URL Details

URL
http://kwdibnvxxmvh.com/

Score

This URL shows some signs of potential malicious behavior.

The score of this URL is 1.8 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category | Started | Completed | Duration | Logs
URL | Jan. 20, 2019, 1:46 p.m. | Jan. 20, 2019, 1:50 p.m. | 255 seconds |

Machine

Name | Label | Started On | Shutdown On
win7x64 | win7x64 | 2019-01-20 13:46:42 | 2019-01-20 13:50:58

Analyzer Log

2019-01-20 05:46:42,046 [analyzer] DEBUG: Starting analyzer from: C:\snnnyvva
2019-01-20 05:46:42,078 [analyzer] DEBUG: Pipe server name: \\.\PIPE\oIUfJQQXrulfXvboopOR
2019-01-20 05:46:42,078 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\bqBxBOrhRKkGHdOmKDLUAbALevx
2019-01-20 05:46:44,230 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-20 05:46:44,838 [analyzer] DEBUG: Loaded monitor into process with pid 508
2019-01-20 05:46:44,838 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-20 05:46:44,838 [analyzer] DEBUG: Started auxiliary module Human
2019-01-20 05:46:44,838 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-20 05:46:44,838 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-20 05:46:45,072 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-20 05:46:45,072 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2019-01-20 05:46:45,072 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-20 05:46:45,415 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' with arguments ['c:\\users\\zamen\\appdata\\local\\temp\\tmpsg4zol.html'] and pid 2352
2019-01-20 05:46:48,457 [analyzer] DEBUG: Loaded monitor into process with pid 2352
2019-01-20 05:46:49,596 [analyzer] DEBUG: Received request to inject pid=2352, but we are already injected there.
2019-01-20 05:46:51,562 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-journal
2019-01-20 05:46:51,594 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2019-01-20.json
2019-01-20 05:46:55,572 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
2019-01-20 05:46:57,217 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
2019-01-20 05:46:59,558 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
2019-01-20 05:46:59,744 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
2019-01-20 05:46:59,838 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
2019-01-20 05:46:59,993 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
2019-01-20 05:47:00,352 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
2019-01-20 05:47:01,164 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-stmtjrnl
2019-01-20 05:47:01,226 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
2019-01-20 05:47:08,434 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2019-01-20 05:47:08,450 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2019-01-20 05:47:08,450 [analyzer] INFO: Added new file to list with pid 2352 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
2019-01-20 05:50:47,848 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-20 05:50:50,484 [lib.api.process] INFO: Memory dump of process with pid 2352 completed
2019-01-20 05:50:50,484 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-20 05:50:50,484 [lib.api.process] INFO: Successfully terminated process with pid 2352.
2019-01-20 05:50:50,609 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\roaming\\mozilla\\firefox\\profiles\\l13jpjzr.default\\places.sqlite-stmtjrnl'" does not exist, skip.
2019-01-20 05:50:50,703 [analyzer] INFO: Analysis completed.

Cuckoo Log

2019-01-20 13:46:42,277 [lib.cuckoo.core.scheduler] INFO: Task #1179: acquired machine win7x64 (label=win7x64)
2019-01-20 13:46:42,299 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 5192 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/1179/dump.pcap)
2019-01-20 13:46:53,041 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2019-01-20 13:50:56,205 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2019-01-20 13:50:57,238 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2019-01-20 13:51:03,744 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-20 13:51:07,649 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f937f610e50>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-20 13:51:07,652 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f74c910>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f937f74c910>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (1 event)

Time | API | Arguments | Status | Return | Repeated
Jan. 20, 2019, 8:46 a.m. | GetComputerNameA | computer_name: ZAMEN-PC | success | 1 | 0

Tries to locate where the browsers are installed (1 event)

file: C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\nsIeTabWatchFactory.js

Starts servers listening on {0} (6 events)

Time | API | Arguments | Status | Return | Repeated
Jan. 20, 2019, 8:46 a.m. | bind | ip_address: 127.0.0.1, socket: 508, port: 0 | success | 0 | 0
Jan. 20, 2019, 8:46 a.m. | listen | socket: 508, backlog: 5 | success | 0 | 0
Jan. 20, 2019, 8:46 a.m. | accept | ip_address: 127.0.0.1, socket: 508, port: 49162 | success | 528 | 0
Jan. 20, 2019, 8:46 a.m. | bind | ip_address: 127.0.0.1, socket: 924, port: 0 | success | 0 | 0
Jan. 20, 2019, 8:46 a.m. | listen | socket: 924, backlog: 5 | success | 0 | 0
Jan. 20, 2019, 8:46 a.m. | accept | ip_address: 127.0.0.1, socket: 924, port: 49165 | success | 932 | 0

Creates executable files on the filesystem (1 event)

file: C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 event)

file: C:\Windows\SysWOW64\mfcsubs.dll

Screenshots

No screenshots available.

Network

Hosts

No hosts contacted.

Summary

Process firefox.exe (2352)

  • Opened files

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\quirk.css
    • C:\
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files (x86)\Mozilla Firefox\browserconfig.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Windows\System32\NlsData0039.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\mimeTypes.rdf
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • c:\Users\zamen\AppData\Local\Temp\tmpsg4zol.html
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Windows\System32\aclui.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compatibility.ini
    • C:\Program Files (x86)\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.cache
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.rdf
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\modules\DownloadUtils.jsm
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_001_
    • C:\Program Files (x86)\Mozilla Firefox\chrome\comm.manifest
    • C:\Windows\System32\ActionCenter.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files (x86)\Mozilla Firefox\application.ini
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\search.sqlite
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\res\ua.css
    • C:\Windows\System32\xwizards.dll
    • C:\Program Files (x86)\Mozilla Firefox\foxyproxy.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\content-prefs.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\permissions.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.manifest
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\forms.css
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.ini
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Windows\System32\grpconv.exe
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Program Files (x86)\Mozilla Firefox\blocklist.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\prefs.js
    • C:\Windows\System32\dinput.dll
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\modules\PluralForm.jsm
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files (x86)\Mozilla Firefox\components\browser.xpt
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\html.css
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XUL.mfl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_002_
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\xpti.dat
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\platform.ini
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\localstore.rdf
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.manifest
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_003_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compreg.dat
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Windows\System32\aaclient.dll
  • Written files

    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-stmtjrnl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2019-01-20.json
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
  • Files Read

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\quirk.css
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files (x86)\Mozilla Firefox\browserconfig.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Windows\System32\NlsData0039.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\mimeTypes.rdf
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • c:\Users\zamen\AppData\Local\Temp\tmpsg4zol.html
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Windows\System32\aclui.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compatibility.ini
    • C:\Program Files (x86)\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.cache
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.rdf
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_001_
    • C:\Program Files (x86)\Mozilla Firefox\chrome\comm.manifest
    • C:\Windows\System32\ActionCenter.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files (x86)\Mozilla Firefox\application.ini
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\search.sqlite
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\res\ua.css
    • C:\Windows\System32\xwizards.dll
    • C:\Program Files (x86)\Mozilla Firefox\foxyproxy.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\content-prefs.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\permissions.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.manifest
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\forms.css
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.ini
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Windows\System32\grpconv.exe
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Program Files (x86)\Mozilla Firefox\blocklist.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\prefs.js
    • C:\Windows\System32\dinput.dll
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files (x86)\Mozilla Firefox\components\browser.xpt
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\html.css
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XUL.mfl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_002_
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\xpti.dat
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\platform.ini
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\localstore.rdf
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.manifest
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_003_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compreg.dat
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Windows\System32\aaclient.dll

Process firefox.exe (2352)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\FileAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
    • HKEY_CLASSES_ROOT\.js
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\(Default)
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\
    • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
    • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\firefox.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\(Default)
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\(Default)
    • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\InstallPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp
    • HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\MIMEAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations
    • HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
    • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
    • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
    • HKEY_CURRENT_USER\Software\MozillaPlugins
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\StartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
    • HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
    • HKEY_CLASSES_ROOT\.dtd
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2
    • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2\Path
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\70F6B3D
    • HKEY_CURRENT_USER\HTTP\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Extension
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_CURRENT_USER\HTTPS\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\InstallPath\(Default)
    • HKEY_CURRENT_USER\HTTPS\DefaultIcon\(Default)
    • HKEY_CURRENT_USER\Software\Clients\StartMenuInternet\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\1603
    • HKEY_CURRENT_USER\HTTP\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\9999
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications\Firefox
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dtd\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312

Process firefox.exe (2352)

  • Mutexes accessed

    • Local\FirefoxStartupMutex

Process firefox.exe (2352)

  • Directories created

    • C:\Users\zamen\AppData\Roaming\Mozilla
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox
    • C:\Users\zamen\AppData\Local
    • C:\Program Files (x86)\Mozilla Firefox
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\0
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups
    • C:\Users\zamen\AppData\Roaming
    • C:\Program Files (x86)
    • C:\Users\zamen
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox
    • C:\Users
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates
    • C:\Users\zamen\AppData
    • C:\Users\zamen\AppData\Local\Mozilla
  • Directories enumerated

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Windows\System32\*.*
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\*
    • C:\Windows\System32\GroupPolicyUsers
    • C:\Users\zamen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\*
    • C:\Windows\System32\ActionCenter.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions\*
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\*
    • C:\Windows\System32
    • C:\Windows\System32\NlsData0039.dll
    • C:\Windows\System32\grpconv.exe
    • C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c\ATL80.dll
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\*
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Windows\System32\0409
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\*
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\*
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\*
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\*
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\*
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\*
    • C:\Windows\System32\xwizards.dll
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\plugins\*
    • C:\Windows\System32\aclui.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\*
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\*
    • C:\Windows\SysWOW64\*
    • C:\Windows\System32\GroupPolicy
    • C:\Program Files (x86)\Mozilla Firefox\extensions\*
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\chrome\*
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Windows\System32\dinput.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\*
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\*
    • C:\Windows
    • C:\Windows\winsxs
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\*
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Windows\System32\aaclient.dll

Process firefox.exe (2352)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default/nssckbi.dll
    • C:\Windows\system32\pnrpnsp.dll
    • C:\Program Files (x86)\Mozilla Firefox\nssdbm3.dll
    • DNSAPI.dll
    • UXTHEME.DLL
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\napinsp.dll
    • C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • cryptbase.dll
    • advapi32.dll
    • C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
    • CRYPTSP.dll
    • Comctl32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • Kernel32.DLL
    • uxtheme.dll
    • msimg32
    • C:\Windows\System32\mswsock.dll
    • Shell32.dll
    • C:\Windows\System32\winrnr.dll
    • comctl32.dll
    • C:\Windows\system32\NLAapi.dll
    • iphlpapi.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\browserdirprovider.dll
    • MSImg32.dll
    • RpcRtRemote.dll
    • C:\Program Files (x86)\Mozilla Firefox\nssckbi.dll
    • user32.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\brwsrcmp.dll
    • ws2_32.dll

No static analysis available.
No antivirus signatures available.

Process Tree


firefox.exe, PID: 2352, Parent PID: 2328


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (pip install httpreplay) lets Cuckoo perform fuller PCAP analysis, including reconstruction of complete HTTP and HTTPS requests and responses. It is recommended that you install it and reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source           Source Port   Destination       Destination Port
192.168.128.109  60112         192.168.128.111   53
192.168.128.109  64209         192.168.128.111   53
192.168.128.109  138           192.168.128.255   138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts
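The network section above is the whole story for this task: three UDP flows, no TCP, no HTTP, no hosts. Two of the flows are DNS queries to a host on the sandbox LAN and the third is a NetBIOS datagram broadcast, which Windows emits on its own. The following helper is an added example, not part of the Cuckoo report, that turns that reading into a repeatable check over flow rows. It assumes (not stated in the report) that 192.168.128.0/24 is the sandbox LAN and that 192.168.128.111 is its resolver; both are inferred from the addresses shown. Because the report lists no resolved hosts, the example does not guess whether the lookups were answered; it reports the state as "dns-only", which is the case to re-examine with the pcap (or with httpreplay installed, as the note above suggests).

```python
"""Flow triage for a Cuckoo network section (added example, not report code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


SANDBOX_NET = "192.168.128."      # assumed /24 sandbox LAN
RESOLVER = "192.168.128.111"      # assumed sandbox DNS resolver

# Rows copied from the report's UDP table. The report records no TCP rows.
REPORT_FLOWS: List[Flow] = [
    Flow("udp", "192.168.128.109", 60112, RESOLVER, 53),
    Flow("udp", "192.168.128.109", 64209, RESOLVER, 53),
    Flow("udp", "192.168.128.109", 138, "192.168.128.255", 138),
]


def classify(f: Flow) -> str:
    """Label one flow by what it most likely is."""
    if f.proto == "udp" and f.dport == 53:
        return "dns-query"
    if f.proto == "udp" and f.dport in (137, 138) and f.dst == SANDBOX_NET + "255":
        return "netbios-broadcast"      # Windows name-service chatter, not the sample
    if f.proto == "tcp" and f.dport in (80, 443):
        return "web"
    if f.dst.startswith(SANDBOX_NET):
        return "lan-other"
    return "external-other"


def triage(flows: Iterable[Flow]) -> Tuple[Counter, str]:
    """Count flow classes and reduce them to one verdict.

    contacted-external: something left the LAN (web or otherwise)
    dns-only:           name lookups happened but no follow-up connection
    no-network:         nothing attributable to the task
    """
    counts = Counter(classify(f) for f in flows)
    external = counts["web"] + counts["external-other"]
    if external:
        verdict = "contacted-external"
    elif counts["dns-query"]:
        verdict = "dns-only"
    else:
        verdict = "no-network"
    return counts, verdict


if __name__ == "__main__":
    counts, verdict = triage(REPORT_FLOWS)
    print(verdict, dict(counts))
```

Run as-is it prints the verdict for the rows above; feed it the TCP rows of a different task and the verdict flips to contacted-external, which is the point at which the HTTP and Suricata sections become worth reading.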

Name 5f0a613715ef1470_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2352 (firefox.exe)
Type data
MD5 863f485666ccee52fea27e61c7cbb9d2
SHA1 8074b420a048f04b755dc3d735dd37834df0f3e2
SHA256 5f0a613715ef14709f85d19224f05952e349ae394a2f91d495cdadf58abdb75b
CRC32 9B10B969
ssdeep 3:7FEG2l/hxRllp//ll:7+/l/h
Yara None matched
Name 854957603b22ed0c_pluginreg.dat
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
Size 2.0KB
Processes 2352 (firefox.exe)
Type ASCII text
MD5 0b83265b81236922d454dfbb4d41c814
SHA1 040e390405ce1569661bd83eb04b2a959759db8e
SHA256 854957603b22ed0c29a08c8be0511b16a127e31a8d8ef922eab443d5885b0147
CRC32 CF433F05
ssdeep 48:Z7RZ+OfLdoz5gN9wnISPmv4+M33OIfol3hu3jPkov4+M33r:PMOjyzy9wnr9folxu8v
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 74526bfe745e60aa__cache_map_
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
Size 8.3KB
Processes 2352 (firefox.exe)
Type raw G3 data, byte-padded
MD5 8b876137ecbb9404fec2ed367f6edb19
SHA1 e8cab7eee92e5d42096a2fb98efc523a863e91a1
SHA256 74526bfe745e60aae9a75642bbb83b875fdca8b45548316d8afe5273c68a4f6d
CRC32 9EC49CAF
ssdeep 3:6/:
Yara None matched
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 46c2ef66ccc576a8_xpc.mfl
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
Size 2.1MB
Processes 2352 (firefox.exe)
Type Mozilla XUL fastload data
MD5 e03e3ad6ec7f61999df76b77c947a85e
SHA1 72b3f5a50b43ea9dddaff671295fe68440efdbdb
SHA256 46c2ef66ccc576a8717630477488f1bc76b475a79e85ee01735860003f672b15
CRC32 985BBF3E
ssdeep 12288:2KLN3sa3UOfVUYnj0+AZbKfzLcqymM18P0bAeRMd3ovUYoaBo34fWLtI4e6O4Kxt:9UQXaOueSJmGBOfLda6G
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 27aae80b215ac3da_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2352 (firefox.exe)
Type data
MD5 44914d69f0c4b8cbab5c6b07ec4fc997
SHA1 7bfef0b73ad6bc261c2dde5b20d243b79e4f0631
SHA256 27aae80b215ac3dae4e28bc9f5911301b42d192729c7da2e3dd6d7cc9e7749f3
CRC32 55687FAD
ssdeep 3:7FEG2l/+L//ll:7+/l/
Yara None matched
VirusTotal Search for analysis
Name 83e243ebc2bf8871_urlclassifier3.sqlite
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
Size 32.0KB
Processes 2352 (firefox.exe)
Type SQLite 3.x database, user version 5
MD5 658fbf0e1f75a8dd6c160eaed00b828d
SHA1 37f10d0cd480ec2fbd191a2b03d5c18980ad44c1
SHA256 83e243ebc2bf88718a911871463cf60fdb8640c34fc3f98595806cf6b251d750
CRC32 C35F5DFF
ssdeep 48:TY5MYNe0Itr56DlkEqWERlDNcRvgKm3t6:MSj+vmt6
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name c9938b584acacba5_bookmarks-2019-01-20.json
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2019-01-20.json
Size 3.9KB
Processes 2352 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 7e5c69123625077e22e51b14a535a612
SHA1 d0985c228c3a634254e2e38fddd4f3fd0810d5b5
SHA256 c9938b584acacba5622897d894dca6142a004b13bb67a5ea313ac59e1c097969
CRC32 74D96362
ssdeep 48:YbOcwkt2zb26dP/rZXi/G0XA6yBjQBzBT5BJFL+DlwksGN+2p9:QubTdrZX/0XAuDLOl1Nb
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name 6202d4fe28987bb1_sessionstore.js
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
Size 319.0B
Processes 2352 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 54ef4a376ef86f8935f2617d5efb17a0
SHA1 4c69b0d291eb26787f3169f350831bdb4732d0b7
SHA256 6202d4fe28987bb1c16c5c23f8053c4712508bf81a57117a7d6940bedad7ce53
CRC32 77C95A58
ssdeep 6:0XmOiDf3SWdJ68WAq9u4Rnq/CLWHpIfRNRNMn9UHRvVGHu/Lqpkxh:0vCfiWdg19uP/CLWHEDNMn9UHR9GHqOg
Yara
  • contentis_base64 - This rule finds for base64 strings
VirusTotal Search for analysis
Name e94e3e9352418415_formhistory.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
Size 1.0KB
Processes 2352 (firefox.exe)
Type data
MD5 ea5e10ebb84f5d74fbe563fcbee0dcaa
SHA1 c9f24ad6903cec907540e316b20899854d2fb5a1
SHA256 e94e3e9352418415aa20da6db198dc9f90983b90e23e396e48050805ddbce7bb
CRC32 897AC273
ssdeep 3:7FEG2l/6illlzhtll:7+/l//llz
Yara None matched
VirusTotal Search for analysis
Name ede61805b54ade22_urlclassifier3.sqlite-journal
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
Size 24.0KB
Processes 2352 (firefox.exe)
Type data
MD5 8bedf72dea17eb9541cdf146bb2fb3a0
SHA1 dd3db579acfb7ff58d1d3c8e985941a606f60650
SHA256 ede61805b54ade22932697977aec3dc008c355c4459f26f6991b5cc78a1f1902
CRC32 79C7E264
ssdeep 48:7ex8+RRgKFNq2U5MYNe0Itr56DlkEqWERlDNxV:7eBhbLUSjR
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name 11cf0dc2721b16a5_places.sqlite
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
Size 136.0KB
Processes 2352 (firefox.exe)
Type SQLite 3.x database, user version 6
MD5 50871ec9d37ee31e7858028417aff949
SHA1 41bb25a1cf23c1c22584213e04c289de80212727
SHA256 11cf0dc2721b16a58051e6ff2ebf2189c567e8d3b4cfd27b6121d3b94db2e1b7
CRC32 41ACFCE8
ssdeep 384:FQl1Y1FKOC/924uPu1Zu1Ru11u17cYu1M:W1R/924uv
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name eb354f6957a10cde_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2352 (firefox.exe)
Type data
MD5 c019f0f654a58c9d30bc803601bd7fd0
SHA1 fa822b2fca93bbacb3d902412d39569b183350b0
SHA256 eb354f6957a10cde207b7e901228f441199c401952b0cc757beea9e30a794ecd
CRC32 16236252
ssdeep 3:7FEG2l/+nlnllh//ll:7+/l/0H
Yara None matched
VirusTotal Search for analysis
Name 6df87f72ebb01f74_cookies.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
Size 1.0KB
Processes 2352 (firefox.exe)
Type data
MD5 ea9d3b56c2eef94c05bf7ec6ee201ee9
SHA1 ec56f0b2beb6ac91c375964b717b2ecb0fc76a0e
SHA256 6df87f72ebb01f74f593d5534eec3ce9e27ef2bc5af3eee7394e3d3d8031a1ef
CRC32 264186AC
ssdeep 3:7FEGURIv//ll:7+/
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 1179
Mongo ID 5c44c32411d30812ab71eb64
Cuckoo release 2.0-dev