Category FILE
Started On 2018-07-23 09:48:57.350504
Completed On 2018-07-23 09:50:50.764457
Duration 113 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2018-07-23 09:48:58
Shutdown On 2018-07-23 09:50:50

File Details

File name b099958f228958c19d93cfc904309fc3d09a3cbe.EXE
File size 2888552 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 2BF61EC0
MD5 60900237c80db8b9c67fd8d7626e0e3c
SHA1 b099958f228958c19d93cfc904309fc3d09a3cbe
SHA256 b319d6445a63a9528e9df02ea0a31487c673fb65dc102c40f1c219e5823f2727
SHA512 7ae76c88f68b34d0cfd091753a7f593915f0c13d7bf18e020463a7192f81f3c91c3e0d7ba5fbc234490dd117b2cd85d0f0df82796a8b36507296eca46ee579dc
Ssdeep None
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1532353870]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
2d84f8b1f481e03be5ca35960cfa6a1afeb6e22e [BUFFER]: shellcode

Signatures

has_pdb details
locates_browser details
antivm_memory_available details
dumped_buffer details
openprocess_nonchild details
Roaming_Profile_Modified details
network_bind details
allocates_rwx details
infostealer_browser details
antivm_network_adapters details
packer_entropy details
injection_duplicate_handle details
Windows_Proxy_Tinkering details
Startup_Added_to_Registry details
nolookup_communication details
persistence_autorun details

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

2bd9cc8294944345_ZMG6A9.tmp

9d837012accb25f8_ZMG6BA.tmp

4529802a89196396_ZMG6CA.tmp

c14f63d68f1637a3_ZMG6DB.tmp

ac7e24f926ea8fdd_sessionstore.bak

a84e9b942c0cd976_urlclassifier3.sqlite-journal

05b9d55fa713061f_5f29dd01

2cc8878b0a6be70a_cookies.sqlite

68b3969e29ab3ddd_cert8.db

b0d5f264eafe92ad_zmg698.tmp

627f3c197b786fd9_ef41dd01

5e2bd85924a70229_e1d04d01

0c4ba617a34f31ed__cache_001_

2a3cd168b7938df6_places.sqlite

be5ee153db6b78f8_cookies.sqlite-wal

e44cbfc73da262b7__cache_003_

5784efe8f871db46_d006ad01

30f16492dabd4c1d_b86aad01

4edb78d661fe9cb1_defaultpack.log

29722e78798dc10f_sessionstore.js

c39082ff681b7212_urlclassifier3.sqlite

c62f94dad2c44e2c_urlclassifierkey3.txt

0c011f02b7fe8572_places.sqlite-wal

dde3a51d28acdde6_prefs.js

6c6a8617ec104c7a__cache_002_

a4faf31cbef0a001_85bdfd01

3ba628ceff8ed54d_browserconfig.xml

a3bb17937d47a05e__cache_map_

4850993e5bc68ca8_urlclassifier.pset

0a7cc3584b4e528e_defaultsetup.log

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\search.json
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifierkey3.txt
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\places.sqlite-wal
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\content-prefs.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\downloads.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\compatibility.ini
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_001_
  • C:\Program Files (x86)\Mozilla Firefox\components\binary.manifest
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier3.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\extensions.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\permissions.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
  • C:\Program Files (x86)\Mozilla Firefox\chrome.manifest
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\places.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cookies.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20120420145725
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_003_
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\pluginreg.dat
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_002_
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_MAP_
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cookies.sqlite-wal
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\Program Files (x86)\Mozilla Firefox\dependentlibs.list
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\localstore.rdf
  • C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier.pset
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore.js
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Logo.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\InstallerConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6BA.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6DB.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6A9.tmp
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG698.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6CA.tmp
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BrowserConfig.xml
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\twitter.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Program Files (x86)\Mozilla Firefox\omni.ja
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\search.sqlite
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\DefaultSetup\BrowserConfig.xml
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_002_
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\places.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cookies.sqlite-wal
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_003_
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\C\6C\5F29Dd01
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\E\70\85BDFd01
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier3.sqlite-journal
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\5\23\D006Ad01
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier3.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore-1.js
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_MAP_
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifierkey3.txt
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\places.sqlite-wal
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\7\BA\B86AAd01
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cookies.sqlite
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\E\E0\EF41Dd01
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\6\70\E1D04d01
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_001_
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier.pset
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Logo.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\InstallerConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Logo_zh-cn.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BingSvc.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Pack.ico
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6BA.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6DB.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6A9.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6CA.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BrowserConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG698.tmp
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\DefaultPack\DefaultPack.log
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\DefaultSetup\DefaultSetup.log
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\DefaultSetup\BrowserConfig.xml
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier3.sqlite-journal
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore.bak
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6A9.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6CA.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6BA.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6DB.tmp
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\search.json
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\startupCache\startupCache.4.little
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\places.sqlite-wal
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\content-prefs.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\downloads.sqlite
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\E\E0\EF41Dd01
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_001_
  • C:\Program Files (x86)\Mozilla Firefox\components\binary.manifest
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier3.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\compatibility.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\extensions.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\permissions.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\channel-prefs.js
  • C:\Program Files (x86)\Mozilla Firefox\chrome.manifest
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\places.sqlite
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cookies.sqlite
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Crash Reports\InstallTime20120420145725
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\pluginreg.dat
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_003_
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Windows\System32\wship6.dll
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_002_
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\_CACHE_MAP_
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cookies.sqlite-wal
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\signons.sqlite
  • C:\Program Files (x86)\Mozilla Firefox\dependentlibs.list
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\localstore.rdf
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifierkey3.txt
  • C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\urlclassifier.pset
  • C:\Program Files (x86)\Mozilla Firefox\omni.ja
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore.js
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Logo.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\zlib1.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Logo_zh-cn.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BingSvc.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE
  • C:\Windows
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\sqlite3.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BrowserConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Pack.ico
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\InstallerConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Logo.png
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\InstallerConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6BA.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6DB.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6A9.tmp
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\bing.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG698.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\ZMG6CA.tmp
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\wikipedia.xml
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\eBay.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\google.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BrowserConfig.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\search.sqlite
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\yahoo.xml
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\twitter.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Program Files (x86)\Mozilla Firefox\omni.ja
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\Pack.ico
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\amazondotcom.xml
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\profiles.ini
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\prefs.js
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\DefaultSetup\BrowserConfig.xml
File-Copied
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore.js -> C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore.bak
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BrowserConfig.xml -> C:\Users\Harry Dresden\AppData\Local\Microsoft\DefaultSetup\BrowserConfig.xml
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\BingSvc.exe -> C:\Users\Harry Dresden\AppData\Local\Microsoft\BingSvc\BingSvc.exe
File-Moved
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore-1.js -> C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\sessionstore.js
Network-Connects IP
  • 172.217.14.110
  • 13.65.107.32
  • 204.79.197.219
  • 40.90.218.0
  • 23.57.49.252
  • 72.21.81.200
  • 66.235.134.196
  • 104.18.25.243
  • 72.21.91.29
  • 104.75.157.33
  • 127.0.0.1
Network-Fetches URL
  • http://g.ceipmsn.com/8SE/44?MI=3FAE3EE00CC34B5982E1592C83A6CE17&LV=1.7.63.0&OS=6.1.7601.1&TE=22&TV=isU143%7cpkInProductUNIWIN%7crt2%7ctmen-us%7cdbMF12.0%20(en-US)%7chdMF12.0%20(en-US)%2c1%7csdMF12.0%20(en-US)%2c2%7cpo4%7cse%7cbu0%7cfc1%7chpMF12.0%20(en-US)%2c1%7cpf%7cdfDHP%2cMF12.0%20(en-US)%2c1%7clc%7cld%7clt%7ccd2018-07-23%7cct15:49:21:461%7cabMF%7csbIE%2cMF%2cGC%2cAS%7cio%7cir%7cui1%7crc0%7cbs1
  • http://g.ceipmsn.com/8SE/44?MI=3FAE3EE00CC34B5982E1592C83A6CE17&LV=1.7.63.0&OS=6.1.7601.1&TE=23&TV=isU143%7cpkInProductUNIWIN%7crt1%7ctmen-us%7chdMF12.0%20(en-US)%2c1%7csdMF12.0%20(en-US)%2c0%7cse%7chpMF12.0%20(en-US)%2c1%7ccd2018-07-23%7cct15:49:21:461
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\C\6C
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\7\BA
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\5\23
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox
  • C:\Users\Harry Dresden\AppData\Local\Mozilla
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\E
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\5
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\7
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\6
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\C
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\6\70
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\startupCache
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\Cache\E\70
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\BingSvc
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\DefaultPack
  • C:\Users\Harry Dresden\AppData\Local\Microsoft
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\DefaultSetup
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\DefaultSetup
Directory-Removed
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\
Directory-Enumerated
  • C:\Program Files (x86)\Mozilla Firefox\extensions\*
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\*
  • C:\Program Files (x86)\Mozilla Firefox\defaults\pref\*
  • C:\Program Files (x86)\Adobe\Reader 11.0\Reader\Browser\*
  • C:\Windows\System32\Wat\*
  • c:\Program Files (x86)\Microsoft Silverlight\5.1.30214.0\*
  • C:\Program Files (x86)\Java\jre7\bin\plugin2\*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\cert8.db
  • C:\Program Files (x86)\Java\jre7\bin\dtplugin\*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\secmod.db
  • C:\Users\Harry Dresden\AppData\Local\Mozilla\Firefox\Profiles\451jog5r.default\*
  • C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}\*
  • C:\Program Files (x86)\Mozilla Firefox\firefox.exe
  • C:\Program Files (x86)\Windows Media Player\*
  • C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\*
  • C:\Windows\SysWOW64\Macromed\Flash\*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\key3.db
  • C:\Program Files (x86)\Microsoft Office\root\Office16\*
  • C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\IXP000.TMP\*
  • C:\Users\Harry Dresden\AppData\Roaming\Mozilla\Firefox\Profiles\451jog5r.default\searchplugins\*.xml
  • C:\Program Files (x86)\Mozilla Firefox\searchplugins\*.xml
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\BingSvc\*.*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\Software\JavaSoft\Java Runtime Environment
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
  • HKEY_CURRENT_USER\Software\Synaptics\SynTPEnh\UltraNavPS2
  • HKEY_CURRENT_USER\Software\Lenovo\TrackPoint
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\FileAssociations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BFE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}\Properties
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\msasn1
  • HKEY_CURRENT_USER\Software\Elantech\MainOption
  • HKEY_CLASSES_ROOT\HTTP\shell\open\command
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\TaskBarIDs
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DnsCache\Parameters
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.67.2
  • HKEY_CURRENT_USER\Interface\{00000134-0000-0000-C000-000000000046}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\Software\mozilla.org\Mozilla
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\(Default)
  • HKEY_LOCAL_MACHINE\Software\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities
  • HKEY_CURRENT_USER\Software\Synaptics\SynTPEnh\UltraNavUSB
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer
  • HKEY_CLASSES_ROOT\FirefoxURL\shell\open\command
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c6d7411d-2953-4ff2-8cfc-84d585d466dc}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml
  • HKEY_CURRENT_USER\Software\Lenovo\UltraNav
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\firefox.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\(Default)
  • HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSClient
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\(Default)
  • HKEY_LOCAL_MACHINE\Software\MozillaPlugins
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp
  • HKEY_CURRENT_USER\SOFTWARE\Clients\StartMenuInternet
  • HKEY_CURRENT_USER\Software\Alps\Apoint\TrackPoint
  • HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\App Paths\QuickTimePlayer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\Adobe Reader
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\URLAssociations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm
  • HKEY_CLASSES_ROOT\HTTPS\DefaultIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications
  • HKEY_CLASSES_ROOT\FirefoxHTML\shell\open\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
  • HKEY_CURRENT_USER\Software\MozillaPlugins
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.67.2
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\StartMenu
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles
  • HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\crypt32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FontCache\Parameters
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CLASSES_ROOT\HTTPS\shell\open\command
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ClusSvc
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
  • HKEY_LOCAL_MACHINE\Software\Cisco Systems\VPN Client
  • HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\Capabilities\MIMEAssociations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\InstallPath
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM
  • HKEY_LOCAL_MACHINE\software\Adobe\Acrobat Reader
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice
  • HKEY_CURRENT_USER\Software\Elantech
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7.0_67
  • HKEY_CLASSES_ROOT\HTTP\DefaultIcon
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Advanced INF Setup
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
  • HKEY_CURRENT_USER\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
  • HKEY_CURRENT_USER\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\DefaultPack.EXE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_CURRENT_USER\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance\Disabled
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox\12.0 (en-US)\Main
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc
  • HKEY_CLASSES_ROOT\CLSID\{FAE3D380-FEA4-4623-8C75-C6B61110B681}\Instance
  • HKEY_CURRENT_USER\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\DefaultPack.EXE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_CURRENT_USER\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
  • HKEY_CURRENT_USER\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Firefox
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
  • HKEY_CURRENT_USER\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
  • HKEY_CURRENT_USER\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
  • HKEY_CURRENT_USER\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
  • HKEY_CURRENT_USER\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc
Registry Key-Deleted
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\!DefaultSetup
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\FontCache\Parameters\ClientCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf\Path
  • HKEY_CURRENT_USER\HTTPS\DefaultIcon\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}\Protocol
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\Adobe Reader\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\RegisteredApplications\Firefox
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles\camp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Firefox\TaskBarIDs\C:\Program Files (x86)\Mozilla Firefox
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}\Properties\{5a9125b7-f367-4924-ace2-0803a4a3a471},0
  • HKEY_CURRENT_USER\FirefoxURL\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/GENUINE\Path
  • HKEY_CURRENT_USER\HTTP\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\ftp\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/DTPlugin,version=10.67.2\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c6d7411d-2953-4ff2-8cfc-84d585d466dc}\Protocol
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\1.7.0_67\JavaHome
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001\ProfileEnumMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles\ri
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Domain
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\InstallPath\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}\Role:1
  • HKEY_CURRENT_USER\FirefoxHTML\shell\open\command\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\JavaSoft\Java Runtime Environment\BrowserJavaVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice\Progid
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles\sRGB
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice\Progid
  • HKEY_CURRENT_USER\HTTPS\shell\open\command\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}\Properties\{f3e80bef-1723-4ff2-bcc4-7f83dc5e46d4},3
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_CURRENT_USER\Software\Clients\StartMenuInternet\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{8b7dc9e0-308d-4c61-9892-407cb546a9c7}\DeviceState
  • HKEY_CURRENT_USER\HTTP\DefaultIcon\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Hostname
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wmplayer.exe\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@adobe.com/FlashPlayer\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\RegisteredProfiles\rip
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\MediaPlayer\Installation Directory
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@java.com/JavaPlugin,version=10.67.2\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\MMDevices\Audio\Render\{c6d7411d-2953-4ff2-8cfc-84d585d466dc}\DeviceState
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@microsoft.com/SharePoint,version=14.0\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\mozilla.org\Mozilla\CurrentVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDate
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E96E-E325-11CE-BFC1-08002BE10318}\0001\ICMProfile
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\70F6B3D
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Advanced INF Setup\AdvpackLogFile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\PartnerCode
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\MachineID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Control Panel\International\Geo\Nation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\InstallDate
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\InstallTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Main\Install Directory
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BingSvc
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\ExtensionType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\CurrentVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\12.0 (en-US)\Main\PathToExe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\!DefaultSetup
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\MBCSAPIforCrack
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\DefaultSetup.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\WaitTime
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\BingSvcVersion
Registry Key-Written
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BingSvc
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\ExtensionType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\!DefaultSetup
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\InstallTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\MachineID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\InstallDate
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\InstallDate
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\InstallTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\PartnerCode
  • HKEY_CURRENT_USER\Software\Microsoft\DefaultPack\MachineID
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\PartnerCode
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\BingSvc\BingSvcVersion
Mutex-Accessed
  • Local\FirefoxStartupMutex
  • Global\{5549DE9B-1BA9-4FAB-B319-440CD62BFAE1}
  • Global\{EE7F7170-78C7-403D-BAF9-D8DAB184BA5E}_shardrealm_harry dresden

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Users\Harry Dresden\AppData\Local\Temp\b099958f228958c19d93cfc904309fc3d09a3cbe.EXE" PID: 2212, Parent PID: 1324

C:\Users\HARRYD~1\AppData\Local\Temp\IXP000.TMP\DefaultPack.EXE PID: 3016, Parent PID: 2212

"C:\Users\Harry Dresden\AppData\Local\Microsoft\DefaultSetup\DefaultSetup.exe" PID: 2928, Parent PID: 3016

"C:\Users\Harry Dresden\AppData\Local\Microsoft\BingSvc\BingSvc.exe" PID: 3300, Parent PID: 3016

"C:\Program Files (x86)\Mozilla Firefox\firefox.exe" https://g.msn.com/1ewenusDefaultPack/U143_WPage PID: 1568, Parent PID: 3016

Volatility

Nothing to display.