Category FILE
Started On 2016-09-16 15:38:40.892973
Completed On 2016-09-16 15:41:20.860672
Duration 159 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2016-09-16 15:38:41
Shutdown On 2016-09-16 15:41:20

File Details

File name c70c13fb3d16303571fe005036a8332a776f72f2.zip
File size 9893 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 C63A37B0
MD5 025cec6533b0355aca1eea07d502799e
SHA1 c70c13fb3d16303571fe005036a8332a776f72f2
SHA256 78892957116ddeb67b033855c62bafc9810b86ed2ca48f251305f1a0b4a77496
SHA512 fbe644e351be05959ec840d8093834314c18cc512eb41b1a8af588e97af2ff81e549e6c182c4520ca41c92d3346354f2dcecb4e5bd50647c8649fa9681e44c27
Ssdeep 192:rzL+91uHiAhH+uL30hNo0aZtGOZx3SjOPN4GFxChmtAuT6y5aP1kGlxHhbkb:re4+uDuOZxmKRF04KOx5i1J3K
PEiD None matched
Yara
  • PM_Zip_with_js
VirusTotal Scan Date: 2016-09-16 09:25:35
Detection Rate: 4/55

MetaFlows Scores

Metaflows Analysis Results (Signatures=0, Anomalies=0, PEiD=0, Yara=2, VT[1474040489]=100): Snort Events=0, AV Events=162
Total Score=100

CLAMAV DETECTED:
Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND
DROPPED FILE - september_2016_details_~4AD908~.js: Sanesecurity.Malware.26331.JsHeur.UNOFFICIAL FOUND

Signatures

recon_fingerprint

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

september_2016_details_~4AD908~.js

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\System32\wscript.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~4AD908~.js
File-Opened
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\rsaenh.dll
  • C:\Windows\System32\wscript.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\september_2016_details_~4AD908~.js
Registry Key-Opened
  • HKEY_CLASSES_ROOT\JSFile\ScriptEngine
  • HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
  • HKEY_CLASSES_ROOT\.js
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Extensions\RemoteRpcDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
  • HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagMatchAnyMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DiagLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JScript\CLSID\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\MachineThrottling
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\UseWINSAFER
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledSessions\GlobalSession
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\Timeout
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Type
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\COM+Enabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\JSFile\ScriptEngine\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script Host\Settings\TrustPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Safety Warning Level
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\DisabledProcesses\DA0C75D6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.js\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type

Processes


C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Windows\System32\wscript.exe" C:\Users\HARRYD~1\AppData\Local\Temp\september_2016_details_~4AD908~.js PID: 2944, Parent PID: 3424

Volatility

Nothing to display.