URL Details

URL
http://nvipgfrdixwl.com/

Score

This URL shows some signs of potential malicious behavior.

The score of this URL is 1.2 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature. The score here comes from the signatures listed further down, all of which were raised by the two processes the sandbox itself started (cmd.exe and the Firefox instance it launched to open the URL) during normal browser start-up and profile housekeeping, so read 1.2 as "nothing beyond the browser's own behaviour was observed" rather than as evidence about the site itself.

Information on Execution

Category  Started                    Completed                  Duration     Logs
URL       Jan. 21, 2019, 5:17 a.m.   Jan. 21, 2019, 5:22 a.m.   298 seconds

Machine

Name           Label          Started On           Shutdown On
winxpsp3pro32  winxpsp3pro32  2019-01-21 05:17:14  2019-01-21 05:22:12

Analyzer Log

2019-01-21 03:17:12,000 [analyzer] DEBUG: Starting analyzer from: C:\xovtosfc
2019-01-21 03:17:12,046 [analyzer] DEBUG: Pipe server name: \\.\PIPE\WIxUIUjvSMcUXtWAZbK
2019-01-21 03:17:12,046 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\WbCZCxDENMhCfhpwQFkZX
2019-01-21 03:17:15,015 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-21 03:17:15,203 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 03:17:15,203 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 03:17:15,265 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-21 03:17:15,265 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-21 03:17:15,265 [analyzer] DEBUG: Started auxiliary module Human
2019-01-21 03:17:15,265 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-21 03:17:15,265 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-21 03:17:15,530 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-21 03:17:15,530 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-21 03:17:15,765 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"imEpDpA"', 'http://nvipgfrdixwl.com/'] and pid 400
2019-01-21 03:17:16,046 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 03:17:16,046 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 03:17:16,187 [analyzer] DEBUG: Loaded monitor into process with pid 400
2019-01-21 03:17:16,717 [analyzer] INFO: Injected into process with pid 1452 and name u'firefox.exe'
2019-01-21 03:17:17,375 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 03:17:17,375 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-21 03:17:17,467 [analyzer] DEBUG: Loaded monitor into process with pid 1452
2019-01-21 03:17:19,108 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite-journal
2019-01-21 03:17:19,140 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-21.json
2019-01-21 03:17:24,655 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
2019-01-21 03:17:35,437 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite-journal
2019-01-21 03:17:36,140 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite-journal
2019-01-21 03:17:36,328 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
2019-01-21 03:17:36,703 [analyzer] DEBUG: Received request to inject pid=1452, but we are already injected there.
2019-01-21 03:17:38,421 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite-journal
2019-01-21 03:17:38,546 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
2019-01-21 03:17:38,875 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
2019-01-21 03:17:42,828 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
2019-01-21 03:17:43,983 [lib.api.process] INFO: Memory dump of process with pid 400 completed
2019-01-21 03:17:44,046 [analyzer] INFO: Process with pid 400 has terminated
2019-01-21 03:17:48,296 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:17:48,375 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
2019-01-21 03:17:48,437 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:17:48,671 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:17:48,796 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:17:48,842 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:17:49,015 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
2019-01-21 03:21:32,140 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-21 03:21:39,625 [lib.api.process] INFO: Memory dump of process with pid 1452 completed
2019-01-21 03:21:39,625 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-21 03:21:39,625 [lib.api.process] INFO: Successfully terminated process with pid 1452.
2019-01-21 03:21:40,171 [analyzer] INFO: Analysis completed.
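The analyzer log above is plain Python logging output and turns into a triage summary with a few regular expressions. The parser below is an added example written for this page, not code from the Cuckoo project. Its input is a constructed string holding a subset of lines copied from the log above. It reconstructs which processes the monitor covered (cmd.exe pid 400 started by the analyzer, firefox.exe pid 1452 picked up by injection), parses the launch arguments, counts which files each process created (SQLite journal files are created and removed repeatedly, which is why downloads.sqlite-journal shows up several times in the log), flags a run that ended on the analysis timeout, and lists any created file that is not inside a Firefox profile directory. The profile-path marker is an assumption made for this report's layout.

```python
import ast
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of lines copied from the analyzer log above.
# A raw string keeps the backslashes in the Windows paths exactly as logged
# (the 'executed process' line carries doubled backslashes because the
# analyzer logged a Python repr of the path).
SAMPLE_LOG = r"""
2019-01-21 03:17:15,265 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-21 03:17:15,765 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"imEpDpA"', 'http://nvipgfrdixwl.com/'] and pid 400
2019-01-21 03:17:16,187 [analyzer] DEBUG: Loaded monitor into process with pid 400
2019-01-21 03:17:16,717 [analyzer] INFO: Injected into process with pid 1452 and name u'firefox.exe'
2019-01-21 03:17:19,108 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite-journal
2019-01-21 03:17:43,983 [lib.api.process] INFO: Memory dump of process with pid 400 completed
2019-01-21 03:17:44,046 [analyzer] INFO: Process with pid 400 has terminated
2019-01-21 03:17:48,296 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:17:48,437 [analyzer] INFO: Added new file to list with pid 1452 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-21 03:21:32,140 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-21 03:21:39,625 [lib.api.process] INFO: Memory dump of process with pid 1452 completed
"""

# "<date> <time> [<source>] <LEVEL>: <message>" is the analyzer's log line format.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")

# Message shapes that carry a pid; the first matching pattern wins.
EVENT_RES = {
    "executed": re.compile(r"Successfully executed process from path '(?P<path>[^']+)' "
                           r"with arguments (?P<args>\[.*\]) and pid (?P<pid>\d+)$"),
    "injected": re.compile(r"Injected into process with pid (?P<pid>\d+) and name u?'(?P<name>[^']+)'$"),
    "monitored": re.compile(r"Loaded monitor into process with pid (?P<pid>\d+)$"),
    "new_file": re.compile(r"Added new file to list with pid (?P<pid>\d+) and path (?P<path>.+)$"),
    "memdump": re.compile(r"Memory dump of process with pid (?P<pid>\d+) completed$"),
    "terminated": re.compile(r"Process with pid (?P<pid>\d+) has terminated$"),
}

# Assumption for this report's layout: Firefox profile data lives under this path fragment.
BROWSER_PROFILE_MARKER = "\\Mozilla\\Firefox\\Profiles\\"


def parse_analyzer_log(text):
    """Return (processes, files_by_pid, flags).

    processes:    pid -> {"name", "path", "args", "events": [(timestamp, kind), ...]}
    files_by_pid: pid -> Counter of created paths (repeats are counted, so a journal
                  file that was recreated several times shows its count)
    flags:        run-level observations, e.g. {"timeout"} when the run was cut short
                  by the analysis timeout instead of ending because the sample exited
    """
    processes = defaultdict(lambda: {"name": None, "path": None, "args": None, "events": []})
    files_by_pid = defaultdict(Counter)
    flags = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if msg.startswith("Analysis timeout hit"):
            flags.add("timeout")
            continue
        for kind, pattern in EVENT_RES.items():
            hit = pattern.search(msg)
            if not hit:
                continue
            pid = int(hit.group("pid"))
            proc = processes[pid]
            proc["events"].append((ts, kind))
            if kind == "executed":
                # Undo the repr doubling so the path compares equal to a normal Windows path.
                proc["path"] = hit.group("path").replace("\\\\", "\\")
                proc["name"] = proc["path"].rsplit("\\", 1)[-1].lower()
                try:
                    proc["args"] = ast.literal_eval(hit.group("args"))  # logged as a Python list
                except (ValueError, SyntaxError):
                    proc["args"] = hit.group("args")
            elif kind == "injected":
                proc["name"] = hit.group("name").lower()
            elif kind == "new_file":
                files_by_pid[pid][hit.group("path")] += 1
            break
    return dict(processes), dict(files_by_pid), flags


def files_outside_profile(files_by_pid, marker=BROWSER_PROFILE_MARKER):
    """Created paths that are not browser profile housekeeping: read these first."""
    return sorted(p for counter in files_by_pid.values() for p in counter if marker not in p)


def summarize(processes, files_by_pid, flags):
    """Render a short triage summary, one block per monitored process."""
    lines = []
    for pid in sorted(processes):
        proc = processes[pid]
        kinds = [kind for _, kind in proc["events"]]
        lines.append(f"pid {pid} {proc['name'] or '?'}: " + ", ".join(kinds))
        if proc["args"]:
            lines.append(f"    args: {proc['args']}")
        for path, count in files_by_pid.get(pid, Counter()).most_common():
            lines.append(f"    created {path}" + (f" (x{count})" if count > 1 else ""))
    if "timeout" in flags:
        lines.append("run ended by the analysis timeout, not by the sample exiting")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(*parse_analyzer_log(SAMPLE_LOG)))
```

Run against the full log, `files_outside_profile` is the quickest way to see whether a browser run dropped anything outside its own profile; for this report every created file sits under the profile directory.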

Cuckoo Log

2019-01-21 05:17:14,558 [lib.cuckoo.core.scheduler] INFO: Task #1190: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-21 05:17:14,572 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 7406 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/1190/dump.pcap)
2019-01-21 05:17:38,592 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-21 05:22:10,948 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-21 05:24:46,656 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-21 05:24:51,654 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f573810>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:51,656 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[same urllib3/httplib traceback as above]
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f573250>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:51,657 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[same urllib3/httplib traceback as above]
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f5739d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:51,658 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[same urllib3/httplib traceback as above]
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f573810>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-21 05:24:51,659 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f573810>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f573810>: Failed to establish a new connection: [Errno 111] Connection refused)

The Suricata warning and this ElasticSearch failure are host-side post-processing problems (no suricata binary on the host, nothing listening on 127.0.0.1:9200), not problems inside the guest: the behavioural data above was collected normally, but no Suricata alerts were produced for the pcap and the report was never indexed.

Signatures

Queries for the computername (2 events)
Time                       API               Arguments                       Status   Return  Repeated
Jan. 21, 2019, 12:17 a.m.  GetComputerNameW  computer_name: ZAMEN-D4C44BD73  success  1       0
Jan. 21, 2019, 12:17 a.m.  GetComputerNameA  computer_name: ZAMEN-D4C44BD73  success  1       0
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Mozilla Firefox\chrome\classic.manifest
Starts servers listening on 127.0.0.1 (6 events)
Time                       API     Arguments                                        Status   Return  Repeated
Jan. 21, 2019, 12:17 a.m.  bind    socket: 432, ip_address: 127.0.0.1, port: 0      success  0       0
Jan. 21, 2019, 12:17 a.m.  listen  socket: 432, backlog: 5                          success  0       0
Jan. 21, 2019, 12:17 a.m.  accept  socket: 432, ip_address: 127.0.0.1, port: 1042   success  456     0
Jan. 21, 2019, 12:17 a.m.  bind    socket: 644, ip_address: 127.0.0.1, port: 0      success  0       0
Jan. 21, 2019, 12:17 a.m.  listen  socket: 644, backlog: 5                          success  0       0
Jan. 21, 2019, 12:17 a.m.  accept  socket: 644, ip_address: 127.0.0.1, port: 1045   success  664     0
(Port 0 on bind means the OS assigned an ephemeral port; the ip_address and port shown on accept are the connecting peer's, which here is always 127.0.0.1.)
Creates executable files on the filesystem (1 event)
file C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
(The match is on the .js extension. sessionstore.js is Firefox's own session-restore state file, rewritten inside the profile directory on every run, so this hit is expected browser behaviour rather than a dropped payload.)
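The six socket events above are two instances of one pattern: bind 127.0.0.1 with port 0, listen, then accept exactly one connection that also comes from 127.0.0.1. That is how a process builds a loopback socket pair for an internal wake-up channel (Firefox's NSPR runtime does this on Windows), and it is a different thing from a listener another host could reach. The script below is an added example, not Cuckoo's signature code. It groups bind/listen/accept calls by socket handle, classifies the bind address, and flags only listeners that are not loopback-only or that accepted a non-loopback peer, which is the distinction the signature title alone does not make. PAGE_EVENTS transcribes the table above; HYPOTHETICAL_EVENTS is constructed to show a listener that would be flagged (the 0.0.0.0:4444 bind and the 192.168.128.1 peer are invented).

```python
import ipaddress

# Constructed sample: the six events from the "Starts servers listening" signature
# above, transcribed one dict per API call (return value as shown in the table).
PAGE_EVENTS = [
    {"api": "bind",   "socket": 432, "ip_address": "127.0.0.1", "port": 0,    "return": 0},
    {"api": "listen", "socket": 432, "backlog": 5,                            "return": 0},
    {"api": "accept", "socket": 432, "ip_address": "127.0.0.1", "port": 1042, "return": 456},
    {"api": "bind",   "socket": 644, "ip_address": "127.0.0.1", "port": 0,    "return": 0},
    {"api": "listen", "socket": 644, "backlog": 5,                            "return": 0},
    {"api": "accept", "socket": 644, "ip_address": "127.0.0.1", "port": 1045, "return": 664},
]

# Hypothetical events (invented, not from this report): a bind to every interface
# on a fixed port followed by a connection accepted from another host.
HYPOTHETICAL_EVENTS = [
    {"api": "bind",   "socket": 900, "ip_address": "0.0.0.0",       "port": 4444,  "return": 0},
    {"api": "listen", "socket": 900, "backlog": 1,                                  "return": 0},
    {"api": "accept", "socket": 900, "ip_address": "192.168.128.1", "port": 50213, "return": 912},
]

SOCKET_ERROR = -1             # Winsock failure return for bind()/listen()
INVALID_SOCKET = 0xFFFFFFFF   # Winsock failure return for accept() (32-bit handle)


def bind_scope(ip):
    """'loopback' for 127/8 or ::1, 'any' for 0.0.0.0 or ::, otherwise 'interface'."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "any"
    if addr.is_loopback:
        return "loopback"
    return "interface"


def classify_listeners(events):
    """Group successful bind/listen/accept calls by socket handle.

    Returns {socket: {"bind": (ip, port), "scope": str, "listening": bool,
                      "peers": [(ip, port), ...]}}. A bind port of 0 means the OS
    chose an ephemeral port, so the peer addresses seen on accept() are the only
    hint about who actually connected.
    """
    listeners = {}
    for ev in events:
        entry = listeners.setdefault(
            ev["socket"], {"bind": None, "scope": None, "listening": False, "peers": []})
        if ev["api"] == "bind" and ev["return"] != SOCKET_ERROR:
            entry["bind"] = (ev["ip_address"], ev["port"])
            entry["scope"] = bind_scope(ev["ip_address"])
        elif ev["api"] == "listen" and ev["return"] != SOCKET_ERROR:
            entry["listening"] = True
        elif ev["api"] == "accept" and ev["return"] not in (SOCKET_ERROR, INVALID_SOCKET):
            entry["peers"].append((ev["ip_address"], ev["port"]))
    return listeners


def escalate(listeners):
    """Socket handles worth a closer look: an active listener that is not bound to
    loopback, or one that accepted a connection from a non-loopback peer."""
    flagged = []
    for sock, entry in sorted(listeners.items()):
        if not entry["listening"] or entry["bind"] is None:
            continue
        remote_peer = any(not ipaddress.ip_address(ip).is_loopback for ip, _ in entry["peers"])
        if entry["scope"] != "loopback" or remote_peer:
            flagged.append(sock)
    return flagged


def describe(listeners):
    """One line per listener for the triage notes."""
    out = []
    for sock, e in sorted(listeners.items()):
        ip, port = e["bind"] or ("?", "?")
        peers = ", ".join(f"{p}:{n}" for p, n in e["peers"]) or "none"
        out.append(f"socket {sock}: bound {ip}:{port} ({e['scope']}), "
                   f"listening={e['listening']}, accepted from {peers}")
    return "\n".join(out)


if __name__ == "__main__":
    for label, events in (("report", PAGE_EVENTS), ("hypothetical", HYPOTHETICAL_EVENTS)):
        listeners = classify_listeners(events)
        print(f"[{label}]\n{describe(listeners)}\nescalate: {escalate(listeners) or 'nothing'}")
```

For the events in this report `escalate` returns nothing: both sockets are loopback-bound on ephemeral ports and only ever accept from 127.0.0.1. The invented 0.0.0.0:4444 listener is flagged both for its bind scope and for its non-loopback peer.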

Network

Summary

Process cmd.exe (400)

Process firefox.exe (1452)

  • Opened files

    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cert8.db
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\
    • C:\Program Files\Mozilla Firefox\browserconfig.properties
    • C:\WINDOWS\system32\CONFIG.NT
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.ini
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.cache
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Program Files\Mozilla Firefox\modules\DownloadUtils.jsm
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\WINDOWS\system32\12520437.cpx
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_003_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\mimeTypes.rdf
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compatibility.ini
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\permissions.sqlite
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\xpti.dat
    • C:\WINDOWS\system32\sndvol32.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compreg.dat
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\search.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\content-prefs.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\WINDOWS\system32\ntdos.sys
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_002_
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Program Files\Mozilla Firefox\foxyproxy.xml
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XUL.mfl
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.rdf
    • C:\WINDOWS\system32\msdmo.dll
    • C:\Program Files\Mozilla Firefox\blocklist.xml
    • C:\WINDOWS\system32\VEN2232.OLB
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\secmod.db
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_001_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\WINDOWS\system32\icfgnt5.dll
    • C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files\Mozilla Firefox\modules\PluralForm.jsm
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\WINDOWS\system32\acctres.dll
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\WINDOWS\system32\xpsp2res.dll
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\WINDOWS\system32\kbdusx.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\key3.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\localstore.rdf
    • C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\WINDOWS\system32\access.cpl
    • C:\WINDOWS\system32\dplayx.dll
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\WINDOWS\system32\query.dll
  • Written files

    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-21.json
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite-journal
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
  • Files Read

    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cert8.db
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.rdf
    • C:\Program Files\Mozilla Firefox\browserconfig.properties
    • C:\WINDOWS\system32\CONFIG.NT
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.ini
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.cache
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\WINDOWS\system32\12520437.cpx
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_003_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\mimeTypes.rdf
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compatibility.ini
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\permissions.sqlite
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\xpti.dat
    • C:\WINDOWS\system32\sndvol32.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compreg.dat
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\search.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\content-prefs.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\WINDOWS\system32\ntdos.sys
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_002_
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Program Files\Mozilla Firefox\foxyproxy.xml
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XUL.mfl
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
    • C:\WINDOWS\system32\msdmo.dll
    • C:\Program Files\Mozilla Firefox\blocklist.xml
    • C:\WINDOWS\system32\VEN2232.OLB
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\secmod.db
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_001_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\WINDOWS\system32\icfgnt5.dll
    • C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\WINDOWS\system32\acctres.dll
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
    • C:\WINDOWS\system32\xpsp2res.dll
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\WINDOWS\system32\kbdusx.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\key3.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\localstore.rdf
    • C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\WINDOWS\system32\access.cpl
    • C:\WINDOWS\system32\dplayx.dll
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\WINDOWS\system32\query.dll

Process cmd.exe (400)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\TimeZoneKeyName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Tzi
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Dlt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Std
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Process firefox.exe (1452)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/DTPlugin,version=11.111.2
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_111
    • HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Plug-in\1.8.0_111
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0_07
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
    • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_CLASSES_ROOT\.dtd
    • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=11.111.2
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    • HKEY_CLASSES_ROOT\.js
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
    • HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
    • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
    • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
    • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Plug-in\1.7.0_07
    • HKEY_CURRENT_USER\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
    • HKEY_CURRENT_USER\http\shell\open\command\(Default)
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastListenLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0_07\JavaHome
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl
    • HKEY_CURRENT_USER\https\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UpdateSecurityLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateZoneExcludeFile
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenBadTlds
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap\LdapClientIntegrity
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsTest
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_CURRENT_USER\https\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\BrowserJavaVersion
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Extension
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PrioritizeRecordData
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\Content Type
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsNbtLookupOrder
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServerPriorityTimeLimit
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterWanAdapters
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=11.111.2\Path
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsMulticastQueryTimeouts
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_111\JavaHome
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Installation Directory
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AdapterTimeoutLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationMaxAddressCount
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationTTL
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableDynamicUpdate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\AllowUnqualifiedQuery
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQueryTimeouts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseDomainNameDevolution
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseEdns
    • HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSendLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxNegativeCacheTtl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AppendToMultiLabelName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableAdapterDomainName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCachedSockets
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterAdapterName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/DTPlugin,version=11.111.2\Path
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\http\DefaultIcon\(Default)
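Most of the registry activity above is baseline: cmd.exe queries Command Processor\AutoRun (and the other Command Processor values) on every start, and Firefox checks its own protocol handlers, the DNS client parameters and the Java/Acrobat plugin paths when it launches. The same keys become interesting when a process writes to them, since AutoRun runs an arbitrary command each time cmd.exe starts and HKEY_CLASSES_ROOT\HTTP\shell\open\command decides which program receives every clicked link. The script below is an added example (not from the Cuckoo report or from Cuckoo itself) that parses the flattened "Registry keys opened/read" listing into events and scores them against a watchlist, so reads of sensitive keys surface as informational and writes as alerts. The sample text copies lines from the two process sections above; the final "Registry keys written" entry is constructed (no write was logged in this analysis) to show how a real modification would be scored, and the watchlist is this editor's own selection.

```python
"""Triage the registry activity Cuckoo logged per process.

Added example; not part of the Cuckoo report or of Cuckoo itself.  SAMPLE
reproduces registry lines from the report for cmd.exe (400) and
firefox.exe (1452); the final "Registry keys written" entry is constructed
(no write was logged) to show how a real modification would be scored.
WATCHLIST is this editor's own selection of keys worth a second look.
"""
import re
from collections import Counter

# Locations an attacker writes to.  A read or open here is baseline behaviour
# (cmd.exe queries AutoRun on every start, Firefox checks its URL handlers);
# a write or delete deserves an alert.
WATCHLIST = [
    (re.compile(r"\\Command Processor\\AutoRun$", re.I),
     "cmd.exe executes this value at every start (persistence)"),
    (re.compile(r"^HKEY_CLASSES_ROOT\\(HTTPS?|FirefoxURL|FirefoxHTML)\\shell\\open\\command$", re.I),
     "URL/file protocol handler; rewriting it hijacks every link click"),
    (re.compile(r"\\Dnscache\\Parameters\\UseHostsFile$", re.I),
     "controls whether the hosts file may override DNS answers"),
    (re.compile(r"\\CurrentVersion\\Internet Settings$", re.I),
     "WinINet proxy and autodial settings"),
]

PROCESS_RE = re.compile(r"^Process (\S+) \((\d+)\)$")
SECTION_RE = re.compile(r"^\s*• Registry keys (opened|read|written|deleted)$")
KEY_RE = re.compile(r"^\s*• (HKEY_\S.*)$")

SAMPLE = r"""
Process cmd.exe (400)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Process firefox.exe (1452)

  • Registry keys opened

    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
"""
# The "written" section above is constructed; the report logged no registry writes.


def parse_registry_events(text):
    """Return (process, operation, key) tuples from Cuckoo's flattened behaviour listing."""
    events, process, op = [], None, None
    for line in text.splitlines():
        if m := PROCESS_RE.match(line):
            process, op = f"{m.group(1)} ({m.group(2)})", None
        elif m := SECTION_RE.match(line):
            op = m.group(1)
        elif (m := KEY_RE.match(line)) and process and op:
            events.append((process, op, m.group(1).rstrip()))
    return events


def triage(events):
    """Match each event against WATCHLIST; writes/deletes are alerts, reads and opens info."""
    findings = []
    for process, op, key in events:
        for pattern, why in WATCHLIST:
            if pattern.search(key):
                findings.append({
                    "process": process, "op": op, "key": key, "why": why,
                    "severity": "alert" if op in ("written", "deleted") else "info",
                })
                break
    return findings


def severity_counts(findings):
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    found = triage(parse_registry_events(SAMPLE))
    for f in found:
        print(f"[{f['severity']:5}] {f['process']:20} {f['op']:8} {f['key']}  # {f['why']}")
    print(severity_counts(found))
```

Run against the real report sections the script yields only informational hits, which is the expected outcome for a sandbox run in which the URL was never reached; the point of keeping the watchlist separate from the parser is that the same list can be applied to a "Registry keys written" section from a different task without touching the parsing.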

Process cmd.exe (400)

Process firefox.exe (1452)

  • Mutexes accessed

    • MSCTF.Shared.MUTEX.EFG
    • Local\FirefoxStartupMutex

Process cmd.exe (400)

  • Directories enumerated

    • C:\Documents and Settings
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\WINDOWS
    • C:\WINDOWS\WinSxS
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll

Process firefox.exe (1452)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Application Data
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\0
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox
    • C:\Program Files
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default
    • C:\Documents and Settings\zamen\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles
    • C:\Program Files\Mozilla Firefox
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox
    • C:\Documents and Settings\zamen\Application Data
  • Directories enumerated

    • C:\WINDOWS\system32\1054
    • C:\WINDOWS\system32\VEN2232.OLB
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\secmod.db
    • C:\WINDOWS\system32\CONFIG.NT
    • C:\Program Files\Mozilla Firefox\plugins\*
    • C:\Program Files\Mozilla Firefox\greprefs\*
    • C:\WINDOWS\system32\1037
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cert8.db
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\Program Files\Adobe\Reader 9.0\Reader\Browser\*
    • C:\WINDOWS\system32\1033
    • C:\WINDOWS\system32\1031
    • C:\Program Files\Mozilla Firefox\components\*
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\*
    • C:\Program Files\Mozilla Firefox\chrome\*
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\key3.db
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Windows Media Player\*
    • C:\WINDOWS\system32\icfgnt5.dll
    • C:\Program Files\Mozilla Firefox\extensions\*
    • C:\WINDOWS\system32\access.cpl
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\*
    • C:\WINDOWS\system32\2052
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\defaults\pref\*
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Program Files\Java\jre1.8.0_111\bin\plugin2\*
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\*
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\*
    • C:\WINDOWS\system32\sndvol32.exe
    • C:\WINDOWS\system32\3076
    • C:\WINDOWS
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\*
    • C:\WINDOWS\system32\3com_dmi
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32
    • C:\WINDOWS\system32\1025
    • C:\WINDOWS\system32\1042
    • C:\WINDOWS\system32\1041
    • C:\WINDOWS\system32\acctres.dll
    • C:\WINDOWS\system32\1028
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\*
    • C:\Program Files\Mozilla Firefox\searchplugins\*
    • C:\WINDOWS\system32\ntdos.sys
    • C:\WINDOWS\system32\dplayx.dll
    • C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\*
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\*
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\*
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\*
    • C:\WINDOWS\system32\config
    • C:\WINDOWS\system32\xpsp2res.dll
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\*
    • C:\Program Files\Java\jre1.8.0_111\bin\*
    • C:\WINDOWS\system32\*.*
    • C:\WINDOWS\system32\12520437.cpx
    • C:\WINDOWS\system32\kbdusx.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions\*
    • C:\WINDOWS\system32\msdmo.dll
    • C:\WINDOWS\system32\query.dll

Process cmd.exe (400)

  • Processes created

    • http://nvipgfrdixwl.com/
    • "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "http://nvipgfrdixwl.com/"
  • DLLs Loaded

    • SHELL32.dll
    • Kernel32.DLL
    • UXTHEME.DLL
    • oleaut32.dll
    • ADVAPI32.dll
    • MSImg32.dll
    • user32.dll
    • Comctl32.dll

Process firefox.exe (1452)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
    • C:\Program Files\Mozilla Firefox\freebl3.dll
    • C:\Program Files\Mozilla Firefox\softokn3.dll
    • iphlpapi.dll
    • C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
    • msimg32
    • DNSAPI.dll
    • C:\Program Files\Mozilla Firefox\nssdbm3.dll
    • uxtheme.dll
    • OLE32
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default/nssckbi.dll
    • C:\WINDOWS\System32\mswsock.dll
    • advapi32.dll
    • Shell32.dll
    • rpcrt4.dll
    • OLE32.DLL
    • C:\WINDOWS\System32\winrnr.dll
    • C:\Program Files\Mozilla Firefox\nssckbi.dll
    • ws2_32.dll

No static analysis available.
No antivirus signatures available.

Process Tree


cmd.exe, PID: 400, Parent PID: 1312

firefox.exe, PID: 1452, Parent PID: 400

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

Source Source Port Destination Destination Port
192.168.128.102 1066 192.168.128.112 139
192.168.128.102 1071 192.168.128.112 139
192.168.128.102 1072 192.168.128.112 139

UDP

Source Source Port Destination Destination Port
192.168.128.102 1025 192.168.128.111 53
192.168.128.102 1052 192.168.128.111 53
192.168.128.102 1056 192.168.128.111 53
192.168.128.102 137 192.168.128.112 137
192.168.128.102 137 192.168.128.255 137
192.168.128.102 138 192.168.128.255 138
192.168.128.112 138 192.168.128.102 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts
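The network tables deserve a second look before trusting the score. Cuckoo reports "No hosts contacted" and "No HTTP requests performed", yet the UDP table shows three queries from the guest (.102) to a resolver at .111 on port 53: a name was looked up, presumably nvipgfrdixwl.com, but no connection to any web server followed, which is consistent with the name failing to resolve or with the VM having no route out (the report does not say which). The TCP rows to .112:139 and the UDP rows on 137/138, including the .255 broadcasts, are NetBIOS name service, datagram and session traffic between the XP guest and a LAN neighbour, and no process in the report is attributed to them. The URL's content therefore never entered the analysis, and the 1.2/10 score says nothing about what it would have served. The script below is an added example (not part of the Cuckoo report) that classifies the flows from the two tables and returns that conclusion as data; the /24 sandbox subnet, the guest address and the roles of .111 and .112 are inferred from the rows, not stated by Cuckoo.

```python
"""Classify the sandbox network flows from the report's TCP/UDP tables.

Added example; not part of the Cuckoo report.  FLOWS copies the rows of the
TCP and UDP tables.  The /24 sandbox subnet, the guest address (.102) and
the roles of .111 (DNS resolver) and .112 (a NetBIOS/SMB peer) are inferred
from those rows; Cuckoo does not state them.
"""
import ipaddress

FLOWS = [  # (proto, src, sport, dst, dport), copied from the report's tables
    ("tcp", "192.168.128.102", 1066, "192.168.128.112", 139),
    ("tcp", "192.168.128.102", 1071, "192.168.128.112", 139),
    ("tcp", "192.168.128.102", 1072, "192.168.128.112", 139),
    ("udp", "192.168.128.102", 1025, "192.168.128.111", 53),
    ("udp", "192.168.128.102", 1052, "192.168.128.111", 53),
    ("udp", "192.168.128.102", 1056, "192.168.128.111", 53),
    ("udp", "192.168.128.102", 137, "192.168.128.112", 137),
    ("udp", "192.168.128.102", 137, "192.168.128.255", 137),
    ("udp", "192.168.128.102", 138, "192.168.128.255", 138),
    ("udp", "192.168.128.112", 138, "192.168.128.102", 138),
]

GUEST = ipaddress.ip_address("192.168.128.102")         # inferred: the analysis VM
SANDBOX_NET = ipaddress.ip_network("192.168.128.0/24")  # inferred from the addresses

# Well-known ports that explain every row above, plus the web ports that would
# appear if the URL had actually been fetched.
SERVICES = {
    ("udp", 53): "dns", ("tcp", 53): "dns",
    ("udp", 137): "netbios-ns", ("udp", 138): "netbios-dgm",
    ("tcp", 139): "netbios-ssn/smb", ("tcp", 445): "smb",
    ("tcp", 80): "http", ("tcp", 443): "https",
}


def classify(flow):
    """Label one flow with its service, its scope (lan/broadcast/external) and its direction."""
    proto, src, sport, dst, dport = flow
    dst_ip = ipaddress.ip_address(dst)
    service = (SERVICES.get((proto, dport)) or SERVICES.get((proto, sport))
               or f"{proto}/{dport}")
    if dst_ip == SANDBOX_NET.broadcast_address:
        scope = "broadcast"
    elif dst_ip in SANDBOX_NET:
        scope = "lan"
    else:
        scope = "external"
    direction = "outbound" if ipaddress.ip_address(src) == GUEST else "inbound"
    return {"service": service, "scope": scope, "direction": direction}


def summarize(flows):
    """Aggregate the flows and decide whether anything resembling a web fetch happened."""
    summary = {"services": set(), "dns_queries": 0, "web_flows": 0,
               "external_flows": 0, "inbound_flows": 0}
    for flow in flows:
        c = classify(flow)
        summary["services"].add(c["service"])
        summary["dns_queries"] += int(c["service"] == "dns" and c["direction"] == "outbound")
        summary["web_flows"] += int(c["service"] in ("http", "https"))
        summary["external_flows"] += int(c["scope"] == "external")
        summary["inbound_flows"] += int(c["direction"] == "inbound")
    # Name resolution was attempted, but no flow ever reached a web server.
    summary["url_fetched"] = summary["web_flows"] > 0
    return summary


if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", classify(flow))
    print(summarize(FLOWS))
```

The useful output is the boolean at the end: a URL task whose summary shows dns_queries > 0 and web_flows == 0 should be re-run with working egress (or with an InetSim-style fake server) before its score is quoted anywhere.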

Name c07360caaf879fb6_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type data
MD5 48a135c24c2f13274d8c385685cf586d
SHA1 2e5b0e91b0f43c9ef13953cc42b0bb025cd3d31d
SHA256 c07360caaf879fb68c25b8361a0d7dc6b5616bc35031aa0a30c15ddff3e3594d
CRC32 92BB0E80
ssdeep 3:7FEG2l/Klvp//ll:7+/l/
Yara None matched
Name 71dc30bf31124062_sessionstore.js
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
Size 262.0B
Processes 1452 (firefox.exe)
Type ASCII text, with no line terminators
MD5 3bd5f516c8412ec62e549045c9d0f47a
SHA1 31abfa8a707d640125dcd9b0a1bfa531f8c1c204
SHA256 71dc30bf31124062a0b644045dde2a405fb9635f19d1adc19c0c2f4861109492
CRC32 8AF5F802
ssdeep 6:0XzguGXq9u4RnqcJ39WHpIfR09HlRvVGHu/Lqpkxh:0f9uPg9WHE09FR9GHqOpa
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 9edf390e0cce58f1_downloads.sqlite
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
Size 2.0KB
Processes 1452 (firefox.exe)
Type SQLite 3.x database, user version 8
MD5 05688621ebe96046ca140fe325f24da1
SHA1 f1ebff51a361d3b878e0161a941a8e2ceaf5dc7f
SHA256 9edf390e0cce58f1277033b84c419ea731aeb99e27394e256861594acc98f31f
CRC32 0DE984A0
ssdeep 12:HL/cMWlV6mbJB2AUzbyhSCeJtJE9KYTe:rmOXWhQJtJEUYa
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name d6c9d4d1a4ee7ab4_pluginreg.dat
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
Size 4.1KB
Processes 1452 (firefox.exe)
Type UTF-8 Unicode text
MD5 4f75b27210f276261b541aef7411d131
SHA1 9dc5d8307cc020c0b8803ea825007674c3518e76
SHA256 d6c9d4d1a4ee7ab4f742511a8709e553940f8d80b29dcff0a146cbf7085eb885
CRC32 051EE917
ssdeep 48:Z7RdnjFTlCyYyXVAyCCPtv4+M33Z69HJZY6nCGJZeZ9De8n1nJo2oD+Hs9HF8E22:PdZTljYyXqyTEs56LyzB6wnu8lxF
Yara
  • contentis_base64 - This rule finds for base64 strings
Name c17e2e0a02d280a0_places.sqlite
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
Size 136.0KB
Processes 1452 (firefox.exe)
Type SQLite 3.x database, user version 6
MD5 fca76a975deeb0172b1e8dc634003c0e
SHA1 c7e2ac8828b2163c8e615b4a604d16da19de7e36
SHA256 c17e2e0a02d280a062f021ed08b84304322e6e711d06e46fc6fb4717ed3c5d43
CRC32 717DC3B7
ssdeep 384:ZBnrMl1HpOC/924uBu1Xu1Pu1ju1Zcqu1M:DrMr1/924uv
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 74526bfe745e60aa__cache_map_
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
Size 8.3KB
Processes 1452 (firefox.exe)
Type raw G3 data, byte-padded
MD5 8b876137ecbb9404fec2ed367f6edb19
SHA1 e8cab7eee92e5d42096a2fb98efc523a863e91a1
SHA256 74526bfe745e60aae9a75642bbb83b875fdca8b45548316d8afe5273c68a4f6d
CRC32 9EC49CAF
ssdeep 3:6/:
Yara None matched
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 0cb50b9224eb208c_xpc.mfl
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
Size 2.1MB
Processes 1452 (firefox.exe)
Type Mozilla XUL fastload data
MD5 baa484595b75dcf8cddaed7299fa5649
SHA1 73376f58ed194d392d1517d90027c386594d2b81
SHA256 0cb50b9224eb208c443ff6d007319f107070adee5d13dc1dd5bbf5843943da2d
CRC32 69D3994F
ssdeep 12288:bLh0ne0JGAv3iJnhgycZRwXf5K+Esn76Aaea+3uKZgJGCm0T+FQ6MPGgk4cw+J59:WifRuLG/9JshvTkFw2RL
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
Name a0c2faf847d7acca_cookies.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type data
MD5 b12d6f04e4044f1e87a8efc8e9be77c2
SHA1 686027ab96e84666be91e6eed5fac530cbe80bbc
SHA256 a0c2faf847d7acca2e98e3c84d3d62edc549acd66909982cabb4159079f46b9f
CRC32 7A677F98
ssdeep 3:7FEGURulll7//ll:7+/YlH
Yara None matched
Name 83e243ebc2bf8871_urlclassifier3.sqlite
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
Size 32.0KB
Processes 1452 (firefox.exe)
Type SQLite 3.x database, user version 5
MD5 658fbf0e1f75a8dd6c160eaed00b828d
SHA1 37f10d0cd480ec2fbd191a2b03d5c18980ad44c1
SHA256 83e243ebc2bf88718a911871463cf60fdb8640c34fc3f98595806cf6b251d750
CRC32 C35F5DFF
ssdeep 48:TY5MYNe0Itr56DlkEqWERlDNcRvgKm3t6:MSj+vmt6
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name 0af354b718cfea45_formhistory.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type data
MD5 577df27aef16595402acc764adff4db1
SHA1 985ff9df78e5bb1fd0e625a6a4807fdeb4b5b6fa
SHA256 0af354b718cfea452bd770c31dcff9e692d2452fc6d7aeb331f5e41677fa963f
CRC32 A0DE7752
ssdeep 3:7FEG2l/b0zhtll:7+/l/b0
Yara None matched
VirusTotal Search for analysis
Name 285c13e9ed44339f_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type data
MD5 dd615fe75e7dabe303ccda5ecbe44492
SHA1 c327732fe9af5daa23deb87c0e0d100e9f425f90
SHA256 285c13e9ed44339f25574c78f28e6a6261bb4856ff6b2c8192e1625c2145050a
CRC32 92A8B8E8
ssdeep 3:7FEG2l/F3z/b//ll:7+/l/FD/
Yara None matched
VirusTotal Search for analysis
Name b94bb719fd11336a_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type data
MD5 82a0ae0c95b81a8cd205d83f85492be4
SHA1 8c977bf2327ac2edf6d945f4ce4dc4881020818e
SHA256 b94bb719fd11336af1ae6a216f840f8b702e08586b13df9148f400156dd69f6c
CRC32 ED9E842C
ssdeep 3:7FEG2l/hyP97//ll:7+/l/hyP
Yara None matched
VirusTotal Search for analysis
Name cd5439e65966fbb5_urlclassifier3.sqlite-journal
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite-journal
Size 24.0KB
Processes 1452 (firefox.exe)
Type data
MD5 6d1a92426afd2a9c286f65621d4ac3af
SHA1 827218cd14608ba5dbdeb4392bc3ca7453259912
SHA256 cd5439e65966fbb5736b0670664f4f208ae1a7c114584499d80793a28cba820f
CRC32 C49642C9
ssdeep 48:7eOwSERRgKjq2U5MYNe0Itr56DlkEqWERlDNG:7eOohjLUSjg
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name 27ef8fa66d2c46bd_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 2.0KB
Processes 1452 (firefox.exe)
Type data
MD5 d0dc264bcf070509ca41762f2a2638c9
SHA1 34dbcb3968955f7021d8344db058c60961c12671
SHA256 27ef8fa66d2c46bda5cb84b939f00cba5b0eaa744d2eec344b7462bfeca21b2c
CRC32 F37D339A
ssdeep 3:7FEG2l+uGlEztll0pMRgSCbNFl/sl/ldlShXllG4n:7+/lRGlQgpbNFlEXSu4
Yara
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name 2f20d3bf0611bb38_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type FoxPro FPT, blocks size 25559, next free block index 3654616569
MD5 7ecd8878327520dd59be2aec23939590
SHA1 a1d487145cab9e3a7cda6dd3ac229e31db93ed95
SHA256 2f20d3bf0611bb38f580d81ac6b2dc88651e2dd8b1e68d54c4fb7319770c6e1b
CRC32 E6D058E9
ssdeep 3:7FEG2l/qY/lDll:7+/l/L
Yara None matched
VirusTotal Search for analysis
Name 3b1dd2e52bb35105_bookmarks-2019-01-21.json
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-21.json
Size 3.9KB
Processes 1452 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 dd5fff216ee4b43bf7aa6ae478f7d0ee
SHA1 af09a0ba763a1cee7719a7e42e0e1b4b05b569c9
SHA256 3b1dd2e52bb35105c955d7cca42f1603623973cc7a7d76ca0a0e659d930dd958
CRC32 C46AA46A
ssdeep 48:YRzwtJcwkt2zb26dP/rzXu/G6XAGyNjQNzNT56JS+L+DlwkAGZ+2p2zMzP:EK8ubTdrzXb6XAGx+LOl1twwD
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
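Added example, not part of this Cuckoo report and not Cuckoo's own code: a Python script that parses dropped-file records in the form printed above and applies the consistency checks a practitioner would run over such a listing. It verifies that every Name is the first 16 hex digits of the file's SHA256 followed by "_" and the basename (which holds for each record above), that the 0-byte update.test entry's MD5, SHA1 and SHA256 are exactly the digests of empty input, that PEiD packer signatures firing on non-PE content (the XUL fastload cache and the SQLite databases above) are reported as byte-pattern coincidences rather than evidence of a packed executable, and that one on-disk path captured several times with different hashes (the downloads.sqlite-journal entries) is a file that was rewritten during the run. The sample input is copied from four of the records above; the field keys, the bullet handling and the PE-type regex are assumptions of this example.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample input: four records copied from the dropped-files listing
# above, in the order Cuckoo prints the fields (one record per "Name" line).
SAMPLE = r"""
Name 0cb50b9224eb208c_xpc.mfl
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
Size 2.1MB
Processes 1452 (firefox.exe)
Type Mozilla XUL fastload data
MD5 baa484595b75dcf8cddaed7299fa5649
SHA1 73376f58ed194d392d1517d90027c386594d2b81
SHA256 0cb50b9224eb208c443ff6d007319f107070adee5d13dc1dd5bbf5843943da2d
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Yara None matched
Name 285c13e9ed44339f_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type data
MD5 dd615fe75e7dabe303ccda5ecbe44492
SHA1 c327732fe9af5daa23deb87c0e0d100e9f425f90
SHA256 285c13e9ed44339f25574c78f28e6a6261bb4856ff6b2c8192e1625c2145050a
Yara None matched
Name 2f20d3bf0611bb38_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 1452 (firefox.exe)
Type FoxPro FPT, blocks size 25559, next free block index 3654616569
MD5 7ecd8878327520dd59be2aec23939590
SHA1 a1d487145cab9e3a7cda6dd3ac229e31db93ed95
SHA256 2f20d3bf0611bb38f580d81ac6b2dc88651e2dd8b1e68d54c4fb7319770c6e1b
Yara None matched
"""

# Digests of zero bytes: what a genuinely empty dropped file must report.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
}

# Assumed heuristic: libmagic describes Windows executables with "PE32" or
# "executable"; PEiD_* Yara rules are packer signatures meant for such files.
PE_TYPE = re.compile(r"\bPE32\b|executable", re.IGNORECASE)


def parse_dropped(text):
    """Split the report text into one dict per dropped file (assumed layout:
    'Key value' lines, a new record at each 'Name', Yara hits as bullet lines)."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("•"):  # one Yara hit: "rule_name - description"
            rec["Yara"].append(line.lstrip("•").strip().split(" - ", 1)[0])
            continue
        key, _, value = line.partition(" ")
        if key == "Name":
            rec = {"Name": value, "Yara": []}
            records.append(rec)
        elif key != "Yara":  # "Yara None matched" / bare "Yara" carry no value
            rec[key] = value
    return records


def name_matches_sha256(rec):
    """Dropped-file Name = first 16 hex digits of SHA256 + '_' + basename."""
    return rec["Name"].split("_", 1)[0] == rec["SHA256"][:16]


def is_empty_file(rec):
    """True only if all three digests are those of empty input."""
    return all(rec.get(alg) == d for alg, d in EMPTY_DIGESTS.items())


def misapplied_packer_rules(rec):
    """PEiD packer signatures that fired on a non-PE file type: a pattern
    coincidence in cache/database bytes, not evidence of a packed binary."""
    if PE_TYPE.search(rec.get("Type", "")):
        return []
    return [r for r in rec["Yara"] if r.startswith("PEiD_")]


def rewritten_paths(records):
    """Paths captured more than once with differing content (journal rewrites)."""
    by_path = defaultdict(set)
    for rec in records:
        if "Filepath" in rec:
            by_path[rec["Filepath"]].add(rec["SHA256"])
    return {p: len(h) for p, h in by_path.items() if len(h) > 1}


def triage(text):
    """Run every check over the listing and return the findings."""
    records = parse_dropped(text)
    packer_fp = {}
    for rec in records:
        hits = misapplied_packer_rules(rec)
        if hits:
            packer_fp[rec["Name"]] = hits
    return {
        "count": len(records),
        "name_mismatch": [r["Name"] for r in records if not name_matches_sha256(r)],
        "empty": [r["Name"] for r in records if is_empty_file(r)],
        "packer_fp": packer_fp,
        "rewritten": rewritten_paths(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

A Name whose prefix does not match the SHA256 would indicate a hand-edited or corrupted report rather than a sandbox artifact, which is why that check comes first; the other three findings are the ones that separate real dropped payloads from the browser's own profile churn in a listing like this.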
Sorry! No dropped buffers.
Task ID 1190
Mongo ID 5c459e2011d30812ab71f040
Cuckoo release 2.0-dev