Category FILE
Started On 2016-08-22 12:20:48.094808
Completed On 2016-08-22 12:23:56.763219
Duration 188 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo2
Label win7 Clone 2
Manager VirtualBox
Started On 2016-08-22 12:20:48
Shutdown On 2016-08-22 12:23:56

File Details

File name a07b3900795ebdc21983e1052bc6f641d33413d3.zip
File size 8515 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 835B0E6F
MD5 1354e44193987dc0e5f8530712e0b489
SHA1 a07b3900795ebdc21983e1052bc6f641d33413d3
SHA256 5ccb9603b1966a37c584b0c217bd08131f396f36d7f3611f68ed7d05ddb6d442
SHA512 08b8058ab5cf29c8751c33f67d41e6058d01db76bb0cb34282ccd8d5892c03f3d770906917bdcc7082c771e7232ac1185c96ce8d4f9441d5c8cb5d4d50dfb96f
Ssdeep 192:Fkd2lBllHfpfpZjzJ2ktmFvuxM7VR3STc/W96/rVpHfn:Kd2LHZrJ2kQVwcCTc/W9UnH/
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal
VirusTotal Scan Date: 2016-08-22 12:16:26
Detection Rate: 5/55

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1471868671]=100): Snort Events=0, AV Events=182
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - export_pdf_ 2e8cae14~.js: Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND

Signatures

recon_fingerprint details
dumped_buffer details
Windows_Connection_Settings_Accessed details
Windows_Proxy_Tinkering details
network_wscript_downloader details
exploit_heapspray details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

44a4baa923ad138d_tzpwhw9s[1].txt

export_pdf_ 2e8cae14~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\System32\wshom.ocx
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 2e8cae14~.js
  • C:\Windows\System32\wscript.exe
  • C:\Windows\System32\msxml3.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\pYLwMimMh9
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\tzpwhw9s[1].txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\pYLwMimMh9
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\Windows\System32\wshom.ocx
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 2e8cae14~.js
  • C:\Windows\System32\wscript.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\pYLwMimMh9
Network-Connects Host
  • hdjung.homepage.t-online.de
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y
Registry Key-Opened
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http\
  • HKEY_CURRENT_USER\Software
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CLASSES_ROOT\.js
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSXML2.XMLHTTP\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\ComSpec
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADODB.Stream\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
Mutex-Accessed
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Windows\System32\wscript.exe" "C:\Users\HARRYD~1\AppData\Local\Temp\export_pdf_ 2e8cae14~.js" PID: 3432, Parent PID: 4624

Volatility

Nothing to display.