Category: FILE
Started On: 2016-09-16 13:25:50.737546
Completed On: 2016-09-16 13:28:24.522582
Duration: 153 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2016-09-16 13:25:52
Shutdown On: 2016-09-16 13:28:23

File Details

File name 17c371b3b714e6ed4546661606708c812b0f4993.zip
File size 9811 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 390F7FF9
MD5 d68216d7b3adc1af18d7a6940995cc3a
SHA1 17c371b3b714e6ed4546661606708c812b0f4993
SHA256 3a23e216a46440f1f0c8624a2bc6e0a27dec73fd686d694c000d6fa5bea1fac1
SHA512 afe155c5f9fb320fab7543dd62cdf016d035226ff92980d0d1af9369626d1be0ca35b0397a5d08f0f531874fa585336b4e19e0e2334d3798777756f979a7daec
Ssdeep 192:6mekAX3d947cscdl08f/4jVBNxEi6CUUUqxjbkaQnR:6mBsH44HhGDoCiqxjQ1nR
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal
Scan Date: 2016-09-16 11:42:04
Detection Rate: 5/55

MetaFlows Scores

Metaflows Analysis Results (Signatures=0, Anomalies=0, PEiD=0, Yara=2, VT[1474032520]=100): Snort Events=0, AV Events=162
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND (81 identical hits on the submitted file)
DROPPED FILE - september_2016_details_~DD6B1288~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND (81 identical hits on the dropped file)

Signatures

recon_fingerprint

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

september_2016_details_~DD6B1288~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~DD6B1288~.js
  • C:\Windows\System32\wscript.exe
File-Opened
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~DD6B1288~.js
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\rsaenh.dll
  • C:\Users\Harry Dresden\
  • C:\Windows\System32\wscript.exe
Registry Key-Opened
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CLASSES_ROOT\.js
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Windows\System32\wscript.exe" C:\Users\HARRYD~1\AppData\Local\Temp\september_2016_details_~DD6B1288~.js PID: 2768, Parent PID: 5620

Volatility

Nothing to display.