URL Details

URL
http://nbgomtvneepf.com/

Score

This URL appears fairly benign, with a score of 0.6 out of 10. Read the score in context: the domain never resolved during the run (the DNS table records no response, no hosts were contacted and no TCP connections were made), so what the sandbox scored is Word's start-up behaviour, not any content served from the URL.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category: URL
Started: Dec. 10, 2018, 11:27 a.m.
Completed: Dec. 10, 2018, 11:32 a.m.
Duration: 260 seconds
Logs: see the Analyzer Log and Cuckoo Log sections below

Machine

Name: win7x64
Label: win7x64
Started On: 2018-12-10 11:27:49
Shutdown On: 2018-12-10 11:32:09

Analyzer Log (timestamps are the guest's own clock, which reads 03:27 where the host-side Cuckoo Log below reads 11:27 for the same moment, so the guest runs eight hours behind the host)

2018-12-10 03:27:48,030 [analyzer] DEBUG: Starting analyzer from: C:\mndkwocey
2018-12-10 03:27:48,062 [analyzer] DEBUG: Pipe server name: \\.\PIPE\dKQiwXBnzkxWqCYxoTq
2018-12-10 03:27:48,062 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\DNQnenVzWzVWsTMBzVlN
2018-12-10 03:27:49,950 [analyzer] DEBUG: Started auxiliary module Disguise
2018-12-10 03:27:50,355 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-12-10 03:27:50,355 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-12-10 03:27:50,355 [analyzer] DEBUG: Started auxiliary module Human
2018-12-10 03:27:50,355 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-12-10 03:27:50,355 [analyzer] DEBUG: Started auxiliary module Reboot
2018-12-10 03:27:50,588 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-12-10 03:27:50,588 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-12-10 03:27:50,588 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-12-10 03:27:51,056 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Microsoft Office\\Office12\\WINWORD.EXE' with arguments ['http://nbgomtvneepf.com/'] and pid 2312
2018-12-10 03:27:52,398 [analyzer] DEBUG: Loaded monitor into process with pid 2312
2018-12-10 03:27:54,240 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Temp\65738.od
2018-12-10 03:27:55,706 [analyzer] INFO: Added new file to list with pid 2312 and path C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
2018-12-10 03:27:56,190 [analyzer] DEBUG: Ignoring Office process C:\Windows\splwow64.exe 12288!
2018-12-10 03:27:57,828 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
2018-12-10 03:28:15,049 [analyzer] INFO: Added new file to list with pid 2312 and path \Device\NamedPipe\DAV RPC SERVICE
2018-12-10 03:28:42,194 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
2018-12-10 03:28:42,256 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
2018-12-10 03:28:42,490 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FF4974C.gif
2018-12-10 03:28:42,552 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA1FF6DD.gif
2018-12-10 03:28:42,599 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A7591E1-9691-4DBF-8710-CA28C357E935}.tmp
2018-12-10 03:28:42,661 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{41C14016-5325-41B9-81CF-8716DE5823C2}.tmp
2018-12-10 03:28:42,677 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B90973A.gif
2018-12-10 03:28:42,740 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{20C0EED3-A652-43E7-8C97-60BA08F557E6}.tmp
2018-12-10 03:28:42,802 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A742C9F3.gif
2018-12-10 03:28:42,865 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3961358.gif
2018-12-10 03:28:42,943 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DEC0B79.jpeg
2018-12-10 03:28:42,973 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBF49.tmp
2018-12-10 03:28:42,973 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBF4A.tmp
2018-12-10 03:28:43,753 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2018-12-10 03:31:53,418 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-12-10 03:31:58,630 [lib.common.results] ERROR: Exception uploading file c:\users\zamen\appdata\local\temp\tmphekafo to host: [Errno 9] Bad file descriptor
2018-12-10 03:31:58,644 [lib.api.process] INFO: Memory dump of process with pid 2312 completed
2018-12-10 03:31:58,644 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-12-10 03:31:58,661 [lib.api.process] INFO: Successfully terminated process with pid 2312.
2018-12-10 03:31:58,739 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\d3961358.gif'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\aa1ff6dd.gif'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\msobf49.tmp'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\2ff4974c.gif'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\7b90973a.gif'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\dav rpc service'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\6dec0b79.jpeg'" does not exist, skip.
2018-12-10 03:31:58,864 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\a742c9f3.gif'" does not exist, skip.
2018-12-10 03:31:58,864 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\msobf4a.tmp'" does not exist, skip.
2018-12-10 03:31:58,864 [analyzer] INFO: Analysis completed.
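Nine of the paths the analyzer added to its collection list were reported as "does not exist, skip" once WINWORD.EXE had been terminated (the Content.MSO image cache files and the DAV named pipe), so the dropped-files section further down holds fewer files than the log tracked. The following is an added Python example, not part of this report or of Cuckoo's own code, that reconciles the two kinds of log lines; it embeds a constructed subset of the lines above, and the one quirk it handles is that the warning lines carry a Python repr of the path (lower-cased, backslashes doubled, wrapped in u'...') while the INFO lines carry the raw path.

```python
"""Reconcile "Added new file to list" lines with "does not exist, skip"
warnings from a Cuckoo analyzer log.

Added example, not part of this report or of Cuckoo's own code. LOG is a
constructed subset of the analyzer log above. The warning lines carry a
Python repr of the path (lower-cased, backslashes doubled, wrapped in
u'...'), while the INFO lines carry the raw path, so both are normalised
before comparison.
"""
from __future__ import annotations

import re

LOG = r"""
2018-12-10 03:27:54,240 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Temp\65738.od
2018-12-10 03:28:15,049 [analyzer] INFO: Added new file to list with pid 2312 and path \Device\NamedPipe\DAV RPC SERVICE
2018-12-10 03:28:42,490 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FF4974C.gif
2018-12-10 03:28:43,753 [analyzer] INFO: Added new file to list with pid 2312 and path C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
2018-12-10 03:31:58,661 [lib.api.process] INFO: Successfully terminated process with pid 2312.
2018-12-10 03:31:58,739 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.mso\\2ff4974c.gif'" does not exist, skip.
2018-12-10 03:31:58,848 [analyzer] WARNING: File at path "u'\\device\\namedpipe\\dav rpc service'" does not exist, skip.
"""

ADDED = re.compile(r"INFO: Added new file to list with pid (\d+) and path (.+)$")
SKIPPED = re.compile(r"""WARNING: File at path "u'(.+)'" does not exist, skip\.$""")


def normalise(path: str) -> str:
    """Collapse repr-doubled backslashes and lower-case, so that the raw path
    from an INFO line and the repr'd path from a WARNING line compare equal."""
    return path.replace("\\\\", "\\").lower()


def reconcile(log: str) -> dict[str, list[str]]:
    tracked: list[str] = []    # paths the analyzer intended to collect, in log order
    skipped: set[str] = set()  # paths that were gone when collection ran
    for line in log.strip().splitlines():
        if m := ADDED.search(line):
            tracked.append(normalise(m.group(2)))
        elif m := SKIPPED.search(line):
            skipped.add(normalise(m.group(1)))
    return {
        "collected": [p for p in tracked if p not in skipped],
        "missing": [p for p in tracked if p in skipped],
        # a skip for a path that was never tracked would point at a parsing problem
        "unexpected_skips": sorted(skipped.difference(tracked)),
    }


if __name__ == "__main__":
    for bucket, paths in reconcile(LOG).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On the full log above the same split gives 10 collected paths (65738.od, opa12.dat, MSO1033.acl, the two Building Blocks files, the three ~WRS temp files and CUSTOM.DIC) and 9 missing ones, which matches the dropped-files list at the end of the page. Together with the "Bad file descriptor" upload exception and the host-side "larger than upload_max_size" warning, this is the reason to treat the dropped-files list as partial.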

Cuckoo Log

2018-12-10 11:27:49,274 [lib.cuckoo.core.scheduler] INFO: Task #166: acquired machine win7x64 (label=win7x64)
2018-12-10 11:27:49,299 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 13930 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/166/dump.pcap)
2018-12-10 11:27:53,009 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-12-10 11:32:07,848 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2018-12-10 11:32:09,054 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-12-10 11:32:12,023 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-12-10 11:32:13,235 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f444876e4d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-12-10 11:32:13,236 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-12-10 11:32:13,237 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-12-10 11:32:13,237 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
(each of these three warnings was followed by the same traceback as the first one above, differing only in the HTTPConnection object address, 0x7f444876e050, 0x7f444876e490 and 0x7f444876e6d0, and ending in the same NewConnectionError: Failed to establish a new connection: [Errno 111] Connection refused)
2018-12-10 11:32:13,238 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f444876e6d0>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f444876e6d0>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Libraries known to be associated with a CVE were requested (may be False Positive) (1 event)
cve CVE-2013-3906

This signature keys on a library WINWORD.EXE loaded, not on document content: CVE-2013-3906 is the GDI+ TIFF parsing flaw exploited through Office documents, and the trigger here is presumably the Office graphics library OGL.DLL, which appears under DLLs Loaded. With no DNS answer, no hosts contacted and no TCP traffic, nothing from the URL reached Word, so this hit is the false positive the signature title warns about.

Screenshots

No screenshots available. (The Screenshots auxiliary module was effectively disabled in the guest; the Analyzer Log reports "Python Image Library is not installed, screenshots are disabled".)

Network

DNS

Name: nbgomtvneepf.com
Response: (none recorded)
Post-Analysis Lookup: (none recorded)

Hosts

No hosts contacted.

Summary

Process WINWORD.EXE (2312)

  • Opened files

    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA1FF6DD.gif
    • C:\Windows\AppPatch\sysmain.sdb
    • C:\
    • C:\Windows\SysWOW64\wininet.dll
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A742C9F3.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DEC0B79.jpeg
    • C:\Program Files (x86)\Microsoft Office\Office12\WWLIB.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\1033\Building Blocks.dotx
    • \device\webdavredirector
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Word\STARTUP\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Network\Connections\Pbk\
    • C:\Users\zamen\Desktop\desktop.ini
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FF4974C.gif
    • C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE11\msxml5.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\1033\MSO.ACL
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\
    • C:\Users
    • \??\FDC#GENERIC_FLOPPY_DRIVE#6&3b4c39bd&0&0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
    • C:\Users\zamen\AppData\
    • C:\Users\zamen\AppData\Roaming\Microsoft\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Proof\
    • C:\Users\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
    • C:\ProgramData\Microsoft\OFFICE\DATA\OPA12.BAK
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\
    • C:\Program Files (x86)\Microsoft Office\Office12\
    • C:\Users\zamen\AppData\Roaming
    • C:\Windows\SysWOW64\shell32.dll
    • C:\Windows\WindowsShell.Manifest
    • C:\Users\zamen\AppData\Local\Temp\CVR6D.tmp
    • C:\Windows\SysWOW64\en-US\urlmon.dll.mui
    • C:\Users\zamen
    • C:\Program Files (x86)\Microsoft Office\Office12\EXCEL.EXE
    • C:\Windows\System32\cryptui.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks
    • C:\Users\zamen\AppData\Roaming\
    • C:\Program Files (x86)\Microsoft Office\Office12\STARTUP\
    • C:\Users\desktop.ini
    • C:\Program Files (x86)\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\ProgramData\Microsoft\OFFICE\DATA\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\ID_00030.DPC
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3961358.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\Windows\System32\davhlpr.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\Document Parts\1033\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    • C:\Users\zamen\AppData
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\
    • C:\Windows\SysWOW64\en-US\MSCTF.dll.mui
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Office\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Templates\
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    • C:\Program Files (x86)\Microsoft Office\Office12\MSOHEV.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\MSPUB.EXE
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Program Files (x86)\Microsoft Office\Office12\WORD.PIP
    • C:\Program Files (x86)\Common Files\Microsoft Shared\
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • C:\Windows\Fonts\staticcache.dat
    • C:\Program Files (x86)\Microsoft Office\Office12\OART.DLL
    • C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\RICHED20.DLL
    • C:\Windows\System32\rsaenh.dll
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B90973A.gif
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Cultures\OFFICE.ODF
    • C:\Users\zamen\AppData\Roaming\Microsoft
    • C:\Users\zamen\
    • C:\Windows\System32\ras\
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO
  • Written files

    • C:\Users\zamen\AppData\Local\Temp\65738.od
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3961358.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBF49.tmp
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
    • C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{20C0EED3-A652-43E7-8C97-60BA08F557E6}.tmp
    • C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AA1FF6DD.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{41C14016-5325-41B9-81CF-8716DE5823C2}.tmp
    • \\?\PIPE\DAV RPC SERVICE
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7B90973A.gif
    • C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A7591E1-9691-4DBF-8710-CA28C357E935}.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6DEC0B79.jpeg
    • C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A742C9F3.gif
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\msoBF4A.tmp
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2FF4974C.gif

  • DLLs Loaded

    • netutils.dll
    • API-MS-Win-Security-LSALookup-L1-1-0.dll
    • DNSAPI.dll
    • UxTheme.dll
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\uxtheme.dll
    • MPR.DLL
    • API-MS-WIN-Service-Management-L2-1-0.dll
    • wwlib.dll
    • SspiCli.dll
    • ole32.dll
    • SHLWAPI.dll
    • USER32.dll
    • RASMAN.DLL
    • VERSION.DLL
    • WININET.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\riched20.dll
    • WTSAPI32.DLL
    • C:\Windows\System32\mswsock.dll
    • SHELL32.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSPTLS.DLL
    • C:\Windows\System32\wship6.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\MSOHEV.DLL
    • HLINK.DLL
    • C:\Windows\SysWOW64\KERNEL32.DLL
    • rpcrt4.dll
    • C:\Windows\System32\wshtcpip.dll
    • IMM32.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\1033\wwintl.dll
    • C:\Windows\System32\drprov.dll
    • urlmon.dll
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\1033\MSOINTL.DLL
    • WINSTA.dll
    • kernel32.dll
    • CRYPTBASE.dll
    • Netapi32.DLL
    • C:\Windows\system32\napinsp.dll
    • C:\Windows\system32\apphelp.dll
    • shlwapi.dll
    • URLMON.DLL
    • UxTheme.DLL
    • Comctl32.dll
    • C:\Windows\System32\fwpuclnt.dll
    • rtutils.dll
    • IPHLPAPI.DLL
    • RASAPI32.dll
    • winspool.drv
    • profapi.dll
    • comctl32.dll
    • SETUPAPI.dll
    • C:\Windows\system32\kernel32.dll
    • VERSION.dll
    • RpcRtRemote.dll
    • C:\Program Files (x86)\Microsoft Office\Office12\msproof6.dll
    • Winspool.DRV
    • C:\Program Files (x86)\Common Files\Microsoft Shared\office12\mso.dll
    • C:\Windows\system32\rsaenh.dll
    • Shlwapi.DLL
    • iphlpapi
    • C:\Windows\SysWOW64\ADVAPI32.DLL
    • C:\Windows\syswow64\MSCTF.dll
    • CRYPTSP.dll
    • API-MS-WIN-Service-winsvc-L1-1-0.dll
    • sensapi.dll
    • C:\Windows\system32\normaliz.dll
    • C:\Windows\system32\NLAapi.dll
    • mso.dll
    • ADVAPI32.dll
    • C:\Windows\System32\davclnt.dll
    • WS2_32.dll
    • gdi32.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\OGL.DLL
    • imm32.dll
    • ntmarta.dll
    • C:\Windows\system32\mscoree.dll
    • API-MS-WIN-Service-Management-L1-1-0.dll
    • rasadhlp.dll
    • C:\Windows\System32\ntlanman.dll
    • dnsapi
    • OLEAUT32.DLL
    • C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\MSORES.DLL
    • DwmApi.DLL
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • C:\Windows\system32\pnrpnsp.dll
    • MSO.dll
    • version.dll
    • wininet.dll
    • Kernel32.DLL
    • OLEAUT32.dll
    • RPCRT4.dll
    • SHLWAPI.DLL
    • C:\Windows\System32\winrnr.dll
    • cryptui.dll
    • ws2_32
    • C:\Windows\system32\mswsock.dll
    • SHELL32.DLL
    • Shlwapi.dll
    • Normaliz.dll
No static analysis available.
No antivirus signatures available.

Process Tree

WINWORD.EXE, PID: 2312, Parent PID: 2288 (started by the Cuckoo analyzer with http://nbgomtvneepf.com/ as its only argument; see the Analyzer Log, which also shows the analyzer ignoring C:\Windows\splwow64.exe rather than adding it to the tree)


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

TCP

No TCP connections recorded.

UDP

Source           Source Port  Destination      Destination Port
192.168.128.109  60037        192.168.128.111  53
192.168.128.109  60112        192.168.128.111  53
192.168.128.109  65476        192.168.128.111  53
192.168.128.109  137          192.168.128.255  137
192.168.128.109  138          192.168.128.255  138
192.168.128.109  52096        224.0.0.252      5355

The three port-53 datagrams are the guest's DNS queries to the lab resolver 192.168.128.111 (the only name in the DNS table is nbgomtvneepf.com); with no response recorded and no TCP connections, the URL was never fetched. The remaining rows (NetBIOS name-service and datagram broadcasts on 137/138, LLMNR multicast to 224.0.0.252:5355) are background Windows name-resolution traffic from the guest, not activity attributable to the URL.
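An added Python example, not from the report or from Cuckoo, that sorts the UDP rows above into DNS queries, NetBIOS broadcast and LLMNR multicast chatter, and anything left over, then combines that with the other network facts on this page (empty DNS response column, no hosts contacted, no TCP) into a single "was the URL fetched" flag. The guest address comes from the Cuckoo Log; the /24 subnet used to recognise the broadcast address is an assumption.

```python
"""Classify the UDP flows recorded for the guest and decide whether the URL
was ever fetched.

Added example; not part of the Cuckoo report or of Cuckoo. UDP_ROWS is
copied from the report's UDP table. Assumptions are marked in comments.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

GUEST_IP = "192.168.128.109"  # from "Starting analysis on guest (id=win7x64, ip=192.168.128.109)"
GUEST_NET = ip_network(f"{GUEST_IP}/24", strict=False)  # assumption: the lab subnet is a /24

# Constructed from the report's UDP table: source, source port, destination, destination port
UDP_ROWS = """\
192.168.128.109 60037 192.168.128.111 53
192.168.128.109 60112 192.168.128.111 53
192.168.128.109 65476 192.168.128.111 53
192.168.128.109 137 192.168.128.255 137
192.168.128.109 138 192.168.128.255 138
192.168.128.109 52096 224.0.0.252 5355
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_udp(table: str) -> list[Flow]:
    flows = []
    for line in table.strip().splitlines():
        src, sport, dst, dport = line.split()
        flows.append(Flow(src, int(sport), dst, int(dport)))
    return flows


def classify(flow: Flow) -> str:
    """Label one UDP flow. Everything that is not a resolver query or
    well-known Windows name-resolution chatter is left as "other" for a human."""
    dst = ip_address(flow.dst)
    if flow.dport == 53:
        return "dns"
    if flow.dport in (137, 138) and dst == GUEST_NET.broadcast_address:
        return "netbios-broadcast"   # NetBIOS name service / datagram broadcasts
    if flow.dport == 5355 and dst.is_multicast:
        return "llmnr-multicast"     # Link-Local Multicast Name Resolution
    return "other"


def triage(table: str, *, dns_answered: bool, tcp_flows: int, hosts_contacted: int) -> dict:
    """Summarise the UDP evidence and decide whether any content was retrieved.
    A fetched URL would leave at least one of: a DNS answer, a TCP flow, a host."""
    flows = parse_udp(table)
    kinds = Counter(classify(f) for f in flows)
    resolvers = sorted({f.dst for f in flows if classify(f) == "dns"})
    return {
        "kinds": dict(kinds),
        "resolvers": resolvers,
        "unexplained": [f for f in flows if classify(f) == "other"],
        "url_fetched": dns_answered or tcp_flows > 0 or hosts_contacted > 0,
    }


if __name__ == "__main__":
    # The report shows an empty DNS response column, no TCP rows and no hosts.
    print(triage(UDP_ROWS, dns_answered=False, tcp_flows=0, hosts_contacted=0))
```

The flag is the practical caveat to the score at the top of the page: an unanswered DNS query means the sandbox never saw what is behind the URL, which is not the same as the URL being harmless. Re-running with a resolver that answers, and with httpreplay installed so the pcap can be decoded, is what would turn this into evidence either way.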

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts (the Suricata processing module did not run: the Cuckoo Log reports "Unable to locate Suricata binary", so the pcap was never inspected by an IDS and this is the absence of a tool, not a clean result)

Suricata TLS

No Suricata TLS (same reason; there was also no TCP traffic to inspect)

Snort Alerts

No Snort Alerts

Name eb154e1c80251e4d_~wrs{20c0eed3-a652-43e7-8c97-60ba08f557e6}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{20C0EED3-A652-43E7-8C97-60BA08F557E6}.tmp
Size 1.0KB
Processes 2312 (WINWORD.EXE)
Type data
MD5 096a53a4773885b59eeb8a0971fa6ee3
SHA1 2507fdea6e4145699a7b43b55eafe2aec67b9e43
SHA256 eb154e1c80251e4dd23b8a1386f9057fc4fa22aab9be9eff6279f9693d186c4d
CRC32 816F49C5
ssdeep 24:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNwwNru4HiqNGFbeZyx9f:GNwSNNNwwwwwvwwwwwwwwwwwwwwwNNw1
Yara None matched
VirusTotal Search for analysis
Name e0bbc2058bcfc9c5_mso1033.acl
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Office\MSO1033.acl
Size 36.9KB
Processes 2312 (WINWORD.EXE)
Type data
MD5 8c8cb76cf6a14a9808f8a584cdef3d29
SHA1 4783a75fd7e9e0d079c9169e168e7a42e0dc2eb3
SHA256 e0bbc2058bcfc9c58306a0eadcc1c824f9e7dff6fc42917160fa0b3c20e57b9d
CRC32 3CD59FF4
ssdeep 768:CatNbFeZKdogeyHMOeYhYVi+iOFOwbPXdEma1b:9/eLAhYVzbw
Yara None matched
VirusTotal Search for analysis
Name 6e9bd1e5638d48c1_building blocks.dotx
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\Building Blocks.dotx
Size 314.8KB
Processes 2312 (WINWORD.EXE)
Type Microsoft Word 2007+
MD5 89e2626a866bc9a18da185e35228a404
SHA1 4bc5718e114fa9cd2d60af37ba3d58d382ed18da
SHA256 6e9bd1e5638d48c1219c2312b67f2134ff404ab9f9644431df9b3b33ec33de66
CRC32 9DF23CE3
ssdeep 6144:nxl82xfVaZUt2Km7Jh+u0O7Ss5SuSfNaEf1e/PR5Oa52G0jlE0:n78+VamMKicBO7SaSuSx85Oa5CR
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers1 - Looks for big numbers 32:sized
VirusTotal Search for analysis
Name ff89540154dc4e3d_~$ilding blocks.dotx
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\Document Building Blocks\1033\~$ilding Blocks.dotx
Size 162.0B
Processes 2312 (WINWORD.EXE)
Type data
MD5 1f98b56cc21da45242bf81bed87ee6d4
SHA1 4065ddcd4b38161d3c0930d96adf7cba9183ea34
SHA256 ff89540154dc4e3d1884856c0601c98f6813f7d5a87a1bc45a29cf60b7edb729
CRC32 1E6FEF1E
ssdeep 3:fBplxl/Zlxl/vHlVgXl:fJ3HlVgX
Yara None matched
VirusTotal Search for analysis
Name b3d510ef04275ca8_custom.dic
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Size 2.0B
Processes 2312 (WINWORD.EXE)
Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
ssdeep 3:Qn:Qn
Yara None matched
VirusTotal Search for analysis
Name c8154aa14041094a_~wrs{1a7591e1-9691-4dbf-8710-ca28c357e935}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A7591E1-9691-4DBF-8710-CA28C357E935}.tmp
Size 158.0KB
Processes 2312 (WINWORD.EXE)
Type data
MD5 f0153e38144d2c5b5a24253ea8f387e6
SHA1 d1bb2132b9aa2392233d90fec231b233c24e6907
SHA256 c8154aa14041094a12cf352b7e0da42e0312bbdbb1433d95edbc1c353ef8679a
CRC32 67F3C3DF
ssdeep 1536:HaIEgdLXe451JVzYfdTXVdUu97FB3csN0Xq:HqIRePMk
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • PEiD_03512_Xtreme_Protector_v1_05_ - [Xtreme-Protector v1.05]
VirusTotal Search for analysis
Name dcf5ce99ed5c8bd9_65738.od
Filepath C:\Users\zamen\AppData\Local\Temp\65738.od
Size 134.0B
Processes 2312 (WINWORD.EXE)
Type ASCII text, with CRLF line terminators
MD5 1a9a4e64b94e5369b1a94ad5ade18183
SHA1 70867d6edfaf5be23987128a356b6192eafb25c5
SHA256 dcf5ce99ed5c8bd909825e281d9192fe30dfe232af01835b4d776f91474fceea
CRC32 082208DA
ssdeep 3:OFrpRCMKLovyafNREalYEBicIEcK99wW6IXInTT7uZWZ:OKMKcaaYal1b/9dX8
Yara
  • contentis_base64 - This rule finds for base64 strings
  • Big_Numbers0 - Looks for big numbers 20:sized
VirusTotal Search for analysis
Name 3d5bc0c3c759609b_opa12.dat
Filepath C:\ProgramData\Microsoft\OFFICE\DATA\opa12.dat
Size 8.0KB
Processes 2312 (WINWORD.EXE)
Type data
MD5 0e7e24ed21bd5da96b0d882d5a043ad4
SHA1 543bba04369e50dfb74d27d24e1069810a5707ea
SHA256 3d5bc0c3c759609b3637e8efb7508600ec8a175e601779916097537c80092f2d
CRC32 E4BF56FA
ssdeep 192:12xaaUyse71abxl0fatpNnxa/2WvVJBZHp5isu/dY/tBNLqu5Xw2a:12x3slgatpNnxZGplu1Yte2ba
Yara None matched
VirusTotal Search for analysis
Name 9dd040b42dd030b1_~wrs{41c14016-5325-41b9-81cf-8716de5823c2}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{41C14016-5325-41B9-81CF-8716DE5823C2}.tmp
Size 1.5KB
Processes 2312 (WINWORD.EXE)
Type data
MD5 c4029a1a7779917d1f5091c2debce44d
SHA1 ec7a97adbd03c72f969a107f00f93c5f88374e9e
SHA256 9dd040b42dd030b1dc12eb60cf6bea86e98558d4664eb1d59e47a7d8657d0869
CRC32 29005411
ssdeep 3:Nzyxwnml0baZ4PON8DCBPl7l2xllVlzlpDll3/J/jvfllZtLQXZlhlhlhlZ/Z/nW:NmWmG2GW2GJxl2oXlgdRpj43K
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.
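Two checks a reviewer can run over the dropped-file records above, as an added Python example that is not from the report or from Cuckoo: it parses two of the records, verifies that each stored name is the first 16 hex digits of the SHA256 followed by an underscore and the lower-cased original file name (the convention every record on this page follows), and flags Yara PEiD packer rules that hit a file whose type is not a PE executable. The PE heuristic and the guess that the 2-byte UTF-16 CUSTOM.DIC is nothing but a byte-order mark are this example's own; the guess is tested, not assumed.

```python
"""Consistency checks over dropped-file records from a Cuckoo report.

Added example, not part of this report or of Cuckoo's own code. RECORDS is
a constructed copy of two records from the page. The naming rule checked
(sha256[:16] + "_" + lower-cased file name) is read off the records; the
"PEiD rules only mean something on PE files" heuristic is this example's.
"""
from __future__ import annotations

import hashlib

RECORDS = r"""
Name c8154aa14041094a_~wrs{1a7591e1-9691-4dbf-8710-ca28c357e935}.tmp
Filepath C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1A7591E1-9691-4DBF-8710-CA28C357E935}.tmp
Size 158.0KB
Processes 2312 (WINWORD.EXE)
Type data
MD5 f0153e38144d2c5b5a24253ea8f387e6
SHA1 d1bb2132b9aa2392233d90fec231b233c24e6907
SHA256 c8154aa14041094a12cf352b7e0da42e0312bbdbb1433d95edbc1c353ef8679a
CRC32 67F3C3DF
ssdeep 1536:HaIEgdLXe451JVzYfdTXVdUu97FB3csN0Xq:HqIRePMk
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
VirusTotal Search for analysis
Name b3d510ef04275ca8_custom.dic
Filepath C:\Users\zamen\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Size 2.0B
Processes 2312 (WINWORD.EXE)
Type Little-endian UTF-16 Unicode text, with no line terminators
MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
CRC32 88F83096
ssdeep 3:Qn:Qn
Yara None matched
VirusTotal Search for analysis
"""


def parse_records(text: str) -> list[dict]:
    """Turn the flattened "Key value" lines into one dict per record.
    A record starts at each "Name" line; bullet lines are Yara rule hits."""
    records: list[dict] = []
    cur: dict = {}
    for raw in text.strip("\n").splitlines():
        if raw.lstrip().startswith("•"):
            rule = raw.lstrip().lstrip("•").strip().split(" - ", 1)[0]
            cur["Yara"].append(rule)
            continue
        key, _, value = raw.partition(" ")
        if key == "Name":
            cur = {"Yara": []}
            records.append(cur)
        if key == "Yara":            # "Yara" alone opens a hit list; "Yara None matched" is empty
            if value.strip() == "None matched":
                cur["Yara"] = []
            continue
        cur[key] = value
    return records


def stored_name(data: bytes, original_name: str) -> str:
    """The name Cuckoo stored the file under, recomputed from content and file name."""
    return hashlib.sha256(data).hexdigest()[:16] + "_" + original_name.lower()


def name_consistent(rec: dict) -> bool:
    """Does the stored name agree with the record's own SHA256 and Filepath?"""
    base = rec["Filepath"].rsplit("\\", 1)[-1]
    return rec["Name"] == rec["SHA256"][:16] + "_" + base.lower()


def likely_false_positives(rec: dict) -> list[str]:
    """PEiD packer signatures matched against a non-PE file carry no meaning."""
    is_pe = rec["Type"].startswith(("PE32", "MS-DOS executable"))
    return [r for r in rec["Yara"] if r.startswith("PEiD_") and not is_pe]


if __name__ == "__main__":
    recs = parse_records(RECORDS)
    for rec in recs:
        status = "name ok" if name_consistent(rec) else "NAME MISMATCH"
        print(rec["Name"], status, "noise:", likely_false_positives(rec))
    # Guess to test, not assume: a 2-byte UTF-16LE "text" file may be just the BOM.
    print("CUSTOM.DIC is a bare BOM:", stored_name(b"\xff\xfe", "CUSTOM.DIC") == recs[1]["Name"])
```

Run over the records above, the Petite, StarForce and Xtreme-Protector hits on a 158 KB file of type "data" come out as noise. The same reading applies to the contentis_base64 and Big_Numbers hits on Building Blocks.dotx, which the Opened and Written files lists show Word reading from Office12\Document Parts\1033 and writing into the user profile: generic rules firing on Word's own template, not on anything the URL delivered.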
Task ID 166
Mongo ID 5c0e950d11d3081ae0b0a312
Cuckoo release 2.0-dev