File 2438437234472e54_groove12.pip

Size 144.0B
Type data
MD5 b7f9c831d347c365afe4d4fc912a6ccb
SHA1 6f76ef1ab1a02e9bed1b858ae5398b015c511e24
SHA256 2438437234472e54bca542fe8017405c269026aca4ed554beabba79dd3f12d89
SHA512 e70eb720e8a6109e22eea841a51afabb31dc51886fafaedeb3cfb54c1de53c4a9c19be510db549b8c95cbd124ae5a6edd495e4e72469a9fc65d6fd9ed6fcfa28
CRC32 A67B5A82
ssdeep 3:0/l3lldHllXlD//hllrllrllrll:87
Yara None matched

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.2 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category: FILE
Started: Jan. 10, 2019, 4:35 a.m.
Completed: Jan. 10, 2019, 4:40 a.m.
Duration: 264 seconds

Machine

Name: winxpsp3pro32
Label: winxpsp3pro32
Started On: 2019-01-10 04:35:39
Shutdown On: 2019-01-10 04:40:00

Analyzer Log

2019-01-10 02:35:35,015 [analyzer] DEBUG: Starting analyzer from: C:\qgcayrj
2019-01-10 02:35:35,015 [analyzer] DEBUG: Pipe server name: \\.\PIPE\uDuiuOjDIpChwLmpalcyszejEQyNYUof
2019-01-10 02:35:35,015 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\SFgOWWmSPSQiCeJSjLU
2019-01-10 02:35:35,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2019-01-10 02:35:35,015 [analyzer] INFO: Automatically selected analysis package "generic"
2019-01-10 02:35:36,905 [analyzer] DEBUG: Started auxiliary module Disguise
2019-01-10 02:35:37,062 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:37,062 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:37,140 [analyzer] DEBUG: Loaded monitor into process with pid 692
2019-01-10 02:35:37,140 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2019-01-10 02:35:37,140 [analyzer] DEBUG: Started auxiliary module Human
2019-01-10 02:35:37,140 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2019-01-10 02:35:37,140 [analyzer] DEBUG: Started auxiliary module Reboot
2019-01-10 02:35:37,280 [analyzer] DEBUG: Started auxiliary module RecentFiles
2019-01-10 02:35:37,280 [analyzer] DEBUG: Started auxiliary module Screenshots
2019-01-10 02:35:37,453 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"Wtuq"', u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\2438437234472e54_groove12.pip'] and pid 1440
2019-01-10 02:35:37,703 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:37,703 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:37,828 [analyzer] DEBUG: Loaded monitor into process with pid 1440
2019-01-10 02:35:38,092 [analyzer] INFO: Injected into process with pid 1452 and name u'rundll32.exe'
2019-01-10 02:35:38,187 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:38,187 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:38,296 [analyzer] DEBUG: Loaded monitor into process with pid 1452
2019-01-10 02:35:38,437 [analyzer] DEBUG: Received request to inject pid=1452, but we are already injected there.
2019-01-10 02:35:39,530 [modules.auxiliary.human] INFO: Found button "&Open With...", clicking it
2019-01-10 02:35:41,703 [modules.auxiliary.human] INFO: Found button "OK", clicking it
2019-01-10 02:35:42,890 [analyzer] INFO: Injected into process with pid 860 and name u'firefox.exe'
2019-01-10 02:35:43,453 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:43,453 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit kernel32.dll (with timestamp 0x4802a12c)
2019-01-10 02:35:43,546 [analyzer] DEBUG: Loaded monitor into process with pid 860
2019-01-10 02:35:44,717 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite-journal
2019-01-10 02:35:44,733 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-10.json
2019-01-10 02:35:46,405 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
2019-01-10 02:35:48,062 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite-journal
2019-01-10 02:35:48,296 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite-journal
2019-01-10 02:35:48,405 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
2019-01-10 02:35:49,983 [lib.api.process] INFO: Memory dump of process with pid 1452 completed
2019-01-10 02:35:50,453 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite-journal
2019-01-10 02:35:50,467 [analyzer] INFO: Process with pid 1452 has terminated
2019-01-10 02:35:50,515 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
2019-01-10 02:35:50,515 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
2019-01-10 02:35:51,500 [lib.api.process] INFO: Memory dump of process with pid 1440 completed
2019-01-10 02:35:52,467 [analyzer] INFO: Process with pid 1440 has terminated
2019-01-10 02:35:53,750 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
2019-01-10 02:35:58,717 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,733 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
2019-01-10 02:35:58,750 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,858 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,890 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,905 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,953 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
2019-01-10 02:35:58,953 [analyzer] DEBUG: Received request to inject pid=860, but we are already injected there.
2019-01-10 02:39:41,125 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-10 02:39:46,655 [lib.api.process] INFO: Memory dump of process with pid 860 completed
2019-01-10 02:39:46,655 [analyzer] INFO: Terminating remaining processes before shutdown.
2019-01-10 02:39:46,655 [lib.api.process] INFO: Successfully terminated process with pid 860.
2019-01-10 02:39:46,890 [analyzer] INFO: Analysis completed.
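
The analyzer log above is the raw record from which the report's Summary section is derived. As an added example (not part of the Cuckoo report), the script below parses a verbatim subset of those lines and rebuilds the same facts: which processes the monitor was loaded into (cmd.exe launching the sample with `start /wait`, the Open With dialog that Windows XP hosts in rundll32.exe, and firefox.exe once the Human module picked it), when each process exited or was killed at the timeout, and the distinct files each one wrote. Only the line formats visible in the report are assumed; nothing else about the analyzer is.

```python
"""Rebuild the process and dropped-file summary from Cuckoo analyzer log lines."""
import re
from collections import defaultdict

# Verbatim lines from the analyzer log in this report (a subset, to keep it short).
ANALYZER_LOG = r"""
2019-01-10 02:35:37,453 [lib.api.process] INFO: Successfully executed process from path 'C:\\WINDOWS\\System32\\cmd.exe' with arguments ['/c', 'start', '/wait', '"Wtuq"', u'C:\\DOCUME~1\\zamen\\LOCALS~1\\Temp\\2438437234472e54_groove12.pip'] and pid 1440
2019-01-10 02:35:38,092 [analyzer] INFO: Injected into process with pid 1452 and name u'rundll32.exe'
2019-01-10 02:35:42,890 [analyzer] INFO: Injected into process with pid 860 and name u'firefox.exe'
2019-01-10 02:35:44,717 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite-journal
2019-01-10 02:35:44,733 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-10.json
2019-01-10 02:35:49,983 [lib.api.process] INFO: Memory dump of process with pid 1452 completed
2019-01-10 02:35:50,467 [analyzer] INFO: Process with pid 1452 has terminated
2019-01-10 02:35:50,515 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
2019-01-10 02:35:52,467 [analyzer] INFO: Process with pid 1440 has terminated
2019-01-10 02:35:58,717 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,750 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
2019-01-10 02:35:58,953 [analyzer] INFO: Added new file to list with pid 860 and path C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
2019-01-10 02:39:41,125 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2019-01-10 02:39:46,655 [lib.api.process] INFO: Successfully terminated process with pid 860.
"""

# One regex for the common line prefix, one per message type seen in the report.
LINE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<src>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")
EXECUTED = re.compile(r"Successfully executed process from path '(?P<path>.+?)' with arguments (?P<args>\[.*\]) and pid (?P<pid>\d+)$")
INJECTED = re.compile(r"Injected into process with pid (?P<pid>\d+) and name u'(?P<name>[^']+)'")
NEW_FILE = re.compile(r"Added new file to list with pid (?P<pid>\d+) and path (?P<path>.+)$")
EXITED = re.compile(r"Process with pid (?P<pid>\d+) has terminated")
KILLED = re.compile(r"Successfully terminated process with pid (?P<pid>\d+)\.")


def summarize(log_text):
    """Return {'processes': {pid: info}, 'timeout_at': ts} from analyzer log text."""
    procs = defaultdict(lambda: {"name": None, "first_seen": None, "exited": None,
                                 "killed_by_analyzer": False, "files": set(), "file_events": 0})
    timeout_at = None
    for raw in log_text.strip().splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if (e := EXECUTED.search(msg)):
            p = procs[int(e["pid"])]
            # The path is Python-repr'd in the log, hence the doubled backslashes.
            p["name"] = re.split(r"\\+", e["path"])[-1]
            p["first_seen"], p["args"] = ts, e["args"]
        elif (i := INJECTED.search(msg)):
            p = procs[int(i["pid"])]
            p["name"], p["first_seen"] = i["name"], ts
        elif (f := NEW_FILE.search(msg)):
            p = procs[int(f["pid"])]
            p["files"].add(f["path"])            # distinct paths, as in the Summary's Written files
            p["file_events"] += 1                # raw event count, journals get re-added repeatedly
        elif (x := EXITED.search(msg)):
            procs[int(x["pid"])]["exited"] = ts
        elif (k := KILLED.search(msg)):
            procs[int(k["pid"])]["killed_by_analyzer"] = True
        elif "Analysis timeout hit" in msg:
            timeout_at = ts
    return {"processes": dict(procs), "timeout_at": timeout_at}


if __name__ == "__main__":
    result = summarize(ANALYZER_LOG)
    for pid, info in sorted(result["processes"].items()):
        end = info["exited"] or ("killed at timeout" if info["killed_by_analyzer"] else "unknown")
        print(f"{pid:>5} {info['name']:<14} first seen {info['first_seen']}  end {end}  "
              f"{len(info['files'])} distinct files / {info['file_events']} write events")
```

Running it shows the shape of the analysis at a glance: two short-lived processes that wrote nothing, and firefox.exe, which was never exited on its own but was killed when the analyzer hit its timeout, having written only into its own profile directories.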

Cuckoo Log

2019-01-10 04:35:36,784 [lib.cuckoo.core.scheduler] INFO: Task #643: acquired machine winxpsp3pro32 (label=winxpsp3pro32)
2019-01-10 04:35:39,588 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 11937 (interface=eth2, host=192.168.128.102, pcap=/opt/cuckoo/storage/analyses/643/dump.pcap)
2019-01-10 04:35:42,591 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=winxpsp3pro32, ip=192.168.128.102)
2019-01-10 04:39:59,452 [lib.cuckoo.core.guest] INFO: winxpsp3pro32: analysis completed successfully
2019-01-10 04:41:13,197 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2019-01-10 04:41:17,044 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b527625d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-10 04:41:17,046 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[traceback identical to the one above]
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b527620d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-10 04:41:17,047 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[traceback identical to the one above]
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b527622d0>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-10 04:41:17,047 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[traceback identical to the one above]
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7f9b52762190>: Failed to establish a new connection: [Errno 111] Connection refused
2019-01-10 04:41:17,048 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b52762190>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7f9b52762190>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

Queries for the computername (2 events)
Jan. 9, 2019, 11:35 p.m.
GetComputerNameW
computer_name: ZAMEN-D4C44BD73
status: success, return: 1, repeated: 0
Jan. 9, 2019, 11:35 p.m.
GetComputerNameA
computer_name: ZAMEN-D4C44BD73
status: success, return: 1, repeated: 0
Tries to locate where the browsers are installed (1 event)
file C:\Program Files\Mozilla Firefox\chrome\classic.manifest
Starts servers listening on 127.0.0.1 (6 events)
Jan. 9, 2019, 11:35 p.m.
bind
ip_address: 127.0.0.1
socket: 432
port: 0
status: success, return: 0, repeated: 0
Jan. 9, 2019, 11:35 p.m.
listen
socket: 432
backlog: 5
status: success, return: 0, repeated: 0
Jan. 9, 2019, 11:35 p.m.
accept
ip_address: 127.0.0.1
socket: 432
port: 1046
status: success, return: 456, repeated: 0
Jan. 9, 2019, 11:35 p.m.
bind
ip_address: 127.0.0.1
socket: 640
port: 0
status: success, return: 0, repeated: 0
Jan. 9, 2019, 11:35 p.m.
listen
socket: 640
backlog: 5
status: success, return: 0, repeated: 0
Jan. 9, 2019, 11:35 p.m.
accept
ip_address: 127.0.0.1
socket: 640
port: 1049
status: success, return: 660, repeated: 0
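
The signature above fires on any bind/listen/accept sequence, and the report does not say which process owned the sockets. As an added triage example (not part of the Cuckoo report), the check below replays the six events and separates a loopback-only listener on an OS-assigned port (an application talking to itself, which is how NSPR-based programs such as Firefox emulate a socket pair on Windows) from a listener that would actually expose a service. The second event set, bound to 0.0.0.0:4444 and accepting from 10.0.0.5, is constructed for contrast and does not appear in the report.

```python
"""Triage for the 'Starts servers listening' signature: loopback IPC versus an exposed listener."""
from collections import defaultdict

# The six events from the report's signature table, transcribed as dicts.
REPORT_EVENTS = [
    {"api": "bind",   "socket": 432, "ip_address": "127.0.0.1", "port": 0},
    {"api": "listen", "socket": 432, "backlog": 5},
    {"api": "accept", "socket": 432, "ip_address": "127.0.0.1", "port": 1046},
    {"api": "bind",   "socket": 640, "ip_address": "127.0.0.1", "port": 0},
    {"api": "listen", "socket": 640, "backlog": 5},
    {"api": "accept", "socket": 640, "ip_address": "127.0.0.1", "port": 1049},
]

# Constructed contrast case (hypothetical, not in the report): a fixed-port
# listener on every interface that accepts a connection from another host.
CONSTRUCTED_BIND_SHELL = [
    {"api": "bind",   "socket": 900, "ip_address": "0.0.0.0", "port": 4444},
    {"api": "listen", "socket": 900, "backlog": 1},
    {"api": "accept", "socket": 900, "ip_address": "10.0.0.5", "port": 51234},
]

LOOPBACK = {"127.0.0.1", "::1"}


def classify_listeners(events):
    """Group bind/listen/accept by socket and label each one.

    Labels: 'loopback-ephemeral' (bound to loopback with an OS-chosen port and
    every accepted peer also loopback), 'exposed-listener' (anything else that
    reached listen()), or 'incomplete' (bound but never listening).
    """
    per_socket = defaultdict(lambda: {"peers": []})
    for ev in events:
        s = per_socket[ev["socket"]]
        if ev["api"] == "bind":
            s["bind_ip"], s["bind_port"] = ev["ip_address"], ev["port"]
        elif ev["api"] == "listen":
            s["listening"] = True
        elif ev["api"] == "accept":
            s["peers"].append(ev["ip_address"])   # address of the peer that connected

    verdicts = {}
    for sock, s in per_socket.items():
        if "bind_ip" not in s or not s.get("listening"):
            verdicts[sock] = "incomplete"
            continue
        loopback_only = s["bind_ip"] in LOOPBACK and all(p in LOOPBACK for p in s["peers"])
        ephemeral = s["bind_port"] == 0           # port 0: the OS picks it, so nothing external can target it
        verdicts[sock] = "loopback-ephemeral" if loopback_only and ephemeral else "exposed-listener"
    return verdicts


def worth_escalating(events):
    """True when at least one socket could be reached from another host or a known port."""
    return "exposed-listener" in classify_listeners(events).values()


if __name__ == "__main__":
    print("report   :", classify_listeners(REPORT_EVENTS))
    print("contrast :", classify_listeners(CONSTRUCTED_BIND_SHELL))
```

The ephemeral-port condition does the real work: a listener on 127.0.0.1 with a fixed port is still classed as exposed, because a second stage or a local proxy could be told where to connect, whereas a port the OS chose is only usable by the process that learned it from bind(). Both report sockets come out as loopback-ephemeral, which is why this hit alone should not move the score.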
Creates executable files on the filesystem (1 event)
file C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js (Firefox's own session-store file, written by firefox.exe; the match is on the .js extension, not on executable content)
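
The single hit for this signature is Firefox's session store, written by firefox.exe (pid 860, listed under its Written files below); it matched because the signature keys on the .js extension. As an added example (not from the report or from Cuckoo), the check below is what a reviewer would apply before accepting such a hit: classify the bytes written rather than the name. The sample contents are constructed, since the report gives file names only, and the extension set is an assumed approximation of what an extension-keyed signature treats as executable.

```python
"""Content-based check behind the 'Creates executable files' signature."""
import struct
from typing import Optional

# Constructed stand-in for a Firefox 3-era sessionstore.js (JSON wrapped in parentheses).
SESSIONSTORE_JS = b'({"windows":[{"tabs":[{"entries":[{"url":"about:blank"}]}]}]})'


def _minimal_pe_header() -> bytes:
    """A DOS header whose e_lfanew points at a 'PE\\0\\0' signature (a header only, not a runnable image)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)        # 64-byte IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 0x80)     # e_lfanew = 0x80
    return bytes(dos) + b"\x00" * (0x80 - len(dos)) + b"PE\x00\x00" + b"\x00" * 20


PE_STUB = _minimal_pe_header()

# Assumed approximation of the extensions an extension-keyed signature treats
# as executable; .js is in it, which is why sessionstore.js matched.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".pif", ".js", ".vbs", ".bat", ".cmd", ".ps1"}


def executable_format(data: bytes) -> Optional[str]:
    """Identify an executable image by its header bytes; None for anything else."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if 0 < e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-dos"                          # MZ without a PE header: a DOS executable
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:2] == b"#!":
        return "script"                          # interpreter-directed text
    return None


def triage_written_file(path: str, data: bytes) -> dict:
    """Combine the extension heuristic with the content check and decide whether to escalate."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    fmt = executable_format(data)
    return {
        "file": name,
        "extension_hit": ext in EXECUTABLE_EXTENSIONS,
        "content_format": fmt,
        # Escalate on what the bytes are, not on what the name says.
        "escalate": fmt is not None,
    }


if __name__ == "__main__":
    profile = r"C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default"
    print(triage_written_file(profile + r"\sessionstore.js", SESSIONSTORE_JS))
    print(triage_written_file(r"C:\DOCUME~1\zamen\LOCALS~1\Temp\dropped.dat", PE_STUB))  # hypothetical path
```

The content check settles the "executable image" claim, but it is deliberately narrow: a JScript dropper written to Temp by a document handler is a real finding even though its bytes are text. What decides this hit is the combination the report already gives, a browser process writing a .js file into its own profile directory, and the check above is the part of that reasoning that can be automated.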

Network

Hosts

No hosts contacted.

Summary

Process cmd.exe (1440)

Process rundll32.exe (1452)

  • Opened files

    • C:\WINDOWS\system32\cscui.dll
    • C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    • C:\WINDOWS\system32\shell32.dll
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOICONS.EXE
  • Files Read

    • C:\WINDOWS\system32\shell32.dll
    • C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOICONS.EXE

Process firefox.exe (860)

  • Opened files

    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cert8.db
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\
    • C:\Program Files\Mozilla Firefox\browserconfig.properties
    • C:\WINDOWS\system32\CONFIG.NT
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.ini
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.cache
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Program Files\Mozilla Firefox\modules\DownloadUtils.jsm
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\WINDOWS\system32\12520437.cpx
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_003_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\mimeTypes.rdf
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compatibility.ini
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\permissions.sqlite
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\xpti.dat
    • C:\WINDOWS\system32\sndvol32.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compreg.dat
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\search.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\content-prefs.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\WINDOWS\system32\ntdos.sys
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_002_
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Program Files\Mozilla Firefox\foxyproxy.xml
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XUL.mfl
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.rdf
    • C:\WINDOWS\system32\msdmo.dll
    • C:\Program Files\Mozilla Firefox\blocklist.xml
    • C:\WINDOWS\system32\VEN2232.OLB
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\secmod.db
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_001_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\WINDOWS\system32\icfgnt5.dll
    • C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files\Mozilla Firefox\modules\PluralForm.jsm
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\WINDOWS\system32\acctres.dll
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\WINDOWS\system32\xpsp2res.dll
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\WINDOWS\system32\kbdusx.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\key3.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\localstore.rdf
    • C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\WINDOWS\system32\access.cpl
    • C:\WINDOWS\system32\dplayx.dll
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\WINDOWS\system32\query.dll
  • Written files

    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-10.json
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite-journal
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
  • Files Read

    • C:\Program Files\Mozilla Firefox\chrome\classic.manifest
    • C:\Program Files\Mozilla Firefox\res\dtd\xhtml11.dtd
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cert8.db
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome\autocopy.jar
    • C:\Program Files\Mozilla Firefox\extensions\{0FED7D55-65D4-47b6-A6DE-9A4ADB55355F}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.dtd
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.rdf
    • C:\Program Files\Mozilla Firefox\browserconfig.properties
    • C:\WINDOWS\system32\CONFIG.NT
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.ini
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\UserID
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions.cache
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\modules\superadd.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\prefs.js
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite
    • C:\Program Files\Mozilla Firefox\res\charsetData.properties
    • C:\Program Files\Mozilla Firefox\res\hiddenWindow.html
    • C:\Program Files\Mozilla Firefox\res\forms.css
    • C:\Program Files\Mozilla Firefox\chrome\reporter.manifest
    • C:\WINDOWS\system32\12520437.cpx
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-branding.js
    • C:\Program Files\Mozilla Firefox\chrome\en-US.jar
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_003_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Crash Reports\InstallTime2008052906
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\mimeTypes.rdf
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compatibility.ini
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\permissions.sqlite
    • C:\Program Files\Mozilla Firefox\chrome\toolkit.jar
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\xpti.dat
    • C:\WINDOWS\system32\sndvol32.exe
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\compreg.dat
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\profiles.ini
    • C:\Program Files\Mozilla Firefox\res\html.css
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\search.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\content-prefs.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\proxy.js
    • C:\WINDOWS\system32\ntdos.sys
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\greprefs\all.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_002_
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome\skin\ietab-engine-fx.png
    • C:\Program Files\Mozilla Firefox\foxyproxy.xml
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XUL.mfl
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\searchplugins\eBay.xml
    • C:\WINDOWS\system32\msdmo.dll
    • C:\Program Files\Mozilla Firefox\blocklist.xml
    • C:\WINDOWS\system32\VEN2232.OLB
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\secmod.db
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome\clrtabs.jar
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome\inbasicph.jar
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome.manifest
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\defaults.js
    • C:\Program Files\Mozilla Firefox\chrome\comm.manifest
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_001_
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Mozilla Firefox\res\ua.css
    • C:\WINDOWS\system32\icfgnt5.dll
    • C:\Program Files\Mozilla Firefox\searchplugins\amazondotcom.xml
    • C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\chrome.manifest
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\match.js
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\autoconf.js
    • C:\Program Files\Mozilla Firefox\chrome\classic.jar
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\WINDOWS\system32\acctres.dll
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\pref.js
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\foxyproxy.css
    • C:\WINDOWS\system32\xpsp2res.dll
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\strings.xml
    • C:\Program Files\Mozilla Firefox\chrome\pippki.manifest
    • C:\Program Files\Mozilla Firefox\res\charsetalias.properties
    • C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js
    • C:\Program Files\Mozilla Firefox\chrome\browser.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
    • C:\Program Files\Mozilla Firefox\chrome\en-US.manifest
    • C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml
    • C:\Program Files\Mozilla Firefox\application.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox-l10n.js
    • C:\WINDOWS\system32\kbdusx.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\key3.db
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\content\images\disabled.gif
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\localstore.rdf
    • C:\Program Files\Mozilla Firefox\searchplugins\google.xml
    • C:\Program Files\Mozilla Firefox\components\browser.xpt
    • C:\WINDOWS\system32\access.cpl
    • C:\WINDOWS\system32\dplayx.dll
    • C:\Program Files\Mozilla Firefox\platform.ini
    • C:\Program Files\Mozilla Firefox\defaults\pref\reporter.js
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\chrome.manifest
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
    • C:\Program Files\Mozilla Firefox\greprefs\xpinstall.js
    • C:\Program Files\Mozilla Firefox\greprefs\security-prefs.js
    • C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
    • C:\Program Files\Mozilla Firefox\defaults\pref\firefox.js
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\chrome.manifest
    • C:\Program Files\Mozilla Firefox\res\quirk.css
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\chrome\locale\en-US\foxyproxy.properties
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\ietab.js
    • C:\WINDOWS\system32\query.dll

Process cmd.exe (1440)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DelayedExpansion
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\PathCompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\TimeZoneKeyName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\CompletionChar
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Tzi
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\DisableUNCCheck
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Dlt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\EnableExtensions
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Std
    • HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

Process rundll32.exe (1452)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\Clsid
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2 (GFS Stub)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\AppLogLevels
    • HKEY_CLASSES_ROOT\Directory
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\shell
    • HKEY_CLASSES_ROOT\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\PIPFile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\ShellEx\IconHandler
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNT
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
    • HKEY_CLASSES_ROOT\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InProcServer32
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\LangBarAddIn\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{920E6DB1-9907-4370-B3A0-BAFC03D81399}
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Groove\Development
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    • HKEY_CLASSES_ROOT\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{99FD978C-D287-4F50-827F-B2C658EDA8E7}
    • HKEY_CLASSES_ROOT\Folder
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\Clsid
    • HKEY_CLASSES_ROOT\SystemFileAssociations\.pip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 4 (GFS Unread Mark)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_LOCAL_MACHINE\System\WPA\PnP
    • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{16F3DD56-1AF5-4347-846D-7C10C4192619}
    • HKEY_CLASSES_ROOT\CLSID\{750FDF0E-2A26-11D1-A3EA-080036587F03}\InProcServer32
    • HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\Clsid
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\CurVer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Clsid
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\rundll32.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 3 (GFS Folder)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\
    • HKEY_CLASSES_ROOT\.pip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\rundll32.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 1 (GFS Unread Stub)
    • HKEY_CLASSES_ROOT\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InProcServer32
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\CurVer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\(Default)
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\ShellEx\IconHandler
    • HKEY_CLASSES_ROOT\*
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530e-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530d-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530a-636a-11e6-ba0d-806d6172696f}\BaseClass
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d396530b-636a-11e6-ba0d-806d6172696f}\BaseClass
  • Registry keys read

    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InprocServer32\(Default)
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\NoInternetOpenWith
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\NoNetCrawling
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\NeverShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pip\PerceivedType
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Associations\Application
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DontShowSuperHidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Filter
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\BrowseInPlace
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Dlt
    • HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics\Shell Icon Size
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\InternetOpenWith
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\DocObject
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2 (GFS Stub)\SuppressionPolicy
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 4 (GFS Unread Mark)\SuppressionPolicy
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\AlwaysShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\FriendlyTypeName
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OsLoaderPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\InternetOpenWith
    • HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSimpleStartMenu
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InprocServer32\LoadWithoutCOM
    • HKEY_LOCAL_MACHINE\SYSTEM\WPA\PnP\seed
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 1 (GFS Unread Stub)\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Offline Files\SuppressionPolicy
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InprocServer32\LoadWithoutCOM
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\BrowseInPlace
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SeparateProcess
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared\CUAS
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetOpenWith
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\DontPrettyPath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Time Zones\TimeZoneKeyName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
    • HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics\Shell Icon Bpp
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}\InprocServer32\LoadWithoutCOM
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 4 (GFS Unread Mark)\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Std
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 2 (GFS Stub)\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\AllowFileCLSIDJunctions
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\E. South America Standard Time\Tzi
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\AlwaysShowExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\MapNetDrvBtn
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Max Cached Icons
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}\InprocServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\IsShortcut
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.pip\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530e-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 3 (GFS Folder)\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogPath
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InprocServer32\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\IsShortcut
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{16F3DD56-1AF5-4347-846D-7C10C4192619}\InprocServer32\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{920E6DB1-9907-4370-B3A0-BAFC03D81399}\InprocServer32\LoadWithoutCOM
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{750fdf0e-2a26-11d1-a3ea-080036587f03}\InProcServer32\LoadWithoutCOM
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 3 (GFS Folder)\SuppressionPolicy
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\Groove Explorer Icon Overlay 1 (GFS Unread Stub)\SuppressionPolicy
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\DriverCachePath
    • HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics\Shell Small Icon Size
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{99FD978C-D287-4F50-827F-B2C658EDA8E7}\InprocServer32\LoadWithoutCOM
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\NeverShowExt
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemPartition
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoWebView
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\DocObject
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackCachePath
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530a-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530d-636a-11e6-ba0d-806d6172696f}\Generation
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\(Default)
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{d396530b-636a-11e6-ba0d-806d6172696f}\Data
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PIPFile\NoOpen
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain

Process firefox.exe (860)

  • Registry keys opened

    • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/DTPlugin,version=11.111.2
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_111
    • HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes
    • HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Plug-in\1.8.0_111
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0_07
    • HKEY_CLASSES_ROOT\HTTP\shell\open\command
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
    • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_CLASSES_ROOT\.dtd
    • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=11.111.2
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
    • HKEY_CLASSES_ROOT\.js
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
    • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath
    • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
    • HKEY_LOCAL_MACHINE\Software\Netscape\Netscape Navigator
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces
    • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
    • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
    • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
    • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Plug-in\1.7.0_07
    • HKEY_CURRENT_USER\Software\MozillaPlugins
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
  • Registry keys read

    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UseDomainNameDevolution
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CYR,204
    • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CYR,204
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationRefreshInterval
    • HKEY_CURRENT_USER\http\shell\open\command\(Default)
    • HKEY_CURRENT_USER\Software\Netscape\Netscape Navigator\Suffixes\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Acrobat Reader\9.0\InstallPath\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationRefreshInterval
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastListenLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.7.0_07\JavaHome
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryAdapterName
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutodial
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheTtl
    • HKEY_CURRENT_USER\https\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman TUR,162
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationEnabled
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\UpdateSecurityLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tms Rmn
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Hostname
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AllowUnqualifiedQuery
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateZoneExcludeFile
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationTtl
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseHostsFile
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Greek,161
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenBadTlds
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CE,238
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ldap\LdapClientIntegrity
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterReverseLookup
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\FilterClusterIp
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\DnsTest
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New CYR,204
    • HKEY_CURRENT_USER\https\DefaultIcon\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableReverseAddressRegistrations
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateSecurityLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\BrowserJavaVersion
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\Extension
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\PrioritizeRecordData
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\Content Type
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsNbtLookupOrder
    • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ServerPriorityTimeLimit
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\WaitForNameErrorOnAll
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQuickQueryTimeouts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterWanAdapters
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/JavaPlugin,version=11.111.2\Path
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UpdateTopLevelDomainZones
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\PrioritizeRecordData
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsMulticastQueryTimeouts
    • HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Runtime Environment\1.8.0_111\JavaHome
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MediaPlayer\Installation Directory
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AdapterTimeoutLimit
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\MS Shell Dlg 2
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegistrationMaxAddressCount
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DefaultRegistrationTTL
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableDynamicUpdate
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times New Roman Greek,161
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\AllowUnqualifiedQuery
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DnsQueryTimeouts
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCacheSize
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseDomainNameDevolution
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\UseEdns
    • HKEY_LOCAL_MACHINE\SOFTWARE\mozilla.org\Mozilla\CurrentVersion
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MulticastSendLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxNegativeCacheTtl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New TUR,162
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Arial CE,238
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Times
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\AppendToMultiLabelName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableAdapterDomainName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterPrimaryName
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\EnableAdapterDomainNameRegistration
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\MaxNumberOfAddressesToRegister
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\ScreenUnreachableServers
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\MaxCachedSockets
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\RegisterAdapterName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helvetica
    • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Helv
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Courier New Baltic,186
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
    • HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@java.com/DTPlugin,version=11.111.2\Path
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Dnscache\Parameters\QueryIpMatching
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Domain
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\DisableWanDynamicUpdate
    • HKEY_CURRENT_USER\http\DefaultIcon\(Default)

Process cmd.exe (1440)

Process rundll32.exe (1452)

  • Mutexes accessed

    • CTF.Compart.MutexDefaultS-1-5-21-1960408961-1085031214-725345543-1003
    • CTF.LBES.MutexDefaultS-1-5-21-1960408961-1085031214-725345543-1003
    • CTF.TMD.MutexDefaultS-1-5-21-1960408961-1085031214-725345543-1003
    • CTF.TimListCache.FMPDefaultS-1-5-21-1960408961-1085031214-725345543-1003MUTEX.DefaultS-1-5-21-1960408961-1085031214-725345543-1003
    • CTF.Layouts.MutexDefaultS-1-5-21-1960408961-1085031214-725345543-1003
    • CTF.Asm.MutexDefaultS-1-5-21-1960408961-1085031214-725345543-1003
    • MSCTF.Shared.MUTEX.EFG

Process firefox.exe (860)

  • Mutexes accessed

    • Local\FirefoxStartupMutex

Process cmd.exe (1440)

  • Directories enumerated

    • C:\Documents and Settings
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\2438437234472e54_groove12.pip
    • C:\WINDOWS
    • C:\WINDOWS\WinSxS
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll

Process rundll32.exe (1452)

  • Directories enumerated

    • C:\Documents and Settings
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
    • C:\Documents and Settings\zamen\Local Settings\Temp
    • C:\Documents and Settings\zamen\Local Settings\Temp\2438437234472e54_groove12.pip
    • C:\WINDOWS
    • C:\WINDOWS\WinSxS
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll

Process firefox.exe (860)

  • Directories created

    • C:\Documents and Settings
    • C:\Documents and Settings\zamen\Local Settings\Application Data
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\0
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox
    • C:\Program Files
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default
    • C:\Documents and Settings\zamen\Application Data\Mozilla
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles
    • C:\Program Files\Mozilla Firefox
    • C:\Documents and Settings\zamen\Local Settings
    • C:\Documents and Settings\zamen
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox
    • C:\Documents and Settings\zamen\Application Data
  • Directories enumerated

    • C:\WINDOWS\system32\1054
    • C:\WINDOWS\system32\VEN2232.OLB
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\secmod.db
    • C:\WINDOWS\system32\CONFIG.NT
    • C:\Program Files\Mozilla Firefox\plugins\*
    • C:\Program Files\Mozilla Firefox\greprefs\*
    • C:\WINDOWS\system32\1037
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cert8.db
    • C:\WINDOWS\system32\aaaamon.dll
    • C:\Program Files\Adobe\Reader 9.0\Reader\Browser\*
    • C:\WINDOWS\system32\1033
    • C:\WINDOWS\system32\1031
    • C:\Program Files\Mozilla Firefox\components\*
    • C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Mozilla Firefox\updates\*
    • C:\Program Files\Mozilla Firefox\chrome\*
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\key3.db
    • C:\WINDOWS\system32\aaclient.dll
    • C:\Program Files\Windows Media Player\*
    • C:\WINDOWS\system32\icfgnt5.dll
    • C:\Program Files\Mozilla Firefox\extensions\*
    • C:\WINDOWS\system32\access.cpl
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\*
    • C:\WINDOWS\system32\2052
    • C:\WINDOWS\system32\$winnt$.inf
    • C:\Program Files\Mozilla Firefox\defaults\pref\*
    • C:\WINDOWS\system32\accwiz.exe
    • C:\Program Files\Java\jre1.8.0_111\bin\plugin2\*
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\defaults\preferences\*
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\plugins\*
    • C:\WINDOWS\system32\sndvol32.exe
    • C:\WINDOWS\system32\3076
    • C:\WINDOWS
    • C:\WINDOWS\system32\acledit.dll
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\defaults\preferences\*
    • C:\WINDOWS\system32\3com_dmi
    • C:\WINDOWS\system32\acelpdec.ax
    • C:\WINDOWS\system32\6to4svc.dll
    • C:\WINDOWS\system32
    • C:\WINDOWS\system32\1025
    • C:\WINDOWS\system32\1042
    • C:\WINDOWS\system32\1041
    • C:\WINDOWS\system32\acctres.dll
    • C:\WINDOWS\system32\1028
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\*
    • C:\Program Files\Mozilla Firefox\searchplugins\*
    • C:\WINDOWS\system32\ntdos.sys
    • C:\WINDOWS\system32\dplayx.dll
    • C:\Program Files\Java\jre1.8.0_111\bin\dtplugin\*
    • C:\WINDOWS\system32\12520850.cpx
    • C:\Program Files\Mozilla Firefox\extensions\foxyproxy@eric.h.jung\components\*
    • C:\Program Files\Mozilla Firefox\extensions\{77b819fa-95ad-4f2c-ac7c-486b356188a9}\components\*
    • C:\Program Files\Mozilla Firefox\extensions\{0545b830-f0aa-4d7e-8820-50a4629a56fe}\defaults\preferences\*
    • C:\WINDOWS\system32\config
    • C:\WINDOWS\system32\xpsp2res.dll
    • C:\Program Files\Mozilla Firefox\extensions\amin.eft_PhProxy@gmail.com\defaults\preferences\*
    • C:\Program Files\Java\jre1.8.0_111\bin\*
    • C:\WINDOWS\system32\*.*
    • C:\WINDOWS\system32\12520437.cpx
    • C:\WINDOWS\system32\kbdusx.dll
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\extensions\*
    • C:\WINDOWS\system32\msdmo.dll
    • C:\WINDOWS\system32\query.dll

Process cmd.exe (1440)

  • Processes created

    • "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,OpenAs_RunDLL C:\DOCUME~1\zamen\LOCALS~1\Temp\2438437234472e54_groove12.pip
    • C:\Documents and Settings\zamen\Local Settings\Temp\2438437234472e54_groove12.pip
  • DLLs Loaded

    • SHELL32.dll
    • Kernel32.DLL
    • UXTHEME.DLL
    • oleaut32.dll
    • ADVAPI32.dll
    • MSImg32.dll
    • user32.dll
    • Comctl32.dll

Process rundll32.exe (1452)

  • Processes created

    • "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pip"
    • http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pip
  • DLLs Loaded

    • UxTheme.dll
    • C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    • C:\WINDOWS\system32\shell32.dll
    • C:\WINDOWS\system32\MSCTF.dll
    • MSImg32.dll
    • appHelp.dll
    • UXTHEME.DLL
    • Kernel32.DLL
    • uxtheme.dll
    • oleaut32.dll
    • SHELL32.dll
    • C:\WINDOWS\system32\SHELL32.dll
    • ole32.dll
    • SETUPAPI.dll
    • Comctl32.dll
    • user32.dll
    • C:\WINDOWS\system32\uxtheme.dll

Process firefox.exe (860)

  • DLLs Loaded

    • dbghelp.dll
    • C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
    • C:\Program Files\Mozilla Firefox\freebl3.dll
    • C:\Program Files\Mozilla Firefox\softokn3.dll
    • iphlpapi.dll
    • C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
    • msimg32
    • DNSAPI.dll
    • C:\Program Files\Mozilla Firefox\nssdbm3.dll
    • uxtheme.dll
    • OLE32
    • C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default/nssckbi.dll
    • C:\WINDOWS\System32\mswsock.dll
    • advapi32.dll
    • Shell32.dll
    • rpcrt4.dll
    • OLE32.DLL
    • C:\WINDOWS\System32\winrnr.dll
    • C:\Program Files\Mozilla Firefox\nssckbi.dll
    • ws2_32.dll

No static analysis available.
No antivirus signatures available.

Process Tree


cmd.exe, PID: 1440, Parent PID: 1312


rundll32.exe, PID: 1452, Parent PID: 1440


firefox.exe, PID: 860, Parent PID: 1452


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

Source           Source port  Destination      Destination port
192.168.128.102  1025         192.168.128.111  53
192.168.128.102  1057         192.168.128.111  53
192.168.128.102  1060         192.168.128.111  53
192.168.128.102  137          192.168.128.255  137
192.168.128.102  138          192.168.128.255  138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name 9edf390e0cce58f1_downloads.sqlite
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite
Size 2.0KB
Processes 860 (firefox.exe)
Type SQLite 3.x database, user version 8
MD5 05688621ebe96046ca140fe325f24da1
SHA1 f1ebff51a361d3b878e0161a941a8e2ceaf5dc7f
SHA256 9edf390e0cce58f1277033b84c419ea731aeb99e27394e256861594acc98f31f
CRC32 0DE984A0
ssdeep 12:HL/cMWlV6mbJB2AUzbyhSCeJtJE9KYTe:rmOXWhQJtJEUYa
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name d6c9d4d1a4ee7ab4_pluginreg.dat
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\pluginreg.dat
Size 4.1KB
Processes 860 (firefox.exe)
Type UTF-8 Unicode text
MD5 4f75b27210f276261b541aef7411d131
SHA1 9dc5d8307cc020c0b8803ea825007674c3518e76
SHA256 d6c9d4d1a4ee7ab4f742511a8709e553940f8d80b29dcff0a146cbf7085eb885
CRC32 051EE917
ssdeep 48:Z7RdnjFTlCyYyXVAyCCPtv4+M33Z69HJZY6nCGJZeZ9De8n1nJo2oD+Hs9HF8E22:PdZTljYyXqyTEs56LyzB6wnu8lxF
Yara
  • contentis_base64 - This rule finds for base64 strings
Name 84815c4432193a7e_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 860 (firefox.exe)
Type data
MD5 788429e6541d6a34384b1eae7129cf4a
SHA1 e076be945a8675193719c5482445cf628be51476
SHA256 84815c4432193a7e971605a133da70a1e26e7eb9a926f6ee6a7f44882cbdd981
CRC32 D27AC721
ssdeep 3:7FEG2l/qD/h//ll:7+/l/
Yara None matched
Name 74526bfe745e60aa__cache_map_
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\Cache\_CACHE_MAP_
Size 8.3KB
Processes 860 (firefox.exe)
Type raw G3 data, byte-padded
MD5 8b876137ecbb9404fec2ed367f6edb19
SHA1 e8cab7eee92e5d42096a2fb98efc523a863e91a1
SHA256 74526bfe745e60aae9a75642bbb83b875fdca8b45548316d8afe5273c68a4f6d
CRC32 9EC49CAF
ssdeep 3:6/:
Yara None matched
Name 7c361a27de2aa9e0_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 860 (firefox.exe)
Type data
MD5 21ee25369c152e4ae4f287b4dca8cfdd
SHA1 c53b34724a42fb4eabe9b133b7122bd360d43bbb
SHA256 7c361a27de2aa9e0074007b858aac45254fed202c8164444e82edadbf54f2e68
CRC32 A46F8FB8
ssdeep 3:7FEG2l/ysvp//ll:7+/l/9
Yara None matched
Name e3b0c44298fc1c14_update.test
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
Name a829aff9708a4f53_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 2.0KB
Processes 860 (firefox.exe)
Type data
MD5 f9abf351f8be753fab27d0d4b3d31290
SHA1 7c2c4a2d371ba3da4e2b8ac2d155d1d85577159f
SHA256 a829aff9708a4f53457a3528370578728e48b5e6c1878c1d4eb5f72f19cfb944
CRC32 F07FE6BA
ssdeep 3:7FEG2l+8aZqtll0pMRgSCbNFl/sl/ldlShXllU0n:7+/lDhgpbNFlEXSM0
Yara
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 83ff974a05f5835d_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 860 (firefox.exe)
Type data
MD5 89bfa51e1eccb110ab797c83323425a3
SHA1 0e94969fe3015e0b654106522310da94e7a5f960
SHA256 83ff974a05f5835ddb7a8185a3d29da11c983d180b0185b6977b06968e892676
CRC32 54DBFE0B
ssdeep 3:7FEG2l/GL6//ll:7+/l/
Yara None matched
Name 0cb50b9224eb208c_xpc.mfl
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\XPC.mfl
Size 2.1MB
Processes 860 (firefox.exe)
Type Mozilla XUL fastload data
MD5 baa484595b75dcf8cddaed7299fa5649
SHA1 73376f58ed194d392d1517d90027c386594d2b81
SHA256 0cb50b9224eb208c443ff6d007319f107070adee5d13dc1dd5bbf5843943da2d
CRC32 69D3994F
ssdeep 12288:bLh0ne0JGAv3iJnhgycZRwXf5K+Esn76Aaea+3uKZgJGCm0T+FQ6MPGgk4cw+J59:WifRuLG/9JshvTkFw2RL
Yara
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • contentis_base64 - This rule finds for base64 strings
Name 1c0e3c65ab312407_urlclassifier3.sqlite-journal
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite-journal
Size 24.0KB
Processes 860 (firefox.exe)
Type data
MD5 28980c35f0dabf008bfcf5248fdebbe5
SHA1 a10b2c3370e45b9692a5b3ef263c0cbb2df3414c
SHA256 1c0e3c65ab3124072973c625cae35c3bfa7a34cae62778981baf0d64eb82ad98
CRC32 114ED103
ssdeep 48:7etEeRRgKK8q2U5MYNe0Itr56DlkEqWERlDNk:7eBh/LUSjW
Yara
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 83e243ebc2bf8871_urlclassifier3.sqlite
Filepath C:\Documents and Settings\zamen\Local Settings\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\urlclassifier3.sqlite
Size 32.0KB
Processes 860 (firefox.exe)
Type SQLite 3.x database, user version 5
MD5 658fbf0e1f75a8dd6c160eaed00b828d
SHA1 37f10d0cd480ec2fbd191a2b03d5c18980ad44c1
SHA256 83e243ebc2bf88718a911871463cf60fdb8640c34fc3f98595806cf6b251d750
CRC32 C35F5DFF
ssdeep 48:TY5MYNe0Itr56DlkEqWERlDNcRvgKm3t6:MSj+vmt6
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 5708c7af760fb1bd_cookies.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\cookies.sqlite-journal
Size 1.0KB
Processes 860 (firefox.exe)
Type data
MD5 b7136589c3290d21d4b26f8a6df20b14
SHA1 f69c36a1af7d1858842ef0efca1e859cd9ec7845
SHA256 5708c7af760fb1bd5159deab2c6bfbb105c15dcbf3d88a2530ff2cf3de1d3c9e
CRC32 2AC7414B
ssdeep 3:7FEGUR0YlFh//ll:7+//
Yara None matched
Name 6fb8d7e72e41665b_formhistory.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\formhistory.sqlite-journal
Size 1.0KB
Processes 860 (firefox.exe)
Type data
MD5 9c84593508bd7534e67fd6e8796103e1
SHA1 5ec360df1a97b08887951d954797691f128b1357
SHA256 6fb8d7e72e41665b79a4adafd43f554b5261ef2be291216634a303b83c9da7d2
CRC32 96AA9134
ssdeep 3:7FEG2l/jAPtll:7+/l/jA
Yara None matched
Name a09c9549b0831fc6_sessionstore.js
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\sessionstore.js
Size 262.0B
Processes 860 (firefox.exe)
Type ASCII text, with no line terminators
MD5 2522137fe5a3bed858ca34d5c6efdeef
SHA1 55df6f4c1964ca2eaf6d3c78f261fa0c6e23d870
SHA256 a09c9549b0831fc67b831b72d66ef5c444929a757b6d6385e1babe745908aa61
CRC32 7828A837
ssdeep 6:0XzguGXq9u4RnqncUUWHpIfR09HlRvVGHu/Lqpkxh:0f9uPnlUWHE09FR9GHqOpa
Yara
  • contentis_base64 - This rule finds for base64 strings
Name e4b2e125d8c53055_places.sqlite
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\places.sqlite
Size 136.0KB
Processes 860 (firefox.exe)
Type SQLite 3.x database, user version 6
MD5 7190e6ff65a98f280c2f84ca076eec09
SHA1 7219a78f77dac1211ce5d98fb2288c8bff0c1a1b
SHA256 e4b2e125d8c53055e631220a25d5f6b242823758b71a98d86ac4a5e18106f830
CRC32 EC204F09
ssdeep 384:Z+nXql1HpOC/924uBu1Xu1Pu1ju1Zcqu1M:MXqr1/924uv
Yara
  • PEiD_00071_Anti007____NsPacK_Private_ - [Anti007 -> NsPacK Private]
  • PEiD_01086_Microsoft_Visual_C___8_0__MFC__ - [Microsoft Visual C++ 8.0 (MFC)]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • contentis_base64 - This rule finds for base64 strings
  • with_sqlite - Rule to detect the presence of SQLite data in raw image
Name 3b1dd2e52bb35105_bookmarks-2019-01-10.json
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\bookmarkbackups\bookmarks-2019-01-10.json
Size 3.9KB
Processes 860 (firefox.exe)
Type ASCII text, with very long lines, with no line terminators
MD5 dd5fff216ee4b43bf7aa6ae478f7d0ee
SHA1 af09a0ba763a1cee7719a7e42e0e1b4b05b569c9
SHA256 3b1dd2e52bb35105c955d7cca42f1603623973cc7a7d76ca0a0e659d930dd958
CRC32 C46AA46A
ssdeep 48:YRzwtJcwkt2zb26dP/rzXu/G6XAGyNjQNzNT56JS+L+DlwkAGZ+2p2zMzP:EK8ubTdrzXb6XAGx+LOl1twwD
Yara
  • contentis_base64 - This rule finds for base64 strings
Name d0f03060425508d6_downloads.sqlite-journal
Filepath C:\Documents and Settings\zamen\Application Data\Mozilla\Firefox\Profiles\xoq7susu.default\downloads.sqlite-journal
Size 1.0KB
Processes 860 (firefox.exe)
Type FoxPro FPT, blocks size 25559, next free block index 3654616569
MD5 f496384b1d44b1086ecc4e914e8cdd43
SHA1 2fd70bd4dedd21c810cb19a188a8cb55da0b3217
SHA256 d0f03060425508d6e886c6c2f9d196ab46f4f5fba060ddbbdc4c701badaef38c
CRC32 D7A0A0B7
ssdeep 3:7FEG2l/am//rll:7+/l/H/
Yara None matched
Sorry! No dropped buffers.
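Triage note on what this report actually shows. The "Processes created" entries record cmd.exe launching rundll32.exe with the shell32.dll export OpenAs_RunDLL (the "Open With" dialog Windows shows for an extension with no registered handler), and that rundll32.exe then launching Firefox on the shell.windows.com fileassoc redirect for Ext=pip (the "look for a program on the Web" step of that dialog). Every later artifact (Firefox profile files, the DNS queries to 192.168.128.111, the NetBIOS broadcasts to 192.168.128.255) follows from the browser start, not from code in the 144-byte sample. The zero-byte update.test entry in the dropped-files list carries the hashes of empty input. The script below is an added example, not part of the Cuckoo report or of Cuckoo's code; it takes the command lines, the UDP rows and one dropped-file hash copied from the report above, and the /24 subnet and the label names are assumptions made for illustration.

```python
"""Triage helpers for a sandbox report of a file with no registered extension handler.

Added example, not Cuckoo's own code. Inputs are copied from the report above;
the subnet and the label names are assumptions.
"""
import hashlib
import ipaddress
import re

# Copied from the "Processes created" entries of the report: (pid, parent pid, command line).
PROCESS_CREATIONS = [
    (1452, 1440, r'"C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\shell32.dll,OpenAs_RunDLL '
                 r'C:\DOCUME~1\zamen\LOCALS~1\Temp\2438437234472e54_groove12.pip'),
    (860, 1452, r'"C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url '
                r'"http://shell.windows.com/fileassoc/0409/xml/redir.asp?Ext=pip"'),
]

# Copied from the UDP table of the report: (src, sport, dst, dport).
UDP_ROWS = [
    ("192.168.128.102", 1025, "192.168.128.111", 53),
    ("192.168.128.102", 1057, "192.168.128.111", 53),
    ("192.168.128.102", 1060, "192.168.128.111", 53),
    ("192.168.128.102", 137, "192.168.128.255", 137),
    ("192.168.128.102", 138, "192.168.128.255", 138),
]

# Assumed sandbox network, inferred from the addresses above.
SANDBOX_NET = ipaddress.ip_network("192.168.128.0/24")

OPENAS_RE = re.compile(r"shell32\.dll,OpenAs_RunDLL\s+(?P<path>\S+)", re.IGNORECASE)
FILEASSOC_RE = re.compile(r'https?://shell\.windows\.com/fileassoc/[^"\s]*[?&]Ext=(?P<ext>\w+)', re.IGNORECASE)


def classify_command(cmdline):
    """Label a created-process command line by what the Windows shell is doing."""
    if OPENAS_RE.search(cmdline):
        return "openas_dialog"        # "Open With" dialog for a file with no handler
    if FILEASSOC_RE.search(cmdline):
        return "fileassoc_lookup"     # browser opened on the file-association lookup page
    return "other"


def unassociated_extension(events):
    """Return the extension Windows tried to look up because the sample had no handler,
    or None if the OpenAs_RunDLL -> shell.windows.com chain is absent.

    The chain is: some parent spawns rundll32 with OpenAs_RunDLL, and that rundll32
    (matched by pid) spawns a browser pointed at the fileassoc redirect.
    """
    openas_pids = {pid for pid, _ppid, cmd in events if classify_command(cmd) == "openas_dialog"}
    for _pid, ppid, cmd in events:
        m = FILEASSOC_RE.search(cmd)
        if m and ppid in openas_pids:
            return m.group("ext").lower()
    return None


def triage_udp(rows, local_net=SANDBOX_NET):
    """Label each UDP row; anything that is not DNS to a local resolver or a NetBIOS
    broadcast on the sandbox subnet is reported as 'external' and deserves a look."""
    labels = []
    for _src, _sport, dst, dport in rows:
        dst_ip = ipaddress.ip_address(dst)
        if dport == 53 and dst_ip in local_net:
            labels.append("dns_local_resolver")
        elif dport in (137, 138) and dst_ip == local_net.broadcast_address:
            labels.append("netbios_broadcast")
        else:
            labels.append("external")
    return labels


EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()


def is_empty_file(sha256_hex):
    """True when a dropped-file entry is the hash of zero bytes (a write-probe file, not payload)."""
    return sha256_hex.lower() == EMPTY_SHA256


if __name__ == "__main__":
    print("extension without handler:", unassociated_extension(PROCESS_CREATIONS))
    print("udp labels:", triage_udp(UDP_ROWS))
    print("update.test is empty:", is_empty_file("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
```

Run against this report the chain resolves to the extension "pip", all five UDP rows label as local resolver or NetBIOS noise, and the update.test hash is the empty-input hash; a row to any address outside the assumed subnet, or a created process that is neither the OpenAs dialog nor the fileassoc lookup, is what would justify raising the score beyond the 1.2 shown at the top of the report.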
Task ID 643
Mongo ID 5c37134a11d3080d16cded53
Cuckoo release 2.0-dev