Category: FILE
Started On: 2016-08-22 15:05:12.682260
Completed On: 2016-08-22 15:08:22.912882
Duration: 190 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2016-08-22 15:05:13
Shutdown On: 2016-08-22 15:08:22

File Details

File name 000dc75d296db0a9ee1b5d872a0a58ee0250beb3.zip
File size 8636 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 CA0D8DD3
MD5 c68c367f54467dca199d6c20b6758b32
SHA1 000dc75d296db0a9ee1b5d872a0a58ee0250beb3
SHA256 e1b4810b316b2e325a3c8a8c334f2a787e891aa708f1ed217c1c3dbe1d7adc36
SHA512 3c3312ba31cb7ab46ae9d0732d103dbca230c241db4d9cd1fa633e88f16fe36798cd58a91887115bc59dae5c53bee1b4c9f17851e56d35b932732b9cc2adda6e
Ssdeep 192:W0PEqZ57QekFL15o1jOkcfPcslHpQOt2A2Alc:TEqZ+e0vo1Sk9EHpRa
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal Scan Date: 2016-08-22 15:00:39
VirusTotal Detection Rate: 10/56
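The Yara hit above (PM_Zip_with_js) is a static check for exactly this lure: a small ZIP whose member is a Windows Script Host file that wscript.exe will run on double-click. The following is an added example, not code from MetaFlows, Cuckoo or the Yara rule itself; it shows the same check done against the ZIP central directory in Python without extracting anything. The sample archive is constructed inside the code (the member name is the one this report lists under Dropped Files, its body is a harmless placeholder, not the malware), and the extension list is an assumption about what such a rule should cover.

```python
import io
import os
import zipfile
from typing import Dict, List, Tuple

# Assumed list: extensions that wscript.exe / cscript.exe / mshta.exe execute
# directly. A lure of this kind ships one of these as the only archive member.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}


def script_members(zip_bytes: bytes) -> List[Tuple[str, int, bool]]:
    """Return (name, uncompressed size, encrypted?) for every member whose
    final extension is a script-host type. Only the central directory is
    read, so a malicious payload is never written to disk. A double
    extension such as invoice.pdf.js still ends in .js and is caught."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                encrypted = bool(info.flag_bits & 0x1)  # general-purpose bit 0
                found.append((info.filename, info.file_size, encrypted))
    return found


def classify(zip_bytes: bytes) -> str:
    """'zip_with_script_only' is the phishing pattern: every file in the
    archive is a script. 'zip_with_script' means scripts mixed with other
    content, which deserves a look but is not automatically a lure."""
    hits = script_members(zip_bytes)
    if not hits:
        return "clean"
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
    return "zip_with_script_only" if len(members) == len(hits) else "zip_with_script"


def build_zip(members: Dict[str, str]) -> bytes:
    """Constructed test archive: member name -> text body, built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed sample mirroring this report: a single .js member. The body is
# a placeholder string, not the dropped script's contents.
SAMPLE_MEMBERS = {"export_pdf_ 6560cc5a~.js": "WScript.Echo('placeholder');"}

if __name__ == "__main__":
    sample = build_zip(SAMPLE_MEMBERS)
    print(script_members(sample))
    print(classify(sample))
```

Run it as a mail-gateway or sandbox pre-filter: an archive that classifies as zip_with_script_only can be quarantined before detonation, and the encrypted flag tells you when the member is password-protected (a common trick to defeat exactly this kind of inspection) so the scan result cannot be trusted as "clean".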

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1471878534]=100): Snort Events=0, AV Events=184
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND (this line is repeated 92 times in the raw report)
DROPPED FILE - export_pdf_ 6560cc5a~.js: Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND (this line is repeated 92 times in the raw report; 184 AV events in total)

Signatures

  • recon_fingerprint
  • dumped_buffer
  • Windows_Connection_Settings_Accessed
  • Windows_Proxy_Tinkering
  • network_wscript_downloader
  • exploit_heapspray
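The signature names above are Cuckoo's, and the page does not show the logic behind them. As an added example (not Cuckoo's or MetaFlows' code), the triage below implements plausible matching logic for four of them and runs it over a behavior summary constructed from the entries this report lists under Behavior Summary: the .js read from the user's Temp directory, the write under Temporary Internet Files\Content.IE5 (where WinINet-backed downloads such as MSXML2.XMLHTTP land), the connection to technobuz.com, the deleted proxy values and the read of Connections\DefaultConnectionSettings. The rule names are reused for readability; the regular expressions, and attributing the activity to wscript.exe (inferred from the FeatureControl\...\wscript.exe registry reads), are assumptions. A second, benign summary shows that the same cache write by a browser does not fire.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BehaviorSummary:
    """Subset of a Cuckoo behavior summary, keyed the way this report is."""
    process: str
    file_read: List[str] = field(default_factory=list)
    file_written: List[str] = field(default_factory=list)
    hosts: List[str] = field(default_factory=list)
    registry_read: List[str] = field(default_factory=list)
    registry_deleted: List[str] = field(default_factory=list)


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Assumed patterns (not Cuckoo's own signature code).
WININET_CACHE = re.compile(r"\\Temporary Internet Files\\Content\.IE5\\|\\INetCache\\", re.I)
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.(?:js|jse|vbs|vbe|wsf)$", re.I)
PROXY_VALUES = re.compile(
    r"\\Internet Settings\\(?:.*\\)?"
    r"(?:ProxyServer|ProxyOverride|ProxyEnable|AutoConfigURL|AutoDetect|WpadDetectedUrl)$",
    re.I,
)
CONN_SETTINGS = re.compile(r"\\Internet Settings\\Connections\\DefaultConnectionSettings$", re.I)


def triage(b: BehaviorSummary) -> Dict[str, List[str]]:
    """Return {signature_name: [evidence, ...]} for the rules that fire."""
    findings: Dict[str, List[str]] = {}
    is_script_host = b.process.lower() in SCRIPT_HOSTS

    # A script host executing a script out of %TEMP% is the lure itself running.
    temp_scripts = [p for p in b.file_read if TEMP_SCRIPT.search(p)]
    if is_script_host and temp_scripts:
        findings["script_executed_from_temp"] = temp_scripts

    # Script host + outbound host + a new file in the WinINet cache: the
    # script fetched a payload via an HTTP COM object.
    cache_writes = [p for p in b.file_written if WININET_CACHE.search(p)]
    if is_script_host and cache_writes and b.hosts:
        findings["network_wscript_downloader"] = [
            f"{h} -> {p}" for h in b.hosts for p in cache_writes
        ]

    # Deleting proxy / WPAD values clears any inspection proxy the user had.
    proxy = [k for k in b.registry_deleted if PROXY_VALUES.search(k)]
    if proxy:
        findings["Windows_Proxy_Tinkering"] = proxy

    conn = [k for k in b.registry_read if CONN_SETTINGS.search(k)]
    if conn:
        findings["Windows_Connection_Settings_Accessed"] = conn
    return findings


# Constructed from the Behavior Summary entries in this report.
SAMPLE = BehaviorSummary(
    process="wscript.exe",
    file_read=[
        r"C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 6560cc5a~.js",
        r"C:\Windows\System32\msxml3.dll",
    ],
    file_written=[
        r"C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\f6sg7[1]",
    ],
    hosts=["technobuz.com"],
    registry_read=[
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings",
    ],
    registry_deleted=[
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl",
    ],
)

# Constructed benign control: a browser writing to its own cache.
BENIGN = BehaviorSummary(
    process="iexplore.exe",
    file_written=[r"C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ABCD1234\index[1]"],
    hosts=["example.com"],
)

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, hits)
    print("benign:", triage(BENIGN))
```

The point of keying the downloader rule on the process name is precision: Content.IE5 writes are routine for any WinINet client, so the rule only becomes interesting when the client is a script host, which is also the right pivot for a hunt query on endpoint telemetry (wscript.exe or cscript.exe with a network connection and a write under the WinINet cache).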

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

60bc9554a64ac7ba_3zpzbnffjiyi5m7

export_pdf_ 6560cc5a~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\3ZpZbNffjiYi5m7
  • C:\Windows\System32\wshom.ocx
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 6560cc5a~.js
  • C:\Windows\System32\wscript.exe
  • C:\Windows\System32\msxml3.dll
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\3ZpZbNffjiYi5m7
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\f6sg7[1]
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\3ZpZbNffjiYi5m7
  • C:\Windows\System32\wshom.ocx
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 6560cc5a~.js
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Windows\System32\wscript.exe
Network-Connects Host
  • technobuz.com
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y
Registry Key-Opened
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http\
  • HKEY_CURRENT_USER\Software
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CLASSES_ROOT\.js
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSXML2.XMLHTTP\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\ComSpec
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADODB.Stream\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
Mutex-Accessed
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Windows\System32\wscript.exe" "C:\Users\HARRYD~1\AppData\Local\Temp\export_pdf_ 6560cc5a~.js" PID: 6036, Parent PID: 5272

Volatility

Nothing to display.