Category: FILE
Started On: 2016-09-16 13:28:25.070272
Completed On: 2016-09-16 13:30:52.870828
Duration: 147 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2016-09-16 13:28:26
Shutdown On: 2016-09-16 13:30:51

File Details

File name 31959b1a18c47e4af219352e54f0959f99c0396a.zip
File size 9607 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 94FB1BA7
MD5 bdf5f8f0fd507b3a397dd7c6c6f2d7d8
SHA1 31959b1a18c47e4af219352e54f0959f99c0396a
SHA256 74e5c8872874229ab9ae0344db048e4d5081ea4cef2a59c754239b10962aea2c
SHA512 e4a6dc54d92b78cd7c4b90c99cd4ee75d59f1d949e2abe8d80daaa6a608e1977f0066a6ec9ec719f39574fe3062e6efef17f7dade3bb97f993f182c2d8775838
Ssdeep 192:7pTubW3BNvBfE9SqxhiYpZAzkt1k+M71C7IJf7nYxeBIE58a:1rv4iSCzkt1PyC7uf7nY02E58a
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal
Scan Date: 2016-09-16 11:41:50
Detection Rate: 5/55

MetaFlows Scores

Metaflows Analysis Results (Signatures=0, Anomalies=0, PEiD=0, Yara=2, VT[1474032667]=100): Snort Events=0, AV Events=162
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~81F0F51~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND

Signatures

recon_fingerprint details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

september_2016_details_~81F0F51~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~81F0F51~.js
  • C:\Windows\System32\wscript.exe
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~81F0F51~.js
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\wscript.exe
Registry Key-Opened
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CLASSES_ROOT\.js
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Windows\System32\wscript.exe" C:\Users\HARRYD~1\AppData\Local\Temp\september_2016_details_~81F0F51~.js PID: 4144, Parent PID: 6096

Volatility

Nothing to display.