URL Details

URL
http://ubrlksrulbch.com/

Score

This url shows some signs of potential malicious behavior.

The score of this url is 1.8 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category:  URL
Started:   Dec. 10, 2018, 12:59 p.m.
Completed: Dec. 10, 2018, 1:03 p.m.
Duration:  259 seconds
Logs:      (none)

Machine

Name:        win7x64
Label:       win7x64
Started On:  2018-12-10 12:59:29
Shutdown On: 2018-12-10 13:03:49

Analyzer Log

2018-12-10 04:59:29,030 [analyzer] DEBUG: Starting analyzer from: C:\iuttrmt
2018-12-10 04:59:29,062 [analyzer] DEBUG: Pipe server name: \\.\PIPE\akaOAHwmeTgxxCxI
2018-12-10 04:59:29,062 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\NVxGrpdBpblKjWWUCrgphzNyrZS
2018-12-10 04:59:31,059 [analyzer] DEBUG: Started auxiliary module Disguise
2018-12-10 04:59:31,417 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-12-10 04:59:31,417 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-12-10 04:59:31,417 [analyzer] DEBUG: Started auxiliary module Human
2018-12-10 04:59:31,417 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-12-10 04:59:31,417 [analyzer] DEBUG: Started auxiliary module Reboot
2018-12-10 04:59:31,744 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-12-10 04:59:31,744 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-12-10 04:59:31,744 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-12-10 04:59:32,181 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' with arguments ['c:\\users\\zamen\\appdata\\local\\temp\\tmplnhcsg.html'] and pid 2316
2018-12-10 04:59:34,927 [analyzer] DEBUG: Loaded monitor into process with pid 2316
2018-12-10 04:59:36,410 [analyzer] DEBUG: Received request to inject pid=2316, but we are already injected there.
2018-12-10 04:59:37,688 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-journal
2018-12-10 04:59:37,750 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2018-12-10.json
2018-12-10 04:59:42,930 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
2018-12-10 04:59:46,957 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
2018-12-10 04:59:49,703 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
2018-12-10 04:59:49,890 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
2018-12-10 04:59:49,951 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
2018-12-10 04:59:49,967 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
2018-12-10 04:59:50,140 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
2018-12-10 04:59:51,293 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-stmtjrnl
2018-12-10 04:59:51,341 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
2018-12-10 04:59:58,609 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2018-12-10 04:59:58,625 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2018-12-10 04:59:58,625 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2018-12-10 04:59:58,641 [analyzer] INFO: Added new file to list with pid 2316 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
2018-12-10 05:03:34,686 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-12-10 05:03:37,681 [lib.api.process] INFO: Memory dump of process with pid 2316 completed
2018-12-10 05:03:37,681 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-12-10 05:03:37,681 [lib.api.process] INFO: Successfully terminated process with pid 2316.
2018-12-10 05:03:37,743 [analyzer] WARNING: File at path "u'c:\\users\\zamen\\appdata\\roaming\\mozilla\\firefox\\profiles\\l13jpjzr.default\\places.sqlite-stmtjrnl'" does not exist, skip.
2018-12-10 05:03:37,838 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-12-10 12:59:29,811 [lib.cuckoo.core.scheduler] INFO: Task #168: acquired machine win7x64 (label=win7x64)
2018-12-10 12:59:29,855 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 15344 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/168/dump.pcap)
2018-12-10 12:59:34,828 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-12-10 13:03:45,896 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2018-12-10 13:03:46,837 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-12-10 13:03:55,384 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-12-10 13:03:58,649 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f4449c58750>: Failed to establish a new connection: [Errno 111] Connection refused
2018-12-10 13:03:58,650 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-12-10 13:03:58,651 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-12-10 13:03:58,652 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-12-10 13:03:58,652 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f443b7eaa50>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f443b7eaa50>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (1 event)
Time: Dec. 10, 2018, 7:59 a.m. | API: GetComputerNameA | Arguments: computer_name: ZAMEN-PC | Status: success | Return: 1 | Repeated: 0

Tries to locate where the browsers are installed (1 event)
file C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\nsIeTabWatchFactory.js

Starts servers listening on {0} (6 events)
Time: Dec. 10, 2018, 7:59 a.m. | API: bind   | Arguments: ip_address: 127.0.0.1, socket: 496, port: 0     | Status: success | Return: 0   | Repeated: 0
Time: Dec. 10, 2018, 7:59 a.m. | API: listen | Arguments: socket: 496, backlog: 5                        | Status: success | Return: 0   | Repeated: 0
Time: Dec. 10, 2018, 7:59 a.m. | API: accept | Arguments: ip_address: 127.0.0.1, socket: 496, port: 49162 | Status: success | Return: 520 | Repeated: 0
Time: Dec. 10, 2018, 7:59 a.m. | API: bind   | Arguments: ip_address: 127.0.0.1, socket: 912, port: 0     | Status: success | Return: 0   | Repeated: 0
Time: Dec. 10, 2018, 7:59 a.m. | API: listen | Arguments: socket: 912, backlog: 5                        | Status: success | Return: 0   | Repeated: 0
Time: Dec. 10, 2018, 7:59 a.m. | API: accept | Arguments: ip_address: 127.0.0.1, socket: 912, port: 49165 | Status: success | Return: 924 | Repeated: 0

Creates executable files on the filesystem (1 event)
file C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 event)
file C:\Windows\SysWOW64\mfcsubs.dll

Screenshots

No screenshots available.

Network

Hosts

No hosts contacted.

Summary

Process firefox.exe (2316)

  • Opened files

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\quirk.css
    • C:\
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files (x86)\Mozilla Firefox\browserconfig.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Windows\System32\NlsData0039.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\mimeTypes.rdf
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Windows\System32\aclui.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compatibility.ini
    • C:\Program Files (x86)\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.cache
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.rdf
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\modules\DownloadUtils.jsm
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_001_
    • C:\Program Files (x86)\Mozilla Firefox\chrome\comm.manifest
    • C:\Windows\System32\ActionCenter.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files (x86)\Mozilla Firefox\application.ini
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\search.sqlite
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\res\ua.css
    • C:\Windows\System32\xwizards.dll
    • C:\Program Files (x86)\Mozilla Firefox\foxyproxy.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\content-prefs.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\permissions.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.manifest
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\forms.css
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.ini
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Windows\System32\grpconv.exe
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Program Files (x86)\Mozilla Firefox\blocklist.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\prefs.js
    • C:\Windows\System32\dinput.dll
    • c:\Users\zamen\AppData\Local\Temp\tmplnhcsg.html
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\modules\PluralForm.jsm
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files (x86)\Mozilla Firefox\components\browser.xpt
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\html.css
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XUL.mfl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_002_
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\xpti.dat
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\platform.ini
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\localstore.rdf
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.manifest
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_003_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compreg.dat
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Windows\System32\aaclient.dll
  • Written files

    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-stmtjrnl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2018-12-10.json
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
  • Files Read

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\quirk.css
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files (x86)\Mozilla Firefox\browserconfig.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Windows\System32\NlsData0039.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\mimeTypes.rdf
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Windows\System32\aclui.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compatibility.ini
    • C:\Program Files (x86)\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.cache
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.rdf
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_001_
    • C:\Program Files (x86)\Mozilla Firefox\chrome\comm.manifest
    • C:\Windows\System32\ActionCenter.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files (x86)\Mozilla Firefox\application.ini
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\search.sqlite
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\res\ua.css
    • C:\Windows\System32\xwizards.dll
    • C:\Program Files (x86)\Mozilla Firefox\foxyproxy.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\content-prefs.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\permissions.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.manifest
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\forms.css
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.ini
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Windows\System32\grpconv.exe
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Program Files (x86)\Mozilla Firefox\blocklist.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\prefs.js
    • C:\Windows\System32\dinput.dll
    • c:\Users\zamen\AppData\Local\Temp\tmplnhcsg.html
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files (x86)\Mozilla Firefox\components\browser.xpt
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\html.css
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XUL.mfl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_002_
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\xpti.dat
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\platform.ini
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\localstore.rdf
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.manifest
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_003_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compreg.dat
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Windows\System32\aaclient.dll

Process firefox.exe (2316)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\FileAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
    • HKEY_CLASSES_ROOT\.js
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\(Default)
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\
    • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
    • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\firefox.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\(Default)
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\(Default)
    • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\InstallPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp
    • HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\MIMEAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations
    • HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
    • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
    • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
    • HKEY_CURRENT_USER\Software\MozillaPlugins
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\StartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
    • HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
    • HKEY_CLASSES_ROOT\.dtd
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2
    • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2\Path
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\70F6B3D
    • HKEY_CURRENT_USER\HTTP\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Extension
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_CURRENT_USER\HTTPS\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\InstallPath\(Default)
    • HKEY_CURRENT_USER\HTTPS\DefaultIcon\(Default)
    • HKEY_CURRENT_USER\Software\Clients\StartMenuInternet\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\1603
    • HKEY_CURRENT_USER\HTTP\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\9999
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications\Firefox
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dtd\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312

Process firefox.exe (2316)

  • Mutexes accessed

    • Local\FirefoxStartupMutex

Process firefox.exe (2316)

  • Directories created

    • C:\Users\zamen\AppData\Roaming\Mozilla
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox
    • C:\Users\zamen\AppData\Local
    • C:\Program Files (x86)\Mozilla Firefox
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\0
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups
    • C:\Users\zamen\AppData\Roaming
    • C:\Program Files (x86)
    • C:\Users\zamen
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox
    • C:\Users
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates
    • C:\Users\zamen\AppData
    • C:\Users\zamen\AppData\Local\Mozilla
  • Directories enumerated

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Windows\System32\*.*
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\*
    • C:\Windows\System32\GroupPolicyUsers
    • C:\Users\zamen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\*
    • C:\Windows\System32\ActionCenter.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions\*
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\*
    • C:\Windows\System32
    • C:\Windows\System32\NlsData0039.dll
    • C:\Windows\System32\grpconv.exe
    • C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c\ATL80.dll
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\*
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Windows\System32\0409
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\*
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\*
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\*
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\*
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\*
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\*
    • C:\Windows\System32\xwizards.dll
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\plugins\*
    • C:\Windows\System32\aclui.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\*
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\*
    • C:\Windows\SysWOW64\*
    • C:\Windows\System32\GroupPolicy
    • C:\Program Files (x86)\Mozilla Firefox\extensions\*
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\chrome\*
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Windows\System32\dinput.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\*
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\*
    • C:\Windows
    • C:\Windows\winsxs
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\*
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Windows\System32\aaclient.dll

Process firefox.exe (2316)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default/nssckbi.dll
    • C:\Windows\system32\pnrpnsp.dll
    • C:\Program Files (x86)\Mozilla Firefox\nssdbm3.dll
    • DNSAPI.dll
    • UXTHEME.DLL
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\napinsp.dll
    • C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • cryptbase.dll
    • advapi32.dll
    • C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
    • CRYPTSP.dll
    • Comctl32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • Kernel32.DLL
    • uxtheme.dll
    • msimg32
    • C:\Windows\System32\mswsock.dll
    • Shell32.dll
    • C:\Windows\System32\winrnr.dll
    • comctl32.dll
    • C:\Windows\system32\NLAapi.dll
    • iphlpapi.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\browserdirprovider.dll
    • MSImg32.dll
    • RpcRtRemote.dll
    • C:\Program Files (x86)\Mozilla Firefox\nssckbi.dll
    • user32.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\brwsrcmp.dll
    • ws2_32.dll

No static analysis available.
No antivirus signatures available.

Process Tree


firefox.exe, PID: 2316, Parent PID: 2292


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (pip install httpreplay) lets Cuckoo perform fuller PCAP analysis, including showing complete HTTP and HTTPS requests and responses. It is recommended that you install it and reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source           Source Port  Destination      Destination Port
192.168.128.109  52096        192.168.128.111  53
192.168.128.109  60112        192.168.128.111  53
192.168.128.109  64209        192.168.128.111  53
192.168.128.109  138          192.168.128.255  138
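The network summary is the most telling part of this report: three UDP datagrams to port 53 on a host in the same /24, one port-138 datagram to the subnet broadcast address, and no TCP connections or HTTP requests at all. Without httpreplay the report carries no DNS answers, so whether ubrlksrulbch.com resolved cannot be determined from this page. The helper below is an added example, not part of the report or of Cuckoo. It parses a constructed copy of the UDP table above, separates Windows background chatter (NetBIOS datagram broadcasts on 138) from sample-driven lookups, and reports whether the run was "resolution only". Treating 192.168.128.111 as the lab resolver is an inference from the port-53 traffic, not something the report states.

```python
"""Triage the UDP summary of a Cuckoo report.

Added example, not part of the original report. Separates DNS lookups from
sandbox background noise and decides whether the sample got no further than
name resolution.
"""
import ipaddress
from collections import Counter

# Constructed copy of the UDP table on this page.
UDP_TABLE = """\
Source Source Port Destination Destination Port
192.168.128.109 52096 192.168.128.111 53
192.168.128.109 60112 192.168.128.111 53
192.168.128.109 64209 192.168.128.111 53
192.168.128.109 138 192.168.128.255 138
"""

# Assumption: the analysis VM sits in this subnet (all addresses above are in it).
LAB_NET = ipaddress.ip_network("192.168.128.0/24")


def parse_udp_table(text):
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        parts = line.split()
        if len(parts) != 4:
            continue
        src, sport, dst, dport = parts
        rows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return rows


def classify(row, net=LAB_NET):
    dst = ipaddress.ip_address(row["dst"])
    if row["dport"] == 53:
        return "dns-query"
    if row["dport"] == 138 and row["sport"] == 138 and dst == net.broadcast_address:
        return "netbios-datagram-broadcast"  # NetBIOS Datagram Service; Windows background traffic
    if dst in net:
        return "lab-internal-other"
    return "external-udp"


def summarize(text):
    rows = parse_udp_table(text)
    counts = Counter(classify(r) for r in rows)
    return {"flows": len(rows), **counts}


def resolution_only(text, tcp_connections=0):
    """True when every non-background datagram is a DNS query and no TCP followed.

    tcp_connections is taken from the report's TCP section (0 on this page).
    """
    kinds = {classify(r) for r in parse_udp_table(text)}
    kinds.discard("netbios-datagram-broadcast")
    return tcp_connections == 0 and kinds == {"dns-query"}


if __name__ == "__main__":
    print(summarize(UDP_TABLE))
    print("resolution only:", resolution_only(UDP_TABLE, tcp_connections=0))
```

A "resolution only" run is a reason to reprocess with httpreplay installed (or to inspect the PCAP directly) before drawing any conclusion: an NXDOMAIN, a sinkholed answer and a resolver timeout all look identical in this summary.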

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name cccc0768449585b1_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2316 (firefox.exe)
Type data
MD5 582d10aa33cc555f6f3c8e5d9d550b7d
SHA1 5cddb09d704c792a588ff3112e8a4f7222c95c97
SHA256 cccc0768449585b1e44b9829c62177f58d547b7dba36033db2e9ccf2c21ab867
CRC32 0F035822
ssdeep 3:7FEG2l/SF9llh//ll:7+/l/I
Yara None matched
VirusTotal Search for analysis
Name 854957603b22ed0c_pluginreg.dat
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
Size 2.0KB
Processes 2316 (firefox.exe)
Type ASCII text
MD5 0b83265b81236922d454dfbb4d41c814
SHA1 040e390405ce1569661bd83eb04b2a959759db8e
SHA256 854957603b22ed0c29a08c8be0511b16a127e31a8d8ef922eab443d5885b0147
CRC32 CF433F05
ssdeep 48:Z7RZ+OfLdoz5gN9wnISPmv4+M33OIfol3hu3jPkov4+M33r:PMOjyzy9wnr9folxu8v
Yara
  • contentis_base64 - This rule finds base64 strings
VirusTotal Search for analysis
Name 74526bfe745e60aa__cache_map_
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
Size 8.3KB
Processes 2316 (firefox.exe)
Type raw G3 data, byte-padded
MD5 8b876137ecbb9404fec2ed367f6edb19
SHA1 e8cab7eee92e5d42096a2fb98efc523a863e91a1
SHA256 74526bfe745e60aae9a75642bbb83b875fdca8b45548316d8afe5273c68a4f6d
CRC32 9EC49CAF
ssdeep 3:6/:
Yara None matched
VirusTotal Search for analysis
Name 97e2558c45a6337d_sessionstore.js
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
Size 319.0B
Processes 2316 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 79ecd8df6db8acd81ce10f2238fd2296
SHA1 c5a927d2d4e8dbbc6c998f091740cf1b9cfc93a0
SHA256 97e2558c45a6337d55541814e3cf1ae0164b45a4f5c631637e9355423ff3e371
CRC32 2A319AC1
ssdeep 6:0XmOiDf3SWM8WAq9u4RnqqWHpIfRNRNMn9UHRvVGHu/Lqpkxh:0vCfiWM19uPqWHEDNMn9UHR9GHqOpa
Yara
  • contentis_base64 - This rule finds base64 strings
VirusTotal Search for analysis
Name 7bf116ffa7bc0e4d_urlclassifier3.sqlite-journal
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
Size 24.0KB
Processes 2316 (firefox.exe)
Type data
MD5 887016ebe6ff82930b24240f3b4a8f6c
SHA1 41ca5329ab7bca45da4a9b561e695c86e97872e7
SHA256 7bf116ffa7bc0e4da662045958dc2ab186c6d13e1601ff6946a80908336c1b2f
CRC32 62E1994F
ssdeep 48:7ejGL8RRgKFRq2U5MYNe0Itr56DlkEqWERlDNK:7eCchzLUSj0
Yara
  • contentis_base64 - This rule finds base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 46c2ef66ccc576a8_xpc.mfl
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
Size 2.1MB
Processes 2316 (firefox.exe)
Type Mozilla XUL fastload data
MD5 e03e3ad6ec7f61999df76b77c947a85e
SHA1 72b3f5a50b43ea9dddaff671295fe68440efdbdb
SHA256 46c2ef66ccc576a8717630477488f1bc76b475a79e85ee01735860003f672b15
CRC32 985BBF3E
ssdeep 12288:2KLN3sa3UOfVUYnj0+AZbKfzLcqymM18P0bAeRMd3ovUYoaBo34fWLtI4e6O4Kxt:9UQXaOueSJmGBOfLda6G
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds base64 strings
VirusTotal Search for analysis
Name 83e243ebc2bf8871_urlclassifier3.sqlite
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
Size 32.0KB
Processes 2316 (firefox.exe)
Type SQLite 3.x database, user version 5
MD5 658fbf0e1f75a8dd6c160eaed00b828d
SHA1 37f10d0cd480ec2fbd191a2b03d5c18980ad44c1
SHA256 83e243ebc2bf88718a911871463cf60fdb8640c34fc3f98595806cf6b251d750
CRC32 C35F5DFF
ssdeep 48:TY5MYNe0Itr56DlkEqWERlDNcRvgKm3t6:MSj+vmt6
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • contentis_base64 - This rule finds base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name 9337333a2219422f_places.sqlite
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
Size 136.0KB
Processes 2316 (firefox.exe)
Type SQLite 3.x database, user version 6
MD5 ef9c1a3452c1f0cad326fc07bcc7b9e8
SHA1 ae3526154c5489e34c81e5e5305f17b3fce05951
SHA256 9337333a2219422fc5f2711c5dc865c4ae9cb27265731b7f3c52b80c9efc23ec
CRC32 3FAFADE2
ssdeep 192:FP7IpyuAhFT2/lXlpfE2Czt8Zc/924u2+u1A+u14+u1U+u17csK+u1M:FDvhq1kOC/924uPu1Zu1Ru11u17cYu1M
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
VirusTotal Search for analysis
Name c9938b584acacba5_bookmarks-2018-12-10.json
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2018-12-10.json
Size 3.9KB
Processes 2316 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 7e5c69123625077e22e51b14a535a612
SHA1 d0985c228c3a634254e2e38fddd4f3fd0810d5b5
SHA256 c9938b584acacba5622897d894dca6142a004b13bb67a5ea313ac59e1c097969
CRC32 74D96362
ssdeep 48:YbOcwkt2zb26dP/rZXi/G0XA6yBjQBzBT5BJFL+DlwksGN+2p9:QubTdrZX/0XAuDLOl1Nb
Yara
  • contentis_base64 - This rule finds base64 strings
VirusTotal Search for analysis
Name cc01ff50a0d8e98c_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2316 (firefox.exe)
Type data
MD5 3518080a7c4ca0ee791664a65afb540c
SHA1 b3a5c21e035df545c2cfb1bf9ca225c1f8a33632
SHA256 cc01ff50a0d8e98cbb422b70911e174ae2b435dd46f2dde1011687fbf563ba94
CRC32 5426B12A
ssdeep 3:7FEG2l/um4j//ll:7+/l/
Yara None matched
VirusTotal Search for analysis
Name ab2a83dd4b8c3530_cookies.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
Size 1.0KB
Processes 2316 (firefox.exe)
Type data
MD5 f17e6884ad7ed0e028ae4454848f4071
SHA1 69b388aca46ce818a975524737e1a7693755f3a4
SHA256 ab2a83dd4b8c3530096c0d16163996333a82cfaf68a99f5b2fd8fca992c19596
CRC32 4775C0EE
ssdeep 3:7FEGURYbVllh//ll:7+/uJ
Yara None matched
VirusTotal Search for analysis
Name 5b01d03879c83edf_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2316 (firefox.exe)
Type data
MD5 48c9d06a36949eee97cdf935ccf6f298
SHA1 3ac6e3cb2a2ca2b0d071c9862339f2c3dd94cc52
SHA256 5b01d03879c83edf2dcd401959685f0c084243fc28842698dd5a407c9cd18046
CRC32 944E5803
ssdeep 3:7FEG2l/qjJlh//ll:7+/l/Y
Yara None matched
VirusTotal Search for analysis
Name 342c14fd7202730f_formhistory.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
Size 1.0KB
Processes 2316 (firefox.exe)
Type data
MD5 61bcf2b26b92aca3c7201e77d38163fb
SHA1 d38feb797a3d6f62d0c6abdf3faa6b1181b0d035
SHA256 342c14fd7202730f1fac136555ef1de717ce8bcf77a479e97b7cb6ab99b537b7
CRC32 5B8B5AD3
ssdeep 3:7FEG2l/Zbl9tll:7+/l/Z
Yara None matched
VirusTotal Search for analysis
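Every file the analysis dropped is a Firefox profile artifact (places, cookies, downloads and form-history journals, the URL classifier database, the bookmark backup, the XUL fastload cache), which is what the browser writes on any page load. The Yara column needs reading with care: the PEiD_* rules are packer and compiler signatures written for PE executables, so their hits on a SQLite database or a XUL fastload cache are coincidental byte matches rather than evidence of packing, and contentis_base64 / with_sqlite only describe the content type. The Type column is libmagic's guess and is equally weak on cache structures (_CACHE_MAP_ is reported as raw G3 fax data). The block below is an added example, not part of the report or of Cuckoo: it recomputes the four digests and the entry name (the first 16 hex characters of the SHA256, an underscore, and the lower-cased basename, which is the convention these entries follow) and filters the YARA hits over a constructed subset of the entries above, checking the 0-byte update.test entry against the well-known empty-input digests.

```python
import hashlib
import zlib

def digests(data):
    """The four digests the report lists per dropped file (CRC32 as 8 upper-case hex)."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "CRC32": "%08X" % (zlib.crc32(data) & 0xFFFFFFFF),
    }

def dropped_name(data, basename):
    """Entry name: first 16 hex chars of SHA256, '_', lower-cased basename
    (the convention the report's entries follow, e.g. XPC.mfl -> 46c2ef66ccc576a8_xpc.mfl)."""
    return hashlib.sha256(data).hexdigest()[:16] + "_" + basename.lower()

# Constructed subset of the report's dropped-file entries: (name, libmagic type, YARA rules).
REPORT_ENTRIES = [
    ("46c2ef66ccc576a8_xpc.mfl", "Mozilla XUL fastload data",
     ["PEiD_01686_Petite_v2_2____www_un4seen_com_petite_",
      "PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_",
      "contentis_base64"]),
    ("83e243ebc2bf8871_urlclassifier3.sqlite", "SQLite 3.x database, user version 5",
     ["PEiD_00071_Anti007____NsPacK_Private_", "contentis_base64", "with_sqlite"]),
    ("9337333a2219422f_places.sqlite", "SQLite 3.x database, user version 6",
     ["PEiD_00071_Anti007____NsPacK_Private_",
      "PEiD_01086_Microsoft_Visual_C___8_0__MFC__",
      "PEiD_01686_Petite_v2_2____www_un4seen_com_petite_",
      "contentis_base64", "with_sqlite"]),
    ("854957603b22ed0c_pluginreg.dat", "ASCII text", ["contentis_base64"]),
    ("e3b0c44298fc1c14_update.test", "empty", []),
]

# libmagic descriptions that denote a real Windows executable image.
PE_MARKERS = ("PE32", "MS-DOS executable")
# Rules that describe the content type rather than anything suspicious.
GENERIC_RULES = {"contentis_base64", "with_sqlite"}

def peid_hits_on_non_pe(entries):
    """PEiD_* rules are entry-point byte signatures for PE packers/compilers. A hit on a
    file whose type is not a PE image is a coincidental byte match, not evidence of
    packing. Returns {entry name: [PEiD rules]} for exactly those entries."""
    hits = {}
    for name, ftype, rules in entries:
        if any(marker in ftype for marker in PE_MARKERS):
            continue
        peid = [r for r in rules if r.startswith("PEiD_")]
        if peid:
            hits[name] = peid
    return hits

def residual_hits(entries):
    """Entries that still carry a YARA match after dropping PEiD noise and the
    generic content rules; these are the ones worth opening. Empty for this report."""
    return [name for name, _, rules in entries
            if any(not r.startswith("PEiD_") and r not in GENERIC_RULES for r in rules)]

if __name__ == "__main__":
    # The 0-byte update.test entry must carry the well-known empty-input digests.
    print(dropped_name(b"", "update.test"), digests(b""))
    print("PEiD noise:", peid_hits_on_non_pe(REPORT_ENTRIES))
    print("still interesting:", residual_hits(REPORT_ENTRIES))
```

Run over the full dropped list of a task, residual_hits is the shortlist to actually open; for this analysis it is empty, which matches the absence of any network activity beyond DNS. The PE_MARKERS list is a deliberate assumption about libmagic's wording and should be extended if a different magic database is in use.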
Dropped buffers

No dropped buffers.
Task ID 168
Mongo ID 5c0eaa9611d3081ae0b0a450
Cuckoo release 2.0-dev