Category FILE
Started On 2016-08-22 12:11:24.068257
Completed On 2016-08-22 12:14:28.472648
Duration 184 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo2
Label win7 Clone 2
Manager VirtualBox
Started On 2016-08-22 12:11:24
Shutdown On 2016-08-22 12:14:27

File Details

File name f4c34513661c88fd9b58bae22b0a8cc85c16bfe7.zip
File size 8498 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 060075F5
MD5 21107eb44f00a7152831f007c7827c9b
SHA1 f4c34513661c88fd9b58bae22b0a8cc85c16bfe7
SHA256 a5cc41a266484ab458396b5d1020295b1ad754bd9190667b1607dd85c4cf647c
SHA512 894bd9b5b76f523771dbf390a7b706e7deb94d2b72f4d8a7fd1ebb6e04bb9cd5b8c8fa966b77fc2d156a67d78c8f0dae719436533eacbec5118820844dca0214
Ssdeep 192:M27dP6dFqTA8oZmTv8BIaWsnY34u1DguvnsJhtpk38pRz4:MiSdosNZmD/aWAYxcukJ+38pRE
PEiD None matched
Yara
  • PM_Zip_with_js
VirusTotal Scan Date 2016-08-22 12:08:52
VirusTotal Detection Rate 4/56

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1471868107]=100): Snort Events=0, AV Events=182
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND (reported 91 times against the submitted archive)
DROPPED FILE - export_pdf_ 5c4f92d5~.js: Sanesecurity.Malware.26301.JsHeur.UNOFFICIAL FOUND (reported 91 times; the 182 hits together are the "AV Events=182" in the score line above)

Signatures

recon_fingerprint
dumped_buffer
Windows_Connection_Settings_Accessed
Windows_Proxy_Tinkering
network_wscript_downloader
exploit_heapspray

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

d54b6530624cd228_chswhm5tzecxsbs

export_pdf_ 5c4f92d5~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\System32\wshom.ocx
  • C:\Users\Harry Dresden\AppData\Local\Temp\chSWHM5TZecxSbS
  • C:\Windows\System32\wscript.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 5c4f92d5~.js
  • C:\Windows\System32\msxml3.dll
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\chSWHM5TZecxSbS
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y\6nmrv[1]
File-Opened
  • C:\Windows\System32\wshqos.dll
  • C:\Windows\System32\wshom.ocx
  • C:\Users\Harry Dresden\AppData\Local\Temp\export_pdf_ 5c4f92d5~.js
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\en-US\wshqos.dll.mui
  • C:\Windows\System32\en-US\wshtcpip.dll.mui
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\msxml3.dll
  • C:\Windows\System32\en-US\wship6.dll.mui
  • C:\Users\Harry Dresden\AppData\Local\Temp\chSWHM5TZecxSbS
  • C:\Windows\System32\wscript.exe
Network-Connects Host
  • platimunjinoz.ws
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YLC2QM2Y
Registry Key-Opened
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\http\
  • HKEY_CURRENT_USER\Software
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CLASSES_ROOT\.js
  • HKEY_LOCAL_MACHINE\Software\Policies
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
  • HKEY_LOCAL_MACHINE\Software
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Pre Platform
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_USE_IETLDLIST_FOR_DOMAIN_DETERMINATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
  • HKEY_CURRENT_USER\Software\Policies
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_URLMON_IQDA_SIZE
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform
  • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\UrlMon Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_CERT_WARNINGS_ON_POST_FROM_ISTREAM_KB2894776
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ConnectTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ReceiveTimeOut
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSXML2.XMLHTTP\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableUTF8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SendTimeOut
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WScript.Shell\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\wscript.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameMerging
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FrameTabWindow
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER\*
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0\win64\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\Environment\ComSpec
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Platform
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADODB.Stream\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Compatible
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\ProgID\(Default)
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\AdminTabProcs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\TabProcGrowth
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
Mutex-Accessed
  • Local\ZonesCacheCounterMutex
  • Local\ZonesLockedCacheCounterMutex

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Windows\System32\wscript.exe" "C:\Users\HARRYD~1\AppData\Local\Temp\export_pdf_ 5c4f92d5~.js" PID: 6128, Parent PID: 5284

Volatility

Nothing to display.