12\msproof6.dll
    • C:\WINDOWS\system32\kernel32.dll
    • C:\WINDOWS\system32\mswsock.dll
    • USERENV.dll
    • URLMON.DLL
    • rasadhlp.dll
    • wsock32
    • wwlib.dll
    • WININET.dll
    • C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\msonpui.dll
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Program Files\Microsoft Office\Office12\wwlib.dll
    • UxTheme.DLL
    • OLE32
    • OLEAUT32.DLL
    • C:\WINDOWS\system32\KERNEL32.DLL
    • version.dll
    • advapi32.dll
    • Secur32.dll
    • ole32.dll
    • C:\WINDOWS\system32\uxtheme.dll
    • C:\Program Files\Common Files\Microsoft Shared\office12\riched20.dll
    • Comctl32.dll
    • WTSAPI32.DLL
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • IMM32.dll
    • RASMAN.DLL
    • MSO.dll
    • C:\Program Files\Microsoft Office\Office12\1033\wwintl.dll
    • RTUTILS.DLL
    • VERSION.DLL
    • WININET.DLL
    • C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
    • shell32.dll
    • Kernel32.DLL
    • uxtheme.dll
    • secur32.dll
    • Winspool.DRV
    • sensapi.dll
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
    • SHELL32.dll
    • C:\Program Files\Microsoft Office\Office12\MSOHEV.DLL
    • SHLWAPI.DLL
    • mlang.dll
    • CLBCATQ.DLL
    • comctl32.dll
    • mso.dll
    • C:\WINDOWS\system32\mscoree.dll
    • NETAPI32.dll
    • hnetcfg.dll
    • C:\WINDOWS\system32\MSCTF.dll
    • appHelp.dll
    • ws2_32
    • HLINK.DLL
    • C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
    • POWRPROF.dll
    • SHELL32.DLL
    • rpcrt4.dll
    • OLE32.DLL
    • SETUPAPI.dll
    • WS2_32.dll
    • OLEAUT32.dll

No static analysis available.
No antivirus signatures available.

Process Tree
WINWORD.EXE, PID: 1092, Parent PID: 1048

verclsid.exe, PID: 1996, Parent PID: 1092

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

Source Source Port Destination Destination Port
192.168.128.102 1057 192.168.128.112 139
192.168.128.102 1060 192.168.128.112 139

UDP

Source Source Port Destination Destination Port
192.168.128.102 1025 192.168.128.111 53
192.168.128.102 137 192.168.128.112 137
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138
192.168.128.112 138 192.168.128.102 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 6e9bd1e5638d48c1_building blocks.dotx
Filepath C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
Size 314.8KB
Processes 1092 (WINWORD.EXE)
Type Microsoft Word 2007+
MD5 89e2626a866bc9a18da185e35228a404
SHA1 4bc5718e114fa9cd2d60af37ba3d58d382ed18da
SHA256 6e9bd1e5638d48c1219c2312b67f2134ff404ab9f9644431df9b3b33ec33de66
CRC32 9DF23CE3
ssdeep 6144:nxl82xfVaZUt2Km7Jh+u0O7Ss5SuSfNaEf1e/PR5Oa52G0jlE0:n78+VamMKicBO7SaSuSx85Oa5CR
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
Name ddf845d734d9e0bf_~wrs{6d3e43df-df3f-4481-be05-05617ad85c17}.tmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{6D3E43DF-DF3F-4481-BE05-05617AD85C17}.tmp
Size 1.5KB
Processes 1092 (WINWORD.EXE)
Type data
MD5 5dffafc1f52d64d60d6ee3d741551205
SHA1 3f58d8f928b9689c0d9144d3a24bdb0867e18a10
SHA256 ddf845d734d9e0bf3460c1f147d64e1459f62b30569aabed053d76f6128aac91
CRC32 77F8762A
ssdeep 3:Nzyxwnml0baZ4PON8DCBPl7l2xllVlzlpDll3/J/jvfllZtLQXZlhlhlhlZ/Z/nW:NmWmG2GW2GJxl2oXlgdRpj4K
Yara None matched
Name 0f93da9d51abb988_~wrs{3b477591-762e-48c0-80a2-2b85e6884d25}.tmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{3B477591-762E-48C0-80A2-2B85E6884D25}.tmp
Size 158.0KB
Processes 1092 (WINWORD.EXE)
Type data
MD5 cb51e13d1c00b6a3c9b812fb70cb06c2
SHA1 7ff0140b540a29e2b8b5866caf0fd3653c3c7713
SHA256 0f93da9d51abb9888c42fd6dc5e7f50e3ac1047f6a03c7a1e9e74d8b2863a6a0
CRC32 215B2F57
ssdeep 1536:fzNr1LyfN1dFtcR/kiXV5pL9PFBHUpN0+l:fJ1YjAIj
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
Name 2d849c741a411570_~wrs{8ea805c2-f072-4483-8cd3-fc4197f27e20}.tmp
Filepath C:\Documents and Settings\zamen\Local Settings\Temporary Internet Files\Content.Word\~WRS{8EA805C2-F072-4483-8CD3-FC4197F27E20}.tmp
Size 1.0KB
Processes 1092 (WINWORD.EXE)
Type data
MD5 0d855a25d9bb7039958259ee8e64c4e1
SHA1 da98de7b61d71d6d7674eb1daca1726f905b88c9
SHA256 2d849c741a4115706c678d12f51f7969368c0010c6b7679aa9e1cb6bc658bf83
CRC32 CA3CBC77
ssdeep 24:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNwwNpueHUqe:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNw7
Yara None matched
Name c682b438a9becd6b_mso1033.acl
Filepath C:\Documents and Settings\zamen\Application Data\Microsoft\Office\MSO1033.acl
Size 36.9KB
Processes 1092 (WINWORD.EXE)
Type data
MD5 31ac804577f3f2208aa40cb4da0cd769
SHA1 74d8e403f426fa175acfd7f8235ab409b7cdaa71
SHA256 c682b438a9becd6bcf81e5ead656c0aac6430a4618d7c681d823b7977c4c5da0
CRC32 17A51397
ssdeep 768:fatNbFeZKdogeyHMOeYhYVi+iOFOwbPXdEma1b:u/eLAhYVzbw
Yara None matched
Name 62c1549ff1c3c8ae_~$ilding blocks.dotx
Filepath C:\Documents and Settings\zamen\Application Data\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
Size 162.0B
Processes 1092 (WINWORD.EXE)
Type data
MD5 5296e67d77ed7a46d433e2626e1c83fc
SHA1 34751a816a240a5c49e15900fe6921c78b0242d6
SHA256 62c1549ff1c3c8ae4e6662f63732962f6b04819bf48a93ff43cbb1e574565618
CRC32 2ED24C7C
ssdeep 3:fBplxl/Zlxl//TSltll:fJ3DWX
Yara None matched
Name b3d510ef04275ca8_custom.dic
Filepath C:\Documents and Settings\zamen\Application Data\Microsoft\UProof\CUSTOM.DIC
Size 2.0B
Processes 1092 (WINWORD.EXE)
Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
ssdeep 3:Qn:Qn
Yara None matched
Name 3d5bc0c3c759609b_opa12.dat
Filepath C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa12.dat
Size 8.0KB
Processes 1092 (WINWORD.EXE)
Type data
MD5 0e7e24ed21bd5da96b0d882d5a043ad4
SHA1 543bba04369e50dfb74d27d24e1069810a5707ea
SHA256 3d5bc0c3c759609b3637e8efb7508600ec8a175e601779916097537c80092f2d
CRC32 E4BF56FA
ssdeep 192:12xaaUyse71abxl0fatpNnxa/2WvVJBZHp5isu/dY/tBNLqu5Xw2a:12x3slgatpNnxZGplu1Yte2ba
Yara None matched
Sorry! No dropped buffers.
Task ID 1383
Mongo ID 5c7fb5b511d30812ab72072a
Cuckoo release 2.0-dev