'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2016-09-16 12:01:33.322872 2016-09-16 12:05:39.890662 246 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo win7 Clone 1 VirtualBox 2016-09-16 12:01:33 2016-09-16 12:05:39

File Details

File name 2e965279c320e863d6be76f91e439bf47911d190.zip
File size 9718 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 66D787D8
MD5 39bf0e63c3305684b6c4f125e03bc426
SHA1 2e965279c320e863d6be76f91e439bf47911d190
SHA256 30e71e05a27aa8bd482eb900492ef70b95e601187e894d8d2a21841d206ac89e
SHA512 b7ac63eee49532d40e28ad86283dc9e7cd4d69f39590096c330c56a459b0534893286e66c90ff93427f18b95ba3eb7ae7edcc03077f80bf38e6d93982b61ca76
Ssdeep 192:vw8y1+msZ5csKX9pUyjg3p2UfACipSbo8Vh4nJ+0zrUk+mT:vALsZ6sKbxjmpLfmgknJ+0zwmT
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal Permalink
VirusTotal Scan Date: 2016-09-16 11:11:54
Detection Rate: 4/55 (Expand)

MetaFlows Scores

Metaflows Analysis Results (Signatures=0, Anomalies=0, PEiD=0, Yara=2, VT[1474027553]=100): Snort Events=0, AV Events=162
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~2051BF~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND

Signatures

recon_fingerprint details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

september_2016_details_~2051BF~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~2051BF~.js
  • C:\Windows\System32\wscript.exe
File-Opened
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~2051BF~.js
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\wscript.exe
Registry Key-Opened
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CLASSES_ROOT\.js
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Windows\System32\wscript.exe" C:\Users\HARRYD~1\AppData\Local\Temp\september_2016_details_~2051BF~.js PID: 4672, Parent PID: 4912

Volatility

Nothing to display.