URL Details

URL
http://nvipgfrdixwl.com/

Score

This URL shows some signs of potentially malicious behavior.

The score of this URL is 1.8 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature. Read the score against the rest of this report: the DNS section records no lookup of nvipgfrdixwl.com, and the analyzer log ends on a timeout while the Human module is still dismissing dialogs, so what was scored is Firefox profile creation and start-up activity in the guest rather than anything served by the URL.

Information on Execution

Category: URL
Started: Jan. 21, 2019, 5:17 a.m.
Completed: Jan. 21, 2019, 5:23 a.m.
Duration: 374 seconds

Machine

Name: winxpsp3x86
Label: winxpsp3x86
Started On: 2019-01-21 05:17:15
Shutdown On: 2019-01-21 05:23:27

Note that the guest clock in the Analyzer Log below runs eight hours ahead of the host clock used here and in the Cuckoo Log (13:17:12 versus 05:17:15), so subtract eight hours when correlating the two logs.

Analyzer Log

2019-01-21 13:17:12,000 [analyzer] DEBUG: Starting analyzer from: C:\oxjkukfr
2019-01-21 13:17:12,000 [analyzer] DEBUG: Pipe server name: \\.\PIPE\rXCBtzQkTZbyxGPwIJrjfBeIb
2019-01-21 13:17:12,000 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\AeaPBAgPHUHFwOxXx
2019-01-21 13:17:19,217 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-21 13:17:19,421 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:19,421 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:19,483 [analyzer] DEBUG: Loaded monitor into process with pid 700
2019-01-21 13:17:19,483 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-21 13:17:19,483 [analyzer] DEBUG: Started auxiliary module Human
2019-01-21 13:17:19,483 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-21 13:17:19,483 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-21 13:17:19,717 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-21 13:17:19,733 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-21 13:17:19,937 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"cmDXNvHMKhrG"', 'http://nvipgfrdixwl.com/'] and pid 236
2019-01-21 13:17:20,187 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:20,187 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:20,296 [analyzer] DEBUG: Loaded monitor into process with pid 236
2019-01-21 13:17:20,640 [analyzer] INFO: Injected into process with pid 816 and name u'firefox.exe'
2019-01-21 13:17:20,812 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:20,953 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:21,046 [analyzer] DEBUG: Loaded monitor into process with pid 816
2019-01-21 13:17:21,358 [analyzer] INFO: Added new file to list with pid 816 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
2019-01-21 13:17:21,375 [analyzer] INFO: Added new file to list with pid 816 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
2019-01-21 13:17:22,062 [analyzer] INFO: Added new file to list with pid 816 and path C:\Program Files\Mozilla Firefox\components\xpti.dat.tmp
2019-01-21 13:17:25,108 [analyzer] DEBUG: Received request to inject pid=816, but we are already injected there.
2019-01-21 13:17:25,890 [analyzer] INFO: Added new file to list with pid 816 and path C:\Program Files\Mozilla Firefox\components\compreg.dat.tmp
2019-01-21 13:17:31,467 [analyzer] INFO: Added new file to list with pid 816 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
2019-01-21 13:17:31,578 [analyzer] INFO: Injected into process with pid 596 and name u'firefox.exe'
2019-01-21 13:17:31,717 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:31,717 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:31,875 [analyzer] DEBUG: Loaded monitor into process with pid 596
2019-01-21 13:17:32,187 [analyzer] INFO: Added new file to list with pid 596 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\compatibility.ini
2019-01-21 13:17:32,342 [analyzer] INFO: Added new file to list with pid 596 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\xpti.dat.tmp
2019-01-21 13:17:32,437 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:34,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:35,530 [analyzer] DEBUG: Received request to inject pid=596, but we are already injected there.
2019-01-21 13:17:35,562 [analyzer] INFO: Added new file to list with pid 596 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XPC.mfl
2019-01-21 13:17:36,453 [analyzer] INFO: Added new file to list with pid 596 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\compreg.dat.tmp
2019-01-21 13:17:36,578 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:40,625 [lib.api.process] INFO: Memory dump of process with pid 816 completed
2019-01-21 13:17:41,140 [analyzer] INFO: Process with pid 816 has terminated
2019-01-21 13:17:41,203 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:43,265 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:44,890 [analyzer] INFO: Added new file to list with pid 596 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XUL.mfl
2019-01-21 13:17:45,328 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:47,390 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:49,483 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:51,546 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:53,608 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:55,750 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:57,812 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:59,875 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:01,937 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:04,000 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:06,062 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:08,125 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:10,187 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:12,250 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:14,312 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:16,375 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:18,437 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:20,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:22,562 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:24,625 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:26,687 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:28,750 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:30,842 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:32,921 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:35,000 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:37,062 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:39,125 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:41,187 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:43,250 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:45,312 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:47,375 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:49,437 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:51,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:53,562 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:55,625 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:57,703 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:18:59,780 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:01,842 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:03,905 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:05,967 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:08,030 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:10,092 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:12,155 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:14,217 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:16,280 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:18,342 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:20,421 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:22,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:24,592 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:26,687 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:28,780 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:30,890 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:32,983 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:35,062 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:37,155 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:39,250 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:41,342 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:43,483 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:45,578 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:47,671 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:49,750 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:51,812 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:53,875 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:55,937 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:19:58,000 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:00,062 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:02,125 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:04,187 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:06,250 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:08,312 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:10,375 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:12,437 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:14,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:16,592 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:18,703 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:20,780 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:22,842 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:24,905 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:26,967 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:29,030 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:31,092 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:33,155 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:35,217 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:37,280 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:39,342 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:41,405 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:43,483 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:45,546 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:47,608 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:49,671 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:51,733 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:53,796 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:55,858 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:57,921 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:20:59,983 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:02,046 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:04,108 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:06,203 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:08,265 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:10,328 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:12,390 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:14,453 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:16,546 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:18,608 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:20,671 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:22,733 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:24,203 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-21 13:21:24,842 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:26,905 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:28,967 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:31,030 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:33,092 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:35,155 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:37,217 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:39,296 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:41,358 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:43,421 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:45,483 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:47,562 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:49,625 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:51,687 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:52,250 [lib.api.process] INFO: Memory dump of process with pid 236 completed
2019-01-21 13:21:53,780 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:55,842 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:57,905 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:21:59,967 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:02,030 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:04,125 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:06,217 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:08,280 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:10,342 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:12,405 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:22:13,015 [lib.api.process] INFO: Memory dump of process with pid 596 completed
2019-01-21 13:22:13,015 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-21 13:22:13,015 [lib.api.process] INFO: Successfully terminated process with pid 236.
2019-01-21 13:22:13,015 [lib.api.process] INFO: Successfully terminated process with pid 596.
2019-01-21 13:22:13,515 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\application data\\mozilla\\firefox\\profiles\\z3sxklrh.default\\xpti.dat.tmp'" does not exist, skip.
2019-01-21 13:22:13,578 [analyzer] WARNING: File at path "u'c:\\documents and settings\\zamen\\application data\\mozilla\\firefox\\profiles\\z3sxklrh.default\\compreg.dat.tmp'" does not exist, skip.
2019-01-21 13:22:14,405 [analyzer] INFO: Analysis completed.
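
The analyzer log above carries three signals that decide how much the rest of the report can be trusted: the repeated warning that the monitor could not find offsets for this kernel32.dll build (so some of its API hooks were never placed), the Human module clicking "OK" roughly every two seconds for the whole run (the guest is stuck in a modal dialog loop), and the run ending on "Analysis timeout hit" rather than on process exit. The following is an added example, not part of the original report and not Cuckoo's own code: it parses analyzer.log lines in the format shown, counts those signals and returns a triage summary. The embedded sample lines are constructed in the same format (a short subset, not the full log), and the click threshold is an assumption of this example.

```python
import re
from datetime import datetime

# Constructed sample in the analyzer.log format above (same fields and
# wording, a short subset rather than a copy of the whole log).
SAMPLE_LOG = r"""
2019-01-21 13:17:12,000 [analyzer] DEBUG: Starting analyzer from: C:\oxjkukfr
2019-01-21 13:17:19,421 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 13:17:19,937 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"cmDXNvHMKhrG"', 'http://nvipgfrdixwl.com/'] and pid 236
2019-01-21 13:17:20,640 [analyzer] INFO: Injected into process with pid 816 and name u'firefox.exe'
2019-01-21 13:17:31,578 [analyzer] INFO: Injected into process with pid 596 and name u'firefox.exe'
2019-01-21 13:17:32,437 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:34,500 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:36,578 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-21 13:17:41,140 [analyzer] INFO: Process with pid 816 has terminated
2019-01-21 13:21:24,203 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-21 13:22:14,405 [analyzer] INFO: Analysis completed.
""".strip()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"\[(?P<module>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
INJECT_RE = re.compile(r"Injected into process with pid (\d+) and name u?'([^']+)'")
CLICK_MSG = 'Found button "OK", clicking it'
OFFSET_PREFIX = "Unable to find the correct offsets for functions of: "


def parse_log(text):
    """Return one dict per well-formed log line. Continuation lines such as
    traceback frames carry no timestamp and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S,%f")
            events.append(d)
    return events


def triage(text, loop_threshold=10):
    """Summarise how trustworthy an analyzer run is. loop_threshold (the
    number of OK clicks that counts as a dialog loop) is an assumption of
    this example, not a Cuckoo setting."""
    events = parse_log(text)
    if not events:
        raise ValueError("no parsable analyzer log lines")
    injected, missing_offsets = {}, set()
    clicks, timed_out = 0, False
    for e in events:
        msg = e["msg"]
        m = INJECT_RE.match(msg)
        if m:
            injected[int(m.group(1))] = m.group(2)
        elif msg == CLICK_MSG:
            clicks += 1
        elif msg.startswith(OFFSET_PREFIX):
            missing_offsets.add(msg[len(OFFSET_PREFIX):])
        elif msg.startswith("Analysis timeout hit"):
            timed_out = True
    run_seconds = (events[-1]["ts"] - events[0]["ts"]).total_seconds()
    findings = []
    if missing_offsets:
        findings.append("hook coverage incomplete: " + ", ".join(sorted(missing_offsets)))
    if clicks >= loop_threshold:
        findings.append("guest stuck in a modal dialog loop (%d OK clicks)" % clicks)
    if timed_out:
        findings.append("run ended by timeout, not by process exit")
    return {
        "injected": injected,
        "ok_clicks": clicks,
        "missing_offsets": sorted(missing_offsets),
        "timed_out": timed_out,
        "dialog_loop": clicks >= loop_threshold,
        "run_seconds": run_seconds,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against the full log on this page and the click counter alone lands well above any sensible threshold; a report in that state says little about the URL and should be re-run on a guest image whose first-run dialogs have been dismissed beforehand.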

Cuckoo Log

2019-01-21 05:17:15,595 [lib.cuckoo.core.scheduler] INFO: Task #1189: acquired machine winxpsp3x86 (label=winxpsp3x86)
2019-01-21 05:17:15,610 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 7408 (interface=eth2, host=192.168.128.101, pcap=/opt/cuckoo/storage/analyses/1189/dump.pcap)
2019-01-21 05:17:51,079 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3x86, ip=192.168.128.101)
2019-01-21 05:23:24,053 [lib.cuckoo.core.guest] INFO: winxpsp3x86: analysis completed successfully
2019-01-21 05:30:19,691 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-21 05:30:22,189 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c4dd350>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:30:22,190 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c4dd950>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:30:22,191 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c4dd510>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:30:22,192 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937c4dda50>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:30:22,192 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937c4dda50>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937c4dda50>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (2 events)
Time                       API               Arguments                       Status   Return  Repeated
Jan. 21, 2019, 12:17 a.m.  GetComputerNameW  computer_name: ZAMEN-E701CCF64  success  1       0
Jan. 21, 2019, 12:17 a.m.  GetComputerNameA  computer_name: ZAMEN-E701CCF64  success  1       0
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Mozilla Firefox\chrome\classic.manifest
Starts servers listening on 127.0.0.1:0 (9 events)
All three listeners are bound to the loopback address on an ephemeral port (port 0) and the only peers accepted are 127.0.0.1, so none of them is reachable from outside the guest; the pattern is consistent with a browser's internal loopback socket pair rather than a listening backdoor.
Time                       API     Arguments                                        Status   Return  Repeated
Jan. 21, 2019, 12:17 a.m.  bind    ip_address: 127.0.0.1, socket: 420, port: 0      success  0       0
Jan. 21, 2019, 12:17 a.m.  listen  socket: 420, backlog: 5                          success  0       0
Jan. 21, 2019, 12:17 a.m.  accept  ip_address: 127.0.0.1, socket: 420, port: 1046   success  456     0
Jan. 21, 2019, 12:17 a.m.  bind    ip_address: 127.0.0.1, socket: 432, port: 0      success  0       0
Jan. 21, 2019, 12:17 a.m.  listen  socket: 432, backlog: 5                          success  0       0
Jan. 21, 2019, 12:17 a.m.  accept  ip_address: 127.0.0.1, socket: 432, port: 1052   success  456     0
Jan. 21, 2019, 12:17 a.m.  bind    ip_address: 127.0.0.1, socket: 608, port: 0      success  0       0
Jan. 21, 2019, 12:17 a.m.  listen  socket: 608, backlog: 5                          success  0       0
Jan. 21, 2019, 12:17 a.m.  accept  ip_address: 127.0.0.1, socket: 608, port: 1057   success  628     0
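
The bind/listen/accept rows above only become a finding once you ask where each listener is reachable from. The following is an added example, not part of the original report and not one of Cuckoo's signatures: it groups the API rows per socket handle and labels each listener as loopback-only or network-reachable. The three loopback sockets in the sample are taken from the page; socket 900 is a hypothetical listener added to exercise the other branch. It assumes, as the rows on the page suggest, that the accept row carries the connecting peer's address.

```python
import ipaddress

# Constructed sample in the shape of the signature rows above. Sockets 420,
# 432 and 608 are from the page; socket 900 is hypothetical.
SAMPLE_EVENTS = [
    {"api": "bind",   "socket": 420, "ip_address": "127.0.0.1", "port": 0},
    {"api": "listen", "socket": 420, "backlog": 5},
    {"api": "accept", "socket": 420, "ip_address": "127.0.0.1", "port": 1046},
    {"api": "bind",   "socket": 432, "ip_address": "127.0.0.1", "port": 0},
    {"api": "listen", "socket": 432, "backlog": 5},
    {"api": "accept", "socket": 432, "ip_address": "127.0.0.1", "port": 1052},
    {"api": "bind",   "socket": 608, "ip_address": "127.0.0.1", "port": 0},
    {"api": "listen", "socket": 608, "backlog": 5},
    {"api": "accept", "socket": 608, "ip_address": "127.0.0.1", "port": 1057},
    {"api": "bind",   "socket": 900, "ip_address": "0.0.0.0", "port": 4444},
    {"api": "listen", "socket": 900, "backlog": 5},
    {"api": "accept", "socket": 900, "ip_address": "192.0.2.10", "port": 51000},
]


def classify_listeners(events):
    """Group bind/listen/accept rows by socket handle and decide, per
    listener, whether it can be reached from outside the guest."""
    listeners = {}
    for e in events:
        s = e["socket"]
        if e["api"] == "bind":
            listeners[s] = {"addr": e["ip_address"], "port": e["port"],
                            "listening": False, "peers": []}
        elif s in listeners and e["api"] == "listen":
            listeners[s]["listening"] = True
        elif s in listeners and e["api"] == "accept":
            # accept row is assumed to carry the connecting peer's address
            listeners[s]["peers"].append((e["ip_address"], e["port"]))

    report = {}
    for s, l in listeners.items():
        bound = ipaddress.ip_address(l["addr"])
        # 0.0.0.0 (unspecified) or any non-loopback address is reachable
        # from the network; 127.0.0.1 is confined to the guest itself.
        exposed = bound.is_unspecified or not bound.is_loopback
        external_peers = [p for p in l["peers"]
                          if not ipaddress.ip_address(p[0]).is_loopback]
        if not l["listening"]:
            label = "bound only"
        elif exposed or external_peers:
            label = "network-reachable listener"
        else:
            label = "loopback-only listener"
        report[s] = {
            "label": label,
            "exposed": exposed,
            "ephemeral_port": l["port"] == 0,
            "peers": l["peers"],
            "external_peers": external_peers,
        }
    return report


def exposed_sockets(events):
    """Socket handles whose listener is reachable from the network."""
    return sorted(s for s, r in classify_listeners(events).items()
                  if r["label"] == "network-reachable listener")


if __name__ == "__main__":
    for sock, r in sorted(classify_listeners(SAMPLE_EVENTS).items()):
        print(sock, r["label"], "ephemeral" if r["ephemeral_port"] else "fixed port")
```

Only the hypothetical socket 900 comes out as network-reachable; the three listeners from the page are loopback-only with ephemeral ports, which is why the signature on its own should not raise the score.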
Connects to an IP address that is no longer responding to requests (legitimate services usually remain up and running) (1 event)
dead_host 192.158.197.132:3460
This address does not appear in the DNS section and the submitted host was never resolved, so the dead host cannot be attributed to nvipgfrdixwl.com on the evidence in this report.

Network

DNS

Name              Response                Post-Analysis Lookup
time.windows.com  (no response recorded)  (none)

The only lookup is the Windows Time service's default NTP host; nvipgfrdixwl.com was never queried, so nothing in the network section relates to the submitted URL.
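
Two things above decide whether this report is complete: the Cuckoo Log shows the Suricata processing module failing ("Unable to locate Suricata binary") and the ElasticSearch reporting module unable to connect, and the DNS table shows no query for the submitted host. The following is an added example, not part of the original report and not Cuckoo's own code: it extracts failed modules from Cuckoo log lines in the format shown, checks whether the submitted URL's host appears among the queried names, and lists the resulting gaps. The sample log lines are constructed in that format, and the mapping from module name to affected report section is an assumption about this deployment.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in the format of the Cuckoo Log above (a short subset).
SAMPLE_CUCKOO_LOG = """
2019-01-21 05:30:19,691 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-21 05:30:22,192 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
ConnectionError: ConnectionError(...) caused by: NewConnectionError(...)
""".strip()

PROCESSING_RE = re.compile(
    r'The processing module "([^"]+)" returned the following error: (.*)$')
REPORTING_RE = re.compile(r'Failed to run the reporting module "([^"]+)"')

# Which part of the report each module feeds. This is an assumption of the
# example; adjust it to the modules enabled in your own Cuckoo configuration.
SECTION_DEPS = {
    "Suricata": "network: IDS alerts",
    "ElasticSearch": "search index (report itself still written to disk)",
}


def failed_modules(log_text):
    """Map module name -> error text for every processing/reporting failure."""
    failures = {}
    for line in log_text.splitlines():
        m = PROCESSING_RE.search(line)
        if m:
            failures[m.group(1)] = m.group(2)
            continue
        m = REPORTING_RE.search(line)
        if m:
            failures[m.group(1)] = "reporting module raised an exception"
    return failures


def target_resolved(url, dns_names):
    """True if the submitted URL's host shows up among the queried names."""
    host = urlsplit(url).hostname
    return host is not None and host.lower() in {n.lower() for n in dns_names}


def completeness(url, dns_names, log_text):
    """List the reasons this report cannot support a verdict on the URL."""
    gaps = []
    for mod, err in failed_modules(log_text).items():
        gaps.append("%s unavailable (%s): %s" % (SECTION_DEPS.get(mod, mod), mod, err))
    if not target_resolved(url, dns_names):
        gaps.append("no DNS query for %s: nothing in the report can be "
                    "attributed to the submitted URL" % urlsplit(url).hostname)
    return gaps


if __name__ == "__main__":
    for gap in completeness("http://nvipgfrdixwl.com/", ["time.windows.com"],
                            SAMPLE_CUCKOO_LOG):
        print("-", gap)
```

With the values from this page the function reports three gaps, which is the practical reading of the report: no IDS coverage, no indexed copy, and no traffic to the target. An absent Suricata alert here is not evidence of benign traffic.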

Summary

Process firefox.exe (816)

  • Opened files

    • C:\Program Files\Mozilla Firefox\components\nsSidebar.js
    • C:\Program Files\Mozilla Firefox\components\aboutRobots.js
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Program Files\Mozilla Firefox\components\nsAddonRepository.js
    • C:\Program Files\Mozilla Firefox\components\nsURLFormatter.js
    • C:\Program Files\Mozilla Firefox\components\nsWebHandlerApp.js
    • C:\Program Files\Mozilla Firefox\components\nsSessionStartup.js
    • C:\Program Files\Mozilla Firefox\components\nsBlocklistService.js
    • C:\Program Files\Mozilla Firefox\components\nsSessionStore.js
    • C:\Program Files\Mozilla Firefox\components\nsHelperAppDlg.js
    • C:\Program Files\Mozilla Firefox\components\nsBrowserContentHandler.js
    • C:\Program Files\Mozilla Firefox\components\nsDownloadManagerUI.js
    • C:\Program Files\Mozilla Firefox\components\nsLoginInfo.js
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\Program Files\Mozilla Firefox\components\nsHandlerService.js
    • C:\Program Files\Mozilla Firefox\components\txEXSLTRegExFunctions.js
    • C:\Program Files\Mozilla Firefox\modules\JSON.jsm
    • C:\Program Files\Mozilla Firefox\components\fuelApplication.js
    • C:\Program Files\Mozilla Firefox\modules\ISO8601DateUtils.jsm
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\components\nsUrlClassifierLib.js
    • C:\Program Files\Mozilla Firefox\components\nsLoginManager.js
    • C:\Program Files\Mozilla Firefox\components\nsDefaultCLH.js
    • C:\Program Files\Mozilla Firefox\components\jsconsole-clhandler.js
    • C:\Program Files\Mozilla Firefox\components\nsLivemarkService.js
    • C:\Program Files\Mozilla Firefox\components\nsExtensionManager.js
    • C:\Program Files\Mozilla Firefox\modules\XPCOMUtils.jsm
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\components\nsSetDefaultBrowser.js
    • C:\Program Files\Mozilla Firefox\modules\distribution.js
    • C:\Program Files\Mozilla Firefox\components\nsSearchService.js
    • C:\Program Files\Mozilla Firefox\components\nsLoginManagerPrompter.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\components\nsPlacesTransactionsService.js
    • C:\Program Files\Mozilla Firefox\components\nsPostUpdateWin.js
    • C:\Program Files\Mozilla Firefox\components\nsProxyAutoConfig.js
    • C:\Program Files\Mozilla Firefox\components\nsSafebrowsingApplication.js
    • C:\Program Files\Mozilla Firefox\components\nsTaggingService.js
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Program Files\Mozilla Firefox\components\WebContentConverter.js
    • C:\Program Files\Mozilla Firefox\components\nsSearchSuggestions.js
    • C:\Program Files\Mozilla Firefox\components\FeedConverter.js
    • C:\Program Files\Mozilla Firefox\components\pluginGlue.js
    • C:\Program Files\Mozilla Firefox\components\nsTryToClose.js
    • C:\Program Files\Mozilla Firefox\components\nsUrlClassifierListManager.js
    • C:\Program Files\Mozilla Firefox\components\nsMicrosummaryService.js
    • C:\Program Files\Mozilla Firefox\components\FeedProcessor.js
    • C:\Program Files\Mozilla Firefox\components\FeedWriter.js
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\components\xpti.dat
    • C:\Program Files\Mozilla Firefox\components\nsUpdateService.js
    • C:\Program Files\Mozilla Firefox\components\storage-Legacy.js
    • C:\Program Files\Mozilla Firefox\components\nsContentPrefService.js
    • C:\Program Files\Mozilla Firefox\components\nsContentDispatchChooser.js
    • C:\Program Files\Mozilla Firefox\components\nsBrowserGlue.js
  • Written files

    • C:\Program Files\Mozilla Firefox\components\xpti.dat.tmp
    • C:\Program Files\Mozilla Firefox\components\compreg.dat.tmp
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
  • Files Read

    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\components\xpti.dat
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\greprefs\all.js

Process firefox.exe (596)

  • Opened files

    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files\Mozilla Firefox\components\nsSessionStartup.js
    • C:\Program Files\Mozilla Firefox\components\FeedConverter.js
    • C:\
    • C:\Program Files\Mozilla Firefox\components\fuelApplication.js
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files\Mozilla Firefox\components\nsLoginManager.js
    • C:\Program Files\Mozilla Firefox\components\nsExtensionManager.js
    • C:\Program Files\Mozilla Firefox\components\nsSetDefaultBrowser.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XUL.mfl
    • C:\Program Files\Mozilla Firefox\components\pluginGlue.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Program Files\Mozilla Firefox\components\nsMicrosummaryService.js
    • C:\Program Files\Mozilla Firefox\components\nsBrowserContentHandler.js
    • C:\Program Files\Mozilla Firefox\components\nsSearchSuggestions.js
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\WINDOWS\system32\12520437.cpx
    • C:\Program Files\Mozilla Firefox\components\nsUpdateService.js
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files\Mozilla Firefox\components\aboutRobots.js
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files\Mozilla Firefox\components\nsURLFormatter.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\components\nsHelperAppDlg.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XPC.mfl
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Program Files\Mozilla Firefox\components\jsconsole-clhandler.js
    • C:\Program Files\Mozilla Firefox\components\nsLivemarkService.js
    • C:\Program Files\Mozilla Firefox\components\nsLoginManagerPrompter.js
    • C:\Program Files\Mozilla Firefox\components\nsPostUpdateWin.js
    • C:\WINDOWS\system32\snmpapi.dll
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\WINDOWS\system32\msdtc.exe
    • C:\Program Files\Mozilla Firefox\components\nsTryToClose.js
    • C:\WINDOWS\system32\kbdycc.dll
    • C:\Program Files\Mozilla Firefox\components\nsUrlClassifierListManager.js
    • C:\Program Files\Mozilla Firefox\components\FeedWriter.js
    • C:\Program Files\Mozilla Firefox\components\nsContentDispatchChooser.js
    • C:\WINDOWS\system32\dplay.dll
    • C:\Program Files\Mozilla Firefox\components\storage-Legacy.js
    • C:\Program Files\Mozilla Firefox\components\nsAddonRepository.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\components\nsLoginInfo.js
    • C:\Program Files\Mozilla Firefox\components\nsUrlClassifierLib.js
    • C:\Program Files\Mozilla Firefox\components\nsSearchService.js
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\Program Files\Mozilla Firefox\modules\XPCOMUtils.jsm
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\WINDOWS\system32\acctres.dll
    • C:\Program Files\Mozilla Firefox\components\nsPlacesTransactionsService.js
    • C:\Program Files\Mozilla Firefox\components\nsSafebrowsingApplication.js
    • C:\Program Files\Mozilla Firefox\components\nsTaggingService.js
    • C:\WINDOWS\system32\zipfldr.dll
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\WINDOWS\system32\ntdos404.sys
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Program Files\Mozilla Firefox\components\nsBrowserGlue.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Program Files\Mozilla Firefox\components\nsSidebar.js
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\xpti.dat
    • C:\Program Files\Mozilla Firefox\modules\distribution.js
    • C:\Program Files\Mozilla Firefox\components\nsBlocklistService.js
    • C:\Program Files\Mozilla Firefox\components\nsSessionStore.js
    • C:\Program Files\Mozilla Firefox\components\nsDownloadManagerUI.js
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\WINDOWS\system32\comuid.dll
    • C:\WINDOWS\system32\access.cpl
    • C:\Program Files\Mozilla Firefox\components\nsHandlerService.js
    • C:\Program Files\Mozilla Firefox\components\txEXSLTRegExFunctions.js
    • C:\Program Files\Mozilla Firefox\modules\JSON.jsm
    • C:\Program Files\Mozilla Firefox\modules\ISO8601DateUtils.jsm
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\components\nsDefaultCLH.js
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\components\nsProxyAutoConfig.js
    • C:\Program Files\Mozilla Firefox\components\WebContentConverter.js
    • C:\WINDOWS\system32\ver.dll
    • C:\WINDOWS\system32\icaapi.dll
    • C:\WINDOWS\system32\qutil.dll
    • C:\Program Files\Mozilla Firefox\components\nsWebHandlerApp.js
    • C:\Program Files\Mozilla Firefox\components\FeedProcessor.js
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\components\nsContentPrefService.js
  • Written files

    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\compatibility.ini
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XPC.mfl
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\xpti.dat.tmp
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XUL.mfl
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\compreg.dat.tmp
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
  • Files Read

    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\WINDOWS\system32\dplay.dll
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\xpti.dat
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\WINDOWS\system32\kbdycc.dll
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\WINDOWS\system32\comuid.dll
    • C:\WINDOWS\system32\access.cpl
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\WINDOWS\system32\ntdos404.sys
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\WINDOWS\system32\acctres.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\WINDOWS\system32\msdtc.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XUL.mfl
    • C:\WINDOWS\system32\snmpapi.dll
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\WINDOWS\system32\ver.dll
    • C:\WINDOWS\system32\icaapi.dll
    • C:\WINDOWS\system32\qutil.dll
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\WINDOWS\system32\zipfldr.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\WINDOWS\system32\12520437.cpx
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XPC.mfl
    • C:\Program Files\Mozilla Firefox\res\forms.css

Process cmd.exe (236)

Process firefox.exe (816)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles

Process firefox.exe (596)

  • Registry keys opened

    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServerPriorityTimeLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\NoNetAutodial
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterWanAdapters
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AppendToMultiLabelName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableAdapterDomainName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsTest
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastListenLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCachedSockets
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterAdapterName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AdapterTimeoutLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\HTTP\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UpdateSecurityLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationMaxAddressCount
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationTTL
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableDynamicUpdate
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateZoneExcludeFile
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PrioritizeRecordData
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\AllowUnqualifiedQuery
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQueryTimeouts
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsNbtLookupOrder
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseDomainNameDevolution
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseEdns
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap\LdapClientIntegrity
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsMulticastQueryTimeouts
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenBadTlds
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSendLevel
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxNegativeCacheTtl

Process cmd.exe (236)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\TimeZoneKeyName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Australia Standard Time\Tzi
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Australia Standard Time\Std
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Australia Standard Time\Dlt
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Process firefox.exe (816)

  • Mutexes accessed

    • Local\FirefoxStartupMutex

Process firefox.exe (596)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.MMG
    • Local\FirefoxStartupMutex

Process cmd.exe (236)

Process firefox.exe (816)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Application Data
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox
    • C:\Documents and Settings\zamen\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Application Data
  • Directories enumerated

    • C:\Program Files\Mozilla Firefox\components\*
    • C:\Program Files\Mozilla Firefox\greprefs\*
    • C:\Program Files\Mozilla Firefox\defaults\pref\*
    • C:\Documents and Settings\zamen\Application Data\Firefox\registry.dat
    • C:\Program Files\Mozilla Firefox\plugins\*

Process firefox.exe (596)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Application Data
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\chrome
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Extensions
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\extensions
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox
    • C:\Documents and Settings\zamen\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\minidumps
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Application Data
  • Directories enumerated

    • C:\WINDOWS\system32\1054
    • C:\WINDOWS\system32\dplay.dll
    • C:\Program Files\Mozilla Firefox\plugins\*
    • C:\Program Files\Mozilla Firefox\greprefs\*
    • C:\WINDOWS\system32\1037
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\WINDOWS\system32\msdtc.exe
    • C:\WINDOWS\system32\1033
    • C:\WINDOWS\system32\1031
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\defaults\profile\*
    • C:\Program Files\Mozilla Firefox\defaults\profile\chrome\*
    • C:\WINDOWS\system32\access.cpl
    • C:\WINDOWS\system32\2052
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\WINDOWS\system32\ntdos404.sys
    • C:\Program Files\Mozilla Firefox\defaults\pref\*
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Program Files\Mozilla Firefox\chrome\*
    • C:\WINDOWS\system32\3076
    • C:\WINDOWS
    • C:\WINDOWS\system32\acledit.dll
    • C:\WINDOWS\system32\3com_dmi
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32
    • C:\WINDOWS\system32\1025
    • C:\WINDOWS\system32\1042
    • C:\WINDOWS\system32\1041
    • C:\WINDOWS\system32\acctres.dll
    • C:\WINDOWS\system32\1028
    • C:\WINDOWS\system32\snmpapi.dll
    • C:\WINDOWS\system32\12520850.cpx
    • C:\WINDOWS\system32\comuid.dll
    • C:\WINDOWS\system32\ver.dll
    • C:\WINDOWS\system32\icaapi.dll
    • C:\Program Files\Mozilla Firefox\components\*
    • C:\WINDOWS\system32\qutil.dll
    • C:\WINDOWS\system32\kbdycc.dll
    • C:\WINDOWS\system32\zipfldr.dll
    • C:\WINDOWS\system32\*.*
    • C:\WINDOWS\system32\12520437.cpx
    • C:\WINDOWS\nsreg.dat

Process cmd.exe (236)

  • Directories enumerated

    • C:\Documents and Settings
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\WINDOWS
    • C:\WINDOWS\WinSxS
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll

Process firefox.exe (816)

  • Processes created

    • "C:\Program Files\Mozilla Firefox\firefox.exe" "-requestPending" "-osint" "-url" "http://nvipgfrdixwl.com/"
  • DLLs Loaded

    • dbghelp.dll
    • C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
    • iphlpapi.dll
    • C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
    • Shell32.dll
    • rpcrt4.dll

Process firefox.exe (596)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
    • C:\Program Files\Mozilla Firefox\freebl3.dll
    • iphlpapi.dll
    • C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
    • DNSAPI.dll
    • advapi32.dll
    • uxtheme.dll
    • OLE32
    • msimg32
    • C:\WINDOWS\System32\mswsock.dll
    • Shell32.dll
    • rpcrt4.dll
    • OLE32.DLL
    • C:\WINDOWS\System32\winrnr.dll
    • C:\Program Files\Mozilla Firefox\nssckbi.dll
    • C:\Program Files\Mozilla Firefox\softokn3.dll

Process cmd.exe (236)

  • Processes created

    • "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "http://nvipgfrdixwl.com/"
  • DLLs Loaded

    • SHELL32.dll
    • Kernel32.DLL
    • UXTHEME.DLL
    • oleaut32.dll
    • ADVAPI32.dll
    • MSImg32.dll
    • user32.dll
    • Comctl32.dll
No static analysis available.
No antivirus signatures available.

Process Tree


cmd.exe, PID: 236, Parent PID: 1636

  firefox.exe, PID: 816, Parent PID: 236

    firefox.exe, PID: 596, Parent PID: 816

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

DNS

Name Response Post-Analysis Lookup
time.windows.com

TCP

No TCP connections recorded.

UDP

Source           Source Port  Destination      Destination Port
192.168.128.101  1025         192.168.128.111  53
192.168.128.101  137          192.168.128.255  137
192.168.128.101  138          192.168.128.255  138
192.168.128.101  1036         239.255.255.250  1900

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts
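The network section above is the single most useful fact on this page for weighing the verdict. The only DNS name seen is time.windows.com (the default Internet time server of a Windows XP guest), there are no TCP connections and no HTTP requests, and the four UDP flows are one query to the sandbox's resolver plus two NetBIOS name-service broadcasts and one SSDP multicast. The host named in the submitted URL, nvipgfrdixwl.com, was never resolved, let alone contacted, so the file, registry and mutex activity recorded for the two firefox.exe processes is consistent with a first-run browser start-up (profile creation, component registration) rather than with anything served by the page. The script below is an added example, not part of the Cuckoo report; it reads the report's DNS and UDP tables (copied in as constructed input, with the empty TCP table) and labels the analysis "no-reach", "resolved-only" or "contacted". The sandbox subnet 192.168.128.0/24 is an assumption inferred from the addresses in the UDP table.

```python
"""Did the detonation ever reach the submitted URL's host?

Added example, not part of the Cuckoo report above. DNS_NAMES, UDP_TABLE
and TCP_TABLE are copied from the report's network tables; SANDBOX_NET is
an assumption inferred from the guest and resolver addresses.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

SUBMITTED_URL = "http://nvipgfrdixwl.com/"
SANDBOX_NET = ip_network("192.168.128.0/24")  # assumption, see docstring

# Constructed from the report: one DNS name, four UDP rows, no TCP rows.
DNS_NAMES = ["time.windows.com"]
UDP_TABLE = """\
192.168.128.101 1025 192.168.128.111 53
192.168.128.101 137 192.168.128.255 137
192.168.128.101 138 192.168.128.255 138
192.168.128.101 1036 239.255.255.250 1900
"""
TCP_TABLE = ""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flows(table: str, proto: str) -> list[Flow]:
    """Parse the four-column 'Source Port Destination Port' rows."""
    flows = []
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 4:  # skips a header row or a blank line
            continue
        src, sport, dst, dport = parts
        flows.append(Flow(proto, src, int(sport), dst, int(dport)))
    return flows


def classify(flow: Flow) -> str:
    """Label the chatter an idle Windows guest produces on its own."""
    dst = ip_address(flow.dst)
    if flow.dport == 53:
        return "dns"
    if flow.proto == "udp" and flow.dport in (137, 138):
        return "netbios"
    if dst.is_multicast and flow.dport == 1900:
        return "ssdp"
    if dst.is_multicast or dst in SANDBOX_NET:
        return "local"
    return "external"


def assess(url: str, dns_names: list[str], flows: list[Flow]) -> dict:
    """Decide whether the URL's host was resolved and/or contacted."""
    host = urlsplit(url).hostname.lower()
    resolved = any(n.lower().rstrip(".") == host for n in dns_names)
    labels = Counter(classify(f) for f in flows)
    external = [f for f in flows if classify(f) == "external"]
    if external:
        verdict = "contacted"
    elif resolved:
        verdict = "resolved-only"
    else:
        verdict = "no-reach"
    return {"host": host, "resolved": resolved, "external_flows": external,
            "noise": dict(labels), "verdict": verdict}


def assess_report() -> dict:
    """Run the assessment over the tables copied from the report."""
    flows = parse_flows(UDP_TABLE, "udp") + parse_flows(TCP_TABLE, "tcp")
    return assess(SUBMITTED_URL, DNS_NAMES, flows)


if __name__ == "__main__":
    result = assess_report()
    print(result["verdict"], result["noise"])
```

A "no-reach" result should be read before any of the behavioural sections: it means the report documents the browser, not the URL, and the sample is worth re-running with a working DNS path (or the httpreplay library the deprecation note mentions) before the score is trusted either way.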

Name 49480b1dceb1467b_compreg.dat
Filepath c:\program files\mozilla firefox\components\compreg.dat
Size 139.3KB
Processes 816 (firefox.exe)
Type ASCII text
MD5 2e8de2e5c2f36010c70c6a4a47b4d72d
SHA1 08b82460f59e79bf55b5e41d2c1138821e664947
SHA256 49480b1dceb1467b87c829762d0f2c81e67932da51c771ac1b22d3f084af6719
CRC32 9B0DF1E2
ssdeep 3072:o47eS5VbguPWp2PuoHUzmUiHGZTj26cONiBahlVZeE:x7MmWNjvV9
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 109d3442cc290e9a_userid
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
Size 36.0B
Processes 816 (firefox.exe)
Type ASCII text, with no line terminators
MD5 8930e835d907955a56575f95c9ac0ab0
SHA1 9c0a2028eb753f5b5d023458b895a53606212390
SHA256 109d3442cc290e9a85177b5efdc2804b58b87ab6236ccabe4338c71abd238386
CRC32 3F91B849
ssdeep 3:2KXXozToqyn:2KwToFn
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 2bdd80bf77860c97_xpti.dat
Filepath c:\program files\mozilla firefox\components\xpti.dat
Size 93.7KB
Processes 816 (firefox.exe)
Type ASCII text
MD5 21ea86340d5037257b5eec0ae6b79c3f
SHA1 ce6952256f12146b5242c4b12d7eb0443ae94c91
SHA256 2bdd80bf77860c97c2aeb97c78075d0d449e0c8a9e975c0c1a650fb1ef1687b7
CRC32 48093FBC
ssdeep 1536:XrZ4orMucoti+EeYRgO8sdvqs030yhLu9+trwrdQdlAz0BJX4kIPIxok3p:XrZ4orMuccxYRgObCs0kyhLugt+dQdln
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 103acd070b56360c_xpc.mfl
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XPC.mfl
Size 1.8MB
Processes 596 (firefox.exe)
Type Mozilla XUL fastload data
MD5 6cb02890ac239e0e6cb55a4275b57093
SHA1 e54f745721fafd122abc37482199185b06789bd5
SHA256 103acd070b56360c3f5d788ce8a3d7d2b48e55aa7aa921b64380531e449d891e
CRC32 7E86430A
ssdeep 12288:hLh0ne0JGAv3iJnhgycZRwXf5K+Esn76Aaea+3uKZgJGCm0T+FQ6MPGgk4cw+J5+:UifRuLG/9JshvTkq
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
Name 9cb43d1f40025528_profiles.ini
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
Size 111.0B
Processes 816 (firefox.exe) 596 (firefox.exe)
Type ASCII text, with CRLF line terminators
MD5 b59cee9503c0a3fa7d16b6268d5ab5d3
SHA1 132b629428eeacf819a791d1e8106e1f41545ed4
SHA256 9cb43d1f40025528ca96f019e44632eee8743ce281b7f33bdb02e73af7891b16
CRC32 B9DA9B2E
ssdeep 3:1EmuRzTIIXov++IN4EI89fyHAKMj+uIwLBAYQfyyn:1ETgv3IG8uAKMdI+AYQD
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 505e6c3196aeb9b1_compatibility.ini
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\compatibility.ini
Size 177.0B
Processes 596 (firefox.exe)
Type ASCII text, with CRLF line terminators
MD5 59bd03f23354b0173407878ac9fef4f2
SHA1 dfe4384b7f086070af24abec45c3df0fb0e8e7f0
SHA256 505e6c3196aeb9b1e73bd21e0634660793f9ca39a8138c586441185ec0a81777
CRC32 DFA788D9
ssdeep 3:tZAQW2V36TVADj2NEhWT/P4WX1rDZjrEFwHQ3ZjrEFw6:VKTVADimqN1rDVEFycVEFf
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9ba3f5bfd4750bb9_installtime2008052906
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
Size 10.0B
Processes 816 (firefox.exe)
Type ASCII text, with no line terminators
MD5 fd1e576d2632870b8dac666617fdcc01
SHA1 fd8c9e194199d9b2cd3cf321a1b69a9150a21b10
SHA256 9ba3f5bfd4750bb9894cc6e62e504bd6fb21d56fb0a8fa3188fcf145818c72a8
CRC32 082038A5
ssdeep 3:JRLn:fLn
Yara None matched
Name f15b0b996c57fdea_xul.mfl
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\z3sxklrh.default\XUL.mfl
Size 29.0KB
Processes 596 (firefox.exe)
Type Mozilla XUL fastload data
MD5 4df725f7c12960a0c736952d93660c21
SHA1 f033084294c7986c0e56fc033faf051cfb742c65
SHA256 f15b0b996c57fdea97d345fd1cddceeffa15759573f1e73404cbdc835dd06283
CRC32 1BC0942A
ssdeep 768:RXcMalINlt7B15tyP/PaiSKTtXBMQPnNRO1KVs2vjQRWEL:RXc7INlt7B15tyniiSKTtXBMQlRO1KVW
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
Sorry! No dropped buffers.
Task ID 1189
Mongo ID 5c459f4411d30812ab71f119
Cuckoo release 2.0-dev