URL Details

URL
http://cabeyysdwpix.com/

Score

This URL shows some signs of potential malicious behavior.

The score of this url is 1.8 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category | Started | Completed | Duration | Logs
URL | Nov. 5, 2018, 4:23 a.m. | Nov. 5, 2018, 4:27 a.m. | 256 seconds |

Machine

Name | Label | Started On | Shutdown On
win7x64 | win7x64 | 2018-11-05 04:23:16 | 2018-11-05 04:27:32

Analyzer Log

2018-11-04 20:23:15,030 [analyzer] DEBUG: Starting analyzer from: C:\kjlndzzco
2018-11-04 20:23:15,155 [analyzer] DEBUG: Pipe server name: \\.\PIPE\rAEuezgpIQsiBzlrQRp
2018-11-04 20:23:15,155 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\wjdooiCudpgKiZmgaEvwj
2018-11-04 20:23:16,684 [analyzer] DEBUG: Started auxiliary module Disguise
2018-11-04 20:23:17,167 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-11-04 20:23:17,167 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-11-04 20:23:17,167 [analyzer] DEBUG: Started auxiliary module Human
2018-11-04 20:23:17,167 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-11-04 20:23:17,167 [analyzer] DEBUG: Started auxiliary module Reboot
2018-11-04 20:23:17,448 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-11-04 20:23:17,448 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-11-04 20:23:17,448 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-04 20:23:17,979 [lib.api.process] INFO: Successfully executed process from path 'C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe' with arguments ['http://cabeyysdwpix.com/'] and pid 2280
2018-11-04 20:23:20,802 [analyzer] DEBUG: Loaded monitor into process with pid 2280
2018-11-04 20:23:22,285 [analyzer] DEBUG: Received request to inject pid=2280, but we are already injected there.
2018-11-04 20:23:23,766 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-journal
2018-11-04 20:23:23,813 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2018-11-05.json
2018-11-04 20:23:28,477 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
2018-11-04 20:23:30,375 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
2018-11-04 20:23:30,640 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
2018-11-04 20:23:30,796 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
2018-11-04 20:23:33,026 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
2018-11-04 20:23:33,042 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
2018-11-04 20:23:33,105 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
2018-11-04 20:23:36,989 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
2018-11-04 20:23:41,793 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2018-11-04 20:23:41,809 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2018-11-04 20:23:41,809 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
2018-11-04 20:23:41,825 [analyzer] INFO: Added new file to list with pid 2280 and path C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
2018-11-04 20:27:20,365 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2018-11-04 20:27:22,815 [lib.api.process] INFO: Memory dump of process with pid 2280 completed
2018-11-04 20:27:22,815 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-11-04 20:27:22,815 [lib.api.process] INFO: Successfully terminated process with pid 2280.
2018-11-04 20:27:22,924 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-11-05 04:23:16,192 [lib.cuckoo.core.scheduler] INFO: Task #44: acquired machine win7x64 (label=win7x64)
2018-11-05 04:23:16,405 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 6280 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/44/dump.pcap)
2018-11-05 04:23:21,803 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-11-05 04:27:30,939 [lib.cuckoo.core.resultserver] WARNING: Uploaded file length larger than upload_max_size, stopping upload.
2018-11-05 04:27:31,941 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-11-05 04:27:40,493 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-11-05 04:28:20,525 [modules.processing.virustotal] WARNING: Error fetching results from VirusTotal for "http://cabeyysdwpix.com/": Unable to fetch VirusTotal results: MaxRetryError("HTTPSConnectionPool(host='www.virustotal.com', port=443): Max retries exceeded with url: /vtapi/v2/url/report (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f728c263f50>: Failed to establish a new connection: [Errno -2] Name or service not known',))",)
2018-11-05 04:28:23,034 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.007s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f728c84f190>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-05 04:28:23,035 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-05 04:28:23,036 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-05 04:28:23,036 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-05 04:28:23,037 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f728c84fc10>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f728c84fc10>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (1 event)
Time | API | Arguments | Status | Return | Repeated
Nov. 4, 2018, 11:23 p.m. | GetComputerNameA | computer_name: ZAMEN-PC | success | 1 | 0

Tries to locate where the browsers are installed (1 event)
file C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\nsIeTabWatchFactory.js

Starts servers listening on {0} (6 events)
Time | API | Arguments | Status | Return | Repeated
Nov. 4, 2018, 11:23 p.m. | bind | ip_address: 127.0.0.1, socket: 496, port: 0 | success | 0 | 0
Nov. 4, 2018, 11:23 p.m. | listen | socket: 496, backlog: 5 | success | 0 | 0
Nov. 4, 2018, 11:23 p.m. | accept | ip_address: 127.0.0.1, socket: 496, port: 49162 | success | 520 | 0
Nov. 4, 2018, 11:23 p.m. | bind | ip_address: 127.0.0.1, socket: 916, port: 0 | success | 0 | 0
Nov. 4, 2018, 11:23 p.m. | listen | socket: 916, backlog: 5 | success | 0 | 0
Nov. 4, 2018, 11:23 p.m. | accept | ip_address: 127.0.0.1, socket: 916, port: 49165 | success | 928 | 0

Creates executable files on the filesystem (1 event)
file C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js

Creates known Dyreza Banking Trojan files, registry keys and/or mutexes (1 event)
file C:\Windows\SysWOW64\mfcsubs.dll

Screenshots

No screenshots available.

Network

Hosts

No hosts contacted.

Summary

Process firefox.exe (2280)

  • Opened files

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\quirk.css
    • C:\
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files (x86)\Mozilla Firefox\browserconfig.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Windows\System32\NlsData0039.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\mimeTypes.rdf
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Windows\System32\aclui.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compatibility.ini
    • C:\Program Files (x86)\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.cache
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.rdf
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\modules\DownloadUtils.jsm
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_001_
    • C:\Program Files (x86)\Mozilla Firefox\chrome\comm.manifest
    • C:\Windows\System32\ActionCenter.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files (x86)\Mozilla Firefox\application.ini
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\search.sqlite
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\res\ua.css
    • C:\Windows\System32\xwizards.dll
    • C:\Program Files (x86)\Mozilla Firefox\foxyproxy.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\content-prefs.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\permissions.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.manifest
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\forms.css
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.ini
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Windows\System32\grpconv.exe
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Program Files (x86)\Mozilla Firefox\blocklist.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\prefs.js
    • C:\Windows\System32\dinput.dll
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\modules\PluralForm.jsm
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files (x86)\Mozilla Firefox\components\browser.xpt
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\html.css
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XUL.mfl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_002_
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\xpti.dat
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Program Files (x86)\Mozilla Firefox\platform.ini
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\localstore.rdf
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.manifest
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_003_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compreg.dat
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Windows\System32\aaclient.dll
  • Written files

    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2018-11-05.json
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
  • Files Read

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\quirk.css
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Program Files (x86)\Mozilla Firefox\browserconfig.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Windows\System32\NlsData0039.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\mimeTypes.rdf
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Windows\System32\aclui.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compatibility.ini
    • C:\Program Files (x86)\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\reporter.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.cache
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.rdf
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_001_
    • C:\Program Files (x86)\Mozilla Firefox\chrome\comm.manifest
    • C:\Windows\System32\ActionCenter.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files (x86)\Mozilla Firefox\application.ini
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\search.sqlite
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\res\ua.css
    • C:\Windows\System32\xwizards.dll
    • C:\Program Files (x86)\Mozilla Firefox\foxyproxy.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Crash Reports\UserID
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\content-prefs.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\permissions.sqlite
    • C:\Program Files (x86)\Mozilla Firefox\chrome\en-US.manifest
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\res\forms.css
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.jar
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions.ini
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Windows\System32\grpconv.exe
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\profiles.ini
    • C:\Program Files (x86)\Mozilla Firefox\blocklist.xml
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\prefs.js
    • C:\Windows\System32\dinput.dll
    • C:\Windows\Fonts\staticcache.dat
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.jar
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Program Files (x86)\Mozilla Firefox\chrome\classic.jar
    • C:\Program Files (x86)\Mozilla Firefox\components\browser.xpt
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\all.js
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files (x86)\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\html.css
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XUL.mfl
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_002_
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\xpti.dat
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\Program Files (x86)\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Program Files (x86)\Mozilla Firefox\platform.ini
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\localstore.rdf
    • C:\Program Files (x86)\Mozilla Firefox\chrome\browser.manifest
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_003_
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\compreg.dat
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Windows\System32\aaclient.dll

Process firefox.exe (2280)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\FileAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
    • HKEY_CLASSES_ROOT\.js
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{FA445657-9379-11D6-B41A-00065B83EE53}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\(Default)
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\
    • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
    • HKEY_CURRENT_USER\Software\Microsoft\CTF\DirectSwitchHotkeys
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\firefox.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\(Default)
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\(Default)
    • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\InstallPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp
    • HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\MIMEAssociations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations
    • HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
    • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
    • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
    • HKEY_CURRENT_USER\Software\MozillaPlugins
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\StartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Extensions
    • HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
    • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
    • HKEY_CLASSES_ROOT\.dtd
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{3697C5FA-60DD-4B56-92D4-74A569205C16}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\Category\Category\{534C48C1-0607-4098-A521-4FC899C73E90}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2
    • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.7.2\Path
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma Armenian
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Miriam Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Fixed Miriam Transparent
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\70F6B3D
    • HKEY_CURRENT_USER\HTTP\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Rod Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Extension
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\FangSong_GB2312
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_CURRENT_USER\HTTPS\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\David Transparent
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b8-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b4-63cb-11e6-bd5e-806e6f6e6963}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\9.0\InstallPath\(Default)
    • HKEY_CURRENT_USER\HTTPS\DefaultIcon\(Default)
    • HKEY_CURRENT_USER\Software\Clients\StartMenuInternet\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\1603
    • HKEY_CURRENT_USER\HTTP\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\9999
    • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications\Firefox
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{23c7429a-63cf-11e6-844a-0050569395d7}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dtd\Content Type
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b5-63cb-11e6-bd5e-806e6f6e6963}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arabic Transparent Bold,0
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2006
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\KaiTi_GB2312
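
Reading the two registry lists above: every key is a file-association lookup (FileExts, UrlAssociations, HKEY_CLASSES_ROOT), a text-input-framework (CTF) or font query, a plugin or helper-application discovery probe (App Paths, JavaSoft, MozillaPlugins, Adobe), a mount-point or network-configuration read, or a hostname/computer-name read. Those are what a browser does at startup, and none of them is a Run/RunOnce/Winlogon/IFEO-style autostart location; the lists also show opens and reads only. The script below is an added triage helper, not part of Cuckoo or of this report: it buckets a sample of keys copied from the lists above, reports anything touching a well-known autostart location, and shows a positive on one fabricated Run key. The category patterns are my own allowlist, not a Cuckoo signature set.

```python
import re

# Sample copied from the "Registry keys opened/read" lists above (verbatim).
SAMPLE_KEYS = [
    r"HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment",
    r"HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\Category\Item\{A48FA74E-F767-44E4-BFBC-169E8B38FF58}",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice",
    r"HKEY_CLASSES_ROOT\HTTP\shell\open\command",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d292a6b9-63cb-11e6-bd5e-806e6f6e6963}\Data",
    r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup",
]

# Fabricated for the demonstration; this key does NOT appear in the report.
FABRICATED_ASEP = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\updater"

# Well-known autostart (ASEP) locations. Matched case-insensitively against the key path.
ASEP_PATTERNS = [
    r"\\currentversion\\run(once|services)?(\\|$)",
    r"\\currentversion\\policies\\explorer\\run",
    r"\\winlogon\\(shell|userinit|notify)",
    r"\\image file execution options\\",
    r"\\currentversion\\explorer\\browser helper objects",
    r"\\shellserviceobjectdelayload",
    r"\\windows nt\\currentversion\\windows\\appinit_dlls",
]

# Browser-startup noise, in priority order (host-identity must precede network-config
# because both match Tcpip\Parameters). My own allowlist, not a Cuckoo signature set.
NOISE_PATTERNS = [
    ("text-services", r"\\microsoft\\ctf(\\|$)|^hkey_current_user\\keyboard layout"),
    ("fonts", r"\\windows nt\\currentversion\\(fontsubstitutes|fontlink)"),
    ("file-association", r"\\explorer\\fileexts|\\urlassociations|^hkey_classes_root\\|"
                         r"\\software\\classes\\|\\startmenuinternet|\\registeredapplications|"
                         r"\\mime\\database"),
    ("mount-points", r"\\explorer\\mountpoints2"),
    ("app-discovery", r"\\app paths\\|\\javasoft\\|\\mozillaplugins|\\adobe\\|\\netscape\\|"
                      r"\\mozilla\\firefox"),
    ("host-identity", r"\\tcpip\\parameters\\(hostname|domain)|\\computername\\"),
    ("network-config", r"\\dnsclient|\\dnscache|\\tcpip\\parameters|\\microsoft\\rpc|"
                       r"\\services\\bfe"),
]


def categorize(key):
    """Return 'autostart' for ASEP locations, a noise bucket name, or 'other'."""
    k = key.lower()
    if any(re.search(p, k) for p in ASEP_PATTERNS):
        return "autostart"
    for name, pattern in NOISE_PATTERNS:
        if re.search(pattern, k):
            return name
    return "other"


def triage_keys(keys):
    """Group keys by category so the reviewer only reads 'autostart' and 'other'."""
    buckets = {}
    for key in keys:
        buckets.setdefault(categorize(key), []).append(key)
    return buckets


def asep_hits(keys):
    """Keys that touch an autostart location; empty for the sample above."""
    return [k for k in keys if categorize(k) == "autostart"]


if __name__ == "__main__":
    for bucket, keys in triage_keys(SAMPLE_KEYS + [FABRICATED_ASEP]).items():
        print(bucket)
        for k in keys:
            print("   ", k)
```

The host-identity bucket (Hostname, Domain, ComputerName reads) is worth a glance because the same reads show up in environment fingerprinting, but a browser resolving its own name is the expected explanation here; the bucket exists so the reviewer sees them without them being lost among font and CTF noise.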

Process firefox.exe (2280)

  • Mutexes accessed

    • Local\FirefoxStartupMutex

Process firefox.exe (2280)

  • Directories created

    • C:\Users\zamen\AppData\Roaming\Mozilla
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox
    • C:\Users\zamen\AppData\Local
    • C:\Program Files (x86)\Mozilla Firefox
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\0
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups
    • C:\Users\zamen\AppData\Roaming
    • C:\Program Files (x86)
    • C:\Users\zamen
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox
    • C:\Users
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates
    • C:\Users\zamen\AppData
    • C:\Users\zamen\AppData\Local\Mozilla
  • Directories enumerated

    • C:\Windows\System32\ActionCenterCPL.dll
    • C:\Windows\System32\*.*
    • C:\Windows\System32\ACCTRES.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\*
    • C:\Windows\System32\GroupPolicyUsers
    • C:\Users\zamen\AppData\Roaming\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\*
    • C:\Windows\System32\ActionCenter.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\extensions\*
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\*
    • C:\Windows\System32
    • C:\Windows\System32\NlsData0039.dll
    • C:\Windows\System32\grpconv.exe
    • C:\Windows\winsxs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c\ATL80.dll
    • C:\Windows\System32\acledit.dll
    • C:\Program Files (x86)\Mozilla Firefox\greprefs\*
    • C:\Windows\System32\mscpxl32.dLL
    • C:\Windows\System32\0409
    • C:\Windows\System32\12520850.cpx
    • C:\Windows\System32\activeds.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\*
    • C:\Windows\System32\accessibilitycpl.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\*
    • C:\Windows\System32\vsstrace.dll
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\*
    • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\*
    • C:\Windows\System32\12520437.cpx
    • C:\Program Files (x86)\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\*
    • C:\Windows\System32\spbcd.dll
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\*
    • C:\Windows\System32\xwizards.dll
    • C:\Windows\System32\pscript.sep
    • C:\Program Files (x86)\Mozilla Firefox\plugins\*
    • C:\Windows\System32\aclui.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\*
    • C:\Program Files (x86)\Mozilla Firefox\searchplugins\*
    • C:\Windows\SysWOW64\*
    • C:\Windows\System32\GroupPolicy
    • C:\Program Files (x86)\Mozilla Firefox\extensions\*
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\secmod.db
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cert8.db
    • C:\Windows\System32\compstui.dll
    • C:\Windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
    • C:\Windows\System32\acppage.dll
    • C:\Program Files (x86)\Mozilla Firefox\chrome\*
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\key3.db
    • C:\Windows\System32\dinput.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\*
    • C:\Users\zamen\AppData\Local\Mozilla\Firefox\Mozilla Firefox\updates\*
    • C:\Windows
    • C:\Windows\winsxs
    • C:\Program Files (x86)\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\*
    • C:\Windows\System32\KBDIULAT.DLL
    • C:\Windows\System32\aaclient.dll

Process firefox.exe (2280)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default/nssckbi.dll
    • C:\Windows\system32\pnrpnsp.dll
    • C:\Program Files (x86)\Mozilla Firefox\nssdbm3.dll
    • DNSAPI.dll
    • UXTHEME.DLL
    • C:\Windows\system32\ole32.dll
    • dwmapi.dll
    • C:\Windows\system32\napinsp.dll
    • C:\Program Files (x86)\Mozilla Firefox\softokn3.dll
    • API-MS-Win-Core-LocalRegistry-L1-1-0.dll
    • cryptbase.dll
    • advapi32.dll
    • C:\Program Files (x86)\Mozilla Firefox\freebl3.dll
    • CRYPTSP.dll
    • Comctl32.dll
    • API-MS-Win-Security-SDDL-L1-1-0.dll
    • Kernel32.DLL
    • uxtheme.dll
    • msimg32
    • C:\Windows\System32\mswsock.dll
    • Shell32.dll
    • C:\Windows\System32\winrnr.dll
    • comctl32.dll
    • C:\Windows\system32\NLAapi.dll
    • iphlpapi.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\browserdirprovider.dll
    • MSImg32.dll
    • RpcRtRemote.dll
    • C:\Program Files (x86)\Mozilla Firefox\nssckbi.dll
    • user32.dll
    • ADVAPI32.dll
    • rpcrt4.dll
    • SETUPAPI.dll
    • WS2_32.dll
    • C:\Program Files (x86)\Mozilla Firefox\components\brwsrcmp.dll
    • ws2_32.dll

No static analysis available.
No antivirus signatures available.

Process Tree


firefox.exe, PID: 2280, Parent PID: 2256


Deprecation note: while processing this analysis the httpreplay Python library was not installed. Installing it (pip install httpreplay) lets Cuckoo do fuller PCAP analysis, including showing full HTTP and HTTPS requests and responses. It is recommended that you install this library and reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.128.109 52096 192.168.128.111 53
192.168.128.109 56743 192.168.128.111 53
192.168.128.109 60037 192.168.128.111 53
192.168.128.109 60112 192.168.128.111 53
192.168.128.109 64209 192.168.128.111 53
192.168.128.109 65476 192.168.128.111 53
192.168.128.109 138 192.168.128.255 138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 781ae27999adec8d_formhistory.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\formhistory.sqlite-journal
Size 1.0KB
Processes 2280 (firefox.exe)
Type data
MD5 abc86aaeb335752b1b973cfd8a673fea
SHA1 305e60050b45f3eefae7c6fea9ed856325874185
SHA256 781ae27999adec8d6068faeb970e32f8039b126062d2d0570f26f22640bc487b
CRC32 93EF089A
ssdeep 3:7FEG2l/9rLtll:7+/l/9
Yara None matched
VirusTotal Search for analysis
Name c9938b584acacba5_bookmarks-2018-11-05.json
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\bookmarkbackups\bookmarks-2018-11-05.json
Size 3.9KB
Processes 2280 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 7e5c69123625077e22e51b14a535a612
SHA1 d0985c228c3a634254e2e38fddd4f3fd0810d5b5
SHA256 c9938b584acacba5622897d894dca6142a004b13bb67a5ea313ac59e1c097969
CRC32 74D96362
ssdeep 48:YbOcwkt2zb26dP/rZXi/G0XA6yBjQBzBT5BJFL+DlwksGN+2p9:QubTdrZX/0XAuDLOl1Nb
Yara
  • contentis_base64 - This rule finds base64 strings
VirusTotal Search for analysis
Name 9f8ecaee004ed8b2_sessionstore.js
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\sessionstore.js
Size 262.0B
Processes 2280 (firefox.exe)
Type ASCII text, with no line terminators
MD5 24ab3220544b67a7e9a677377be8b3e1
SHA1 8247f2005e42f8232ff0119dc57f1340be6932c7
SHA256 9f8ecaee004ed8b28fe31fa4f57906421fdde11e323aea89a20f8ce7085e1606
CRC32 031B9D35
ssdeep 6:0XzguGXq9u4Rnq3/OWHpIfR09UHRvVGHu/Lqpkxh:0f9uP3WWHE09UHR9GHqOpa
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 89cc48f2585756b0_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2280 (firefox.exe)
Type data
MD5 16d7fce0b430a1d4a1a5f47fb77aaa0f
SHA1 4d758a75d4c477d6ade99372880e0f0009eee3db
SHA256 89cc48f2585756b001504c8077af0d0edd35f9cbbbdd27c695432a8e0ab18313
CRC32 47E9BB14
ssdeep 3:7FEG2l/ihl9/h//ll:7+/l/A
Yara None matched
Name 854957603b22ed0c_pluginreg.dat
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\pluginreg.dat
Size 2.0KB
Processes 2280 (firefox.exe)
Type ASCII text
MD5 0b83265b81236922d454dfbb4d41c814
SHA1 040e390405ce1569661bd83eb04b2a959759db8e
SHA256 854957603b22ed0c29a08c8be0511b16a127e31a8d8ef922eab443d5885b0147
CRC32 CF433F05
ssdeep 48:Z7RZ+OfLdoz5gN9wnISPmv4+M33OIfol3hu3jPkov4+M33r:PMOjyzy9wnr9folxu8v
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 74526bfe745e60aa__cache_map_
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\Cache\_CACHE_MAP_
Size 8.3KB
Processes 2280 (firefox.exe)
Type raw G3 data, byte-padded
MD5 8b876137ecbb9404fec2ed367f6edb19
SHA1 e8cab7eee92e5d42096a2fb98efc523a863e91a1
SHA256 74526bfe745e60aae9a75642bbb83b875fdca8b45548316d8afe5273c68a4f6d
CRC32 9EC49CAF
ssdeep 3:6/:
Yara None matched
Name 478a0c307b64efcd_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2280 (firefox.exe)
Type data
MD5 a1a813b35001796f38d909e8d0a4cca9
SHA1 41e86308d682916f8ce509fd8f33b4cdef38a70a
SHA256 478a0c307b64efcd88ce4eef10ff324ee2b459b9bf952b66fcb884e723fc2e4c
CRC32 4131CE8B
ssdeep 3:7FEG2l/9xnvp//ll:7+/l/9Bv
Yara None matched
Name 785ea86c8318cce4_cookies.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\cookies.sqlite-journal
Size 1.0KB
Processes 2280 (firefox.exe)
Type data
MD5 22a505c708c2df43e1b9905c370a3b97
SHA1 35693b9fa30c0048484dae577f191871c5be34ee
SHA256 785ea86c8318cce462d6f4c3cf0d8ce9c7435841fb6aac19915f52cb096a97d0
CRC32 BE1CE965
ssdeep 3:7FEGURkm/h//ll:7+/
Yara None matched
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name 46c2ef66ccc576a8_xpc.mfl
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\XPC.mfl
Size 2.1MB
Processes 2280 (firefox.exe)
Type Mozilla XUL fastload data
MD5 e03e3ad6ec7f61999df76b77c947a85e
SHA1 72b3f5a50b43ea9dddaff671295fe68440efdbdb
SHA256 46c2ef66ccc576a8717630477488f1bc76b475a79e85ee01735860003f672b15
CRC32 985BBF3E
ssdeep 12288:2KLN3sa3UOfVUYnj0+AZbKfzLcqymM18P0bAeRMd3ovUYoaBo34fWLtI4e6O4Kxt:9UQXaOueSJmGBOfLda6G
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
Name be305ff5fc1a91ee_downloads.sqlite-journal
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\downloads.sqlite-journal
Size 1.0KB
Processes 2280 (firefox.exe)
Type data
MD5 e536d433bcefd8dc84722c5773b348b8
SHA1 14a650b56b33858c36e959c4211fd77dc12c20b8
SHA256 be305ff5fc1a91ee5fe6db4a756778ad6c9aad6016c1bd68f1c64bc5156d2cab
CRC32 DF49CCA7
ssdeep 3:7FEG2l/S5l/h//ll:7+/l/C
Yara None matched
Name 83e243ebc2bf8871_urlclassifier3.sqlite
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite
Size 32.0KB
Processes 2280 (firefox.exe)
Type SQLite 3.x database, user version 5
MD5 658fbf0e1f75a8dd6c160eaed00b828d
SHA1 37f10d0cd480ec2fbd191a2b03d5c18980ad44c1
SHA256 83e243ebc2bf88718a911871463cf60fdb8640c34fc3f98595806cf6b251d750
CRC32 C35F5DFF
ssdeep 48:TY5MYNe0Itr56DlkEqWERlDNcRvgKm3t6:MSj+vmt6
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 4be6867ff00495e8_places.sqlite
Filepath C:\Users\zamen\AppData\Roaming\Mozilla\Firefox\Profiles\l13jpjzr.default\places.sqlite
Size 136.0KB
Processes 2280 (firefox.exe)
Type SQLite 3.x database, user version 6
MD5 207808980c565dab45d606652e63c88f
SHA1 e393956a4fe97348cdc2b984d863ff300f0dfa19
SHA256 4be6867ff00495e86401bf0885b0ec635ea01ebfae7a56d1f5947684b8cc402d
CRC32 897E3430
ssdeep 384:YOOjx1HpOC/924uPu1Zu1Ru11u17cYu1M:qjf1/924uv
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 09daa4ab3602190b_urlclassifier3.sqlite-journal
Filepath C:\Users\zamen\AppData\Local\Mozilla\Firefox\Profiles\l13jpjzr.default\urlclassifier3.sqlite-journal
Size 24.0KB
Processes 2280 (firefox.exe)
Type data
MD5 3a3ab2b18166f9160aedd4a983acc4ed
SHA1 5b75dabdba4d6ba6b07b14337f66102231a49193
SHA256 09daa4ab3602190b5c5aa57ab7dc27d7ada3f0313d6fc977947d09f696e36f56
CRC32 D5090BE2
ssdeep 48:7eFYSRRgK7q2U5MYNe0Itr56DlkEqWERlDNr:7eth7LUSj5
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Sorry! No dropped buffers.
Task ID 44
Mongo ID 5be00d3f11d30814d163df81
Cuckoo release 2.0-dev