Category: FILE
Started On: 2016-08-22 14:20:08.364564
Completed On: 2016-08-22 14:22:44.896964
Duration: 156 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo
Label: win7 Clone 1
Manager: VirtualBox
Started On: 2016-08-22 14:20:08
Shutdown On: 2016-08-22 14:22:43

File Details

File name b69988f6f9e792d8bdcc61e1637f01461e643fc5.zip
File size 8538 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 4CD4D121
MD5 687ed759fb47e21625cf816feaf02db4
SHA1 b69988f6f9e792d8bdcc61e1637f01461e643fc5
SHA256 b6ea3cea559324bfa4aa8de21252f38b9a98aa5193a4dd08463c48d256e1e3f5
SHA512 17b2b2b91867928c3f8d1a06020f3736295e59092ad661ee95c61cf224b1c0066950067307f557e12f0304c380510341adb3f4ed0502af326df86fadce3cd8ac
Ssdeep 192:hzD6FE2Oac3f6hwxVLrC99Ac3PBaBELxZE1Hk6aJKC6S2:kLO1uwK9Aiy1HkNVb2
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal Scan Date: 2016-08-22 14:19:31
Detection Rate: 6/56

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1471875792]=100): Snort Events=1, AV Events=182
Total Score=100

SNORT EVENTS:
ET DROP Spamhaus DROP Listed Traffic Inbound group 5

CLAMAV DETECTED:
Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - export_pdf_ da883ba1~.js: Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND

Signatures

recon_fingerprint
dumped_buffer
Windows_Connection_Settings_Accessed
Windows_Proxy_Tinkering
network_wscript_downloader
exploit_heapspray

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

d54b6530624cd228_cyb3aovmtx81wn

export_pdf_ da883ba1~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\System32\wshom.ocx
  • C:\Windows\System32\wscript.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\cyb3aOvmtx81wN
  • C:\Windows\System32\msxml3.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ da883ba1~.js
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\cyb3aOvmtx81wN
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\6nmrv[1]
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\Windows\System32\wshom.ocx
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ da883ba1~.js
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\cyb3aOvmtx81wN
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Windows\System32\wscript.exe
Network-Connects Host
  • platimunjinoz.ws
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y
Registry Key-Opened
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http\
  • HKEY_CURRENT_USER\Software
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CLASSES_ROOT\.js
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSXML2.XMLHTTP\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\ComSpec
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADODB.Stream\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
Mutex-Accessed
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Windows\System32\wscript.exe" "C:\Users\HARRYD~1\AppData\Local\Temp\export_pdf_ da883ba1~.js" PID: 3760, Parent PID: 4564

Volatility

Nothing to display.