'
metaflows logo
Category Started On Completed On Duration Cuckoo Version
FILE 2016-09-16 12:45:19.179272 2016-09-16 12:47:59.114596 159 seconds 2.0-dev
Machine Label Manager Started On Shutdown On
win7cuckoo2 win7 Clone 2 VirtualBox 2016-09-16 12:45:23 2016-09-16 12:47:57

File Details

File name b33b0f3e0e85559d2a834360f2d14c5b7a7ea46e.zip
File size 9813 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 DA5C82B9
MD5 b77720bc8f9c6a695a764b7873971e49
SHA1 b33b0f3e0e85559d2a834360f2d14c5b7a7ea46e
SHA256 5c45f6ce446e792b1d59b8419d42f2723bf1bba4b5a909b07eeb3041f79a536a
SHA512 29b767aee2f30c4af5c5f7394c948fb6bd7741030a8494b2dccab5d1cabcbbeb59c8b54b5c86fa165a4e71e947d03cad19f8a12962462a448673c09dc7a3c2e3
Ssdeep 192:rIZwoxGNeRK8nNPm65A4xWGjLzbWaPPEHsXEzaWnGolX8:0ZroQnNO650yjLnesX1WGols
PEiD None matched
Yara
  • PM_Zip_with_js ()
VirusTotal Permalink
VirusTotal Scan Date: 2016-09-16 11:18:41
Detection Rate: 4/56 (Expand)

MetaFlows Scores

Metaflows Analysis Results (Signatures=0, Anomalies=0, PEiD=0, Yara=2, VT[1474030096]=100): Snort Events=0, AV Events=162
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~6D411C81~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND

Signatures

recon_fingerprint details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

september_2016_details_~6D411C81~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~6D411C81~.js
  • C:\Windows\System32\wscript.exe
File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~6D411C81~.js
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\wscript.exe
Registry Key-Opened
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CLASSES_ROOT\.js
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type

Processes

registry filesystem process services network synchronization

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Windows\System32\wscript.exe" C:\Users\HARRYD~1\AppData\Local\Temp\september_2016_details_~6D411C81~.js PID: 5956, Parent PID: 2420

Volatility

Nothing to display.