Category: FILE
Started On: 2016-12-04 03:15:04.856827
Completed On: 2016-12-04 03:17:13.729536
Duration: 128 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo
Label: win7 Clone 1
Manager: VirtualBox
Started On: 2016-12-04 03:15:06
Shutdown On: 2016-12-04 03:17:13

File Details

File name 59fe63cc938dddfe9b5ec0774201b42496ca45bb.zip
File size 6821240 bytes
File type Zip archive data, at least v2.0 to extract
CRC32 76140760
MD5 f5690402d531544de5f363bcdca7035d
SHA1 59fe63cc938dddfe9b5ec0774201b42496ca45bb
SHA256 838edc426a1b433efbe60706563c7d586901d8fb7ca5cdba89d25ea36f145bc6
SHA512 fdacc15889d4e126cf484434341ee836a68fa3eeba81848b997a5ddb96778e488e7faec10148a5cb247507401ae2ec6499a6f2c1eda4095e075955f13c5f9766
Ssdeep 196608:pOuyTE21lfKNaqRyecvo6mT63/g6hkQwi:pOuv2fs7R2vvmTmIq
PEiD None matched
Yara None matched
VirusTotal
VirusTotal Scan Date: 2016-01-13 17:41:50
Detection Rate: 2/53

MetaFlows Scores

Metaflows Analysis Results (Signatures=50, Anomalies=0, PEiD=0, Yara=0, VT[1480821455]=0): Snort Events=0, AV Events=0
Total Score=50

Zipped File Yara Signatures:
bugreport.exe: Str_Win32_Http_API
ConnectUI.dll: Str_Win32_Http_API
AdbCmdServer.dll: Str_Win32_Http_API
AndroidServer.exe: Str_Win32_Http_API
AndroidServerUp.exe: Str_Win32_Http_API
ConnectManager.dll: Str_Win32_Http_API
Daemon.dll: Str_Win32_Http_API
Common.dll: Str_Win32_Http_API

Signatures

antivm_memory_available
Roaming_Profile_Modified
antivm_network_adapters
memdump_urls

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

aa0cf8e5c4b29225_crashinfo.ini

d8492508e57cde18_tadbfull__226910664c5b058f1d5fa0b3e12161c2_188d5bc.dmp

472bab278817f937_tadb_226910664c5b058f1d5fa0b3e12161c2_188d5bc.dmp

89e56ff4d38b9f63_bugreport.log

ec2ff05fc6d5b46b_tadb_934691e8878bb7bf906acf4d125065a2_188d5bc.txt

tadb.exe

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\System32\apphelp.dll
  • C:\Windows\SysWOW64\CRYPTBASE.dll
  • C:\Windows\SysWOW64\user32.dll
  • C:\Windows\SysWOW64\imm32.dll
  • C:\Windows\SysWOW64\advapi32.dll
  • C:\Windows\SysWOW64\msctf.dll
  • C:\Windows\SysWOW64\setupapi.dll
  • C:\Windows\SysWOW64\sspicli.dll
  • C:\Windows\SysWOW64\kernel32.dll
  • C:\Windows\SysWOW64\msvcrt.dll
  • C:\Windows\SysWOW64\shlwapi.dll
  • C:\Windows\SysWOW64\cfgmgr32.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcp100.dll
  • C:\Windows\SysWOW64\ole32.dll
  • C:\Windows\SysWOW64\nsi.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadb_934691E8878BB7BF906ACF4D125065A2_188d5bc.txt
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Windows\SysWOW64\lpk.dll
  • C:\Windows\System32\version.dll
  • C:\Windows\SysWOW64\devobj.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\tadb.exe
  • C:\Users\Harry Dresden\AppData\Roaming\Tencent\AndroidServer\crashinfo.ini
  • C:\Windows\SysWOW64\ntdll.dll
  • C:\Windows\SysWOW64\usp10.dll
  • C:\Windows\SysWOW64\ws2_32.dll
  • C:\Windows\SysWOW64\sechost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AdbWinApi.DLL
  • C:\Windows\SysWOW64\gdi32.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AdbWinUsbApi.dll
  • C:\Windows\SysWOW64\rpcrt4.dll
  • C:\Windows\SysWOW64\KERNELBASE.dll
  • C:\Windows\SysWOW64\oleaut32.dll
  • C:\Windows\System32\winusb.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcr100.dll
File-Written
  • C:\Users\Harry Dresden\AppData\Roaming\Tencent\AndroidServer\crashinfo.ini
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadb_226910664C5B058F1D5FA0B3E12161C2_188d5bc.dmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadb_934691E8878BB7BF906ACF4D125065A2_188d5bc.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadbFULL__226910664C5B058F1D5FA0B3E12161C2_188d5bc.dmp
  • C:\Users\Harry Dresden\AppData\Roaming\Tencent\AndroidServer\Bugreport.log
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadb_934691E8878BB7BF906ACF4D125065A2_188d5bc.txt
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadbFULL__226910664C5B058F1D5FA0B3E12161C2_188d5bc.dmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadb_226910664C5B058F1D5FA0B3E12161C2_188d5bc.dmp
File-Opened
  • C:\Windows\System32\apphelp.dll
  • C:\Windows\SysWOW64\CRYPTBASE.dll
  • C:\Windows\SysWOW64\user32.dll
  • C:\Windows\SysWOW64\imm32.dll
  • C:\Windows\SysWOW64\advapi32.dll
  • C:\Windows\SysWOW64\msctf.dll
  • C:\Windows\SysWOW64\setupapi.dll
  • C:\Windows\SysWOW64\sspicli.dll
  • C:\Windows\SysWOW64\kernel32.dll
  • C:\Windows\SysWOW64\msvcrt.dll
  • C:\Windows\SysWOW64\shlwapi.dll
  • C:\Windows\SysWOW64\cfgmgr32.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcp100.dll
  • C:\
  • C:\Windows\SysWOW64\ole32.dll
  • C:\Windows\SysWOW64\nsi.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\tadb_934691E8878BB7BF906ACF4D125065A2_188d5bc.txt
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Windows\SysWOW64\lpk.dll
  • C:\Windows\System32\version.dll
  • C:\Windows\SysWOW64\devobj.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\tadb.exe
  • C:\Windows\SysWOW64\ntdll.dll
  • C:\Windows\SysWOW64\usp10.dll
  • C:\Windows\SysWOW64\ws2_32.dll
  • C:\Windows\SysWOW64\sechost.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AdbWinApi.DLL
  • C:\Windows\SysWOW64\gdi32.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\AdbWinUsbApi.dll
  • C:\Windows\SysWOW64\rpcrt4.dll
  • C:\Windows\SysWOW64\KERNELBASE.dll
  • C:\Windows\SysWOW64\oleaut32.dll
  • C:\Windows\System32\winusb.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcr100.dll
  • C:\Windows\Globalization\Sorting\sortdefault.nls
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Users\Harry Dresden\AppData\Roaming\Tencent
  • C:\Users\Harry Dresden\AppData\Roaming\Tencent\AndroidServer
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\
Directory-Enumerated
  • C:\Windows\System32\apphelp.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\wntdll.pdb\*
  • C:\Users\Harry Dresden\AppData\Local\Temp\Tencent\*.*
  • C:\Windows\SysWOW64
  • C:\Windows\SysWOW64\user32.dll
  • C:\Windows\SysWOW64\imm32.dll
  • C:\Windows\SysWOW64\advapi32.dll
  • C:\Windows\SysWOW64\msctf.dll
  • C:\Windows\SysWOW64\setupapi.dll
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Windows\SysWOW64\sspicli.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\tadb.pdb\*
  • C:\Windows\SysWOW64\kernel32.dll
  • C:\Windows\SysWOW64\msvcrt.dll
  • C:\Windows\SysWOW64\shlwapi.dll
  • C:\Windows\SysWOW64\cfgmgr32.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcp100.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\Local\Temp\wkernel32.pdb\*
  • C:\Windows\SysWOW64\ole32.dll
  • C:\Windows\SysWOW64\nsi.dll
  • C:\Windows\SysWOW64\shell32.dll
  • C:\Windows\SysWOW64\lpk.dll
  • C:\Windows\System32\version.dll
  • C:\Users
  • C:\Windows\System32
  • C:\Windows\SysWOW64\devobj.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\tadb.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcr100.i386.pdb\*
  • C:\Windows\SysWOW64\ntdll.dll
  • C:\Windows\SysWOW64\usp10.dll
  • C:\Windows\SysWOW64\ws2_32.dll
  • C:\Windows\SysWOW64\sechost.dll
  • C:\Windows\SysWOW64\gdi32.dll
  • C:\Windows\SysWOW64\rpcrt4.dll
  • C:\Windows
  • C:\Windows\SysWOW64\oleaut32.dll
  • C:\Windows\System32\winusb.dll
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\AppData\Local\Temp\msvcr100.dll
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LsaExtensionConfig\SspiCli
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PeerDist\Service
  • HKEY_CURRENT_USER\Software\Tencent\QQPhonemanager
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp
  • HKEY_CURRENT_USER\Software\Tencent\QQPhoneManager
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip6
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Setup Migration\Providers
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles
  • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\PeerDist\Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_CURRENT_USER
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\Winsock
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\SspiCache
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\ProductName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\TokenSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\UseDelayedAcceptance
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\CurrentType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\SysWOW64\ntdll.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\SHLWAPI.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\USER32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\DEVOBJ.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MaxSockaddrLength
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\UseDelayedAcceptance
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureRoutine
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\CRYPTBASE.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\USP10.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SecurityProviders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\kernel32.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadOverride
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip\WinSock 2.0 Provider ID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\LPK.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\IMM32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\Tracing\Enabled
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc2740-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\LsaExtensionConfig\SspiCli\CheckSignatureDll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\Mapping
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\CFGMGR32.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\MinSockaddrLength
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Comment
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\system32\WINUSB.DLL
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\system32\VERSION.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\KERNELBASE.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\ole32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\SHELL32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\SspiCli.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Name
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\RPCRT4.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Users\Harry Dresden\AppData\Local\Temp\AdbWinUsbApi.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\ADVAPI32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Users\Harry Dresden\AppData\Local\Temp\AdbWinApi.DLL
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\RpcId
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\MaxSockaddrLength
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\system32\apphelp.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Generation
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\SysWOW64\sechost.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Capabilities
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\SETUPAPI.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ShareCredsWithWinHttp
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\HelperDllName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DisableBranchCache
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Setup Migration\Providers\Tcpip6\WinSock 2.0 Provider ID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\OLEAUT32.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\HelperDllName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\credssp.dll\Type
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ProxySettingsPerUser
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters\Winsock\MinSockaddrLength
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273d-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\NSI.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\WS2_32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Users\Harry Dresden\AppData\Local\Temp\tadb.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Winsock\Parameters\Transports
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{b9fc273c-d442-11e0-8ee6-806e6f6e6963}\Data
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\GDI32.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\MSCTF.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Users\Harry Dresden\AppData\Local\Temp\MSVCR100.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters\Winsock\Mapping
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Users\Harry Dresden\AppData\Local\Temp\MSVCP100.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\WINDOWS NT\CURRENTVERSION\MiniDumpAuxiliaryDlls\C:\Windows\syswow64\msvcrt.dll

Processes

C:\Windows\system32\lsass.exe PID: 456, Parent PID: 352

"C:\Users\Harry Dresden\AppData\Local\Temp\tadb.exe" PID: 2084, Parent PID: 4392

bugreport /buginfo:000000D0:000000D4:0063FA80:2084 /NoUI /ProcessPath:C:\Users\Harry Dresden\AppData\Local\Temp\tadb.exe /PostAll PID: 3352, Parent PID: 2084

Volatility

Nothing to display.