Category FILE
Started On 2017-05-11 14:45:03.881120
Completed On 2017-05-11 14:47:29.622132
Duration 145 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo2
Label win7 Clone 2
Manager VirtualBox
Started On 2017-05-11 14:45:04
Shutdown On 2017-05-11 14:47:29

File Details

File name E7ECE303-0105-43A9-BDD7-4BA9FAACE3F0.pdf
File size 21932 bytes
File type PDF document, version 1.3
CRC32 54250F3A
MD5 36953d369631c2e5608938d13b71a188
SHA1 6ee6c1f6a7409ab5eb9adfa6725715743b513fb0
SHA256 b655785468b446145a07721b5ac88fc584e099aa371e0ca3f7dbaf923b534c69
SHA512 c14819fc6cd279fb73691eb7d2ef35c745ba29d1b3413d48ac39ddc87b5e277e4c8bd16d650685d7ab57a582de7bee9fe63348b94b99671dffb199913e8f2641
Ssdeep 384:GC3ORdMdtAbmZ9Lz2gaFunJ1rbn8YRFxmCTYQUxA4JGe9KGQfo3CKBaqnc8t:33OXRgv2gaFelbxkQUHlIoSKjN
PEiD None matched
Yara None matched
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=125, Anomalies=0, PEiD=0, Yara=0, VT[1494514066]=0): Snort Events=2, AV Events=0
Total Score=125

SNORT EVENTS:
ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)

Dropped File/Buffer Yara Signatures:
0de1b2e413196ea45932ecce929ee28a8f06ee75 [BUFFER]: embedded_win_api
0de1b2e413196ea45932ecce929ee28a8f06ee75 [BUFFER]: Str_Win32_Http_API

Signatures

dumped_buffer
memdump_urls
injection_runpe

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Opened
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Acrobat
  • C:\Program Files (x86)\Adobe\Reader 11.0
  • C:\Users\Harry Dresden\AppData\Local\Microsoft
  • C:\Windows\System32
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Color
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Headlights
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\LocalLow\Microsoft
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\LogTransport2
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\Temporary Internet Files
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Speech
  • C:\Program Files
  • C:\Windows\System32\KBDUS.DLL
  • C:\Program Files (x86)
  • C:\Users\Harry Dresden\Documents
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData\Local\Temp\acrord32_sbx
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Linguistics
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft
  • C:\Users\Harry Dresden\AppData\Local\Temp\E7ECE303-0105-43A9-BDD7-4BA9FAACE3F0.pdf
  • C:\Windows
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe\Linguistics
Directory-Created
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\Local\Temp\acrord32_sbx
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\LogTransport2
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Linguistics
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Speech
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Color
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Headlights
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\LocalLow
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe\Linguistics
Directory-Enumerated
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe
  • C:\Users\Harry Dresden\AppData\Local\Temp
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe\Acrobat
  • C:\Users\Harry Dresden\AppData\LocalLow\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Speech
  • C:\Users\Harry Dresden\AppData\Local\Adobe
  • C:\Users\Harry Dresden\AppData\Local
  • C:\Program Files (x86)\Adobe
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Acrobat
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Acrobat
  • C:\Windows
  • C:\Users
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Color
  • C:\Users\Harry Dresden\AppData\Local\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\Roaming\Adobe\Acrobat\11.0
  • C:\Users\Harry Dresden\AppData\LocalLow
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Justsystem\ATOK\Setup\Folder
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\KnownFolderSettings
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\KnownFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OLE\Tracing
  • HKEY_LOCAL_MACHINE\Software\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockdown
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003
  • HKEY_CURRENT_USER\Software\Adobe\Adobe Synchronizer\11.0
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PropertyBag
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  • HKEY_CURRENT_USER\(Default)
  • HKEY_CURRENT_CONFIG\(Default)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\AccessProviders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}
  • HKEY_USERS\(Default)
  • HKEY_LOCAL_MACHINE\(Default)
  • HKEY_LOCAL_MACHINE\system\CurrentControlSet\control\NetworkProvider\HwOrder
  • HKEY_LOCAL_MACHINE\Software\Adobe\Adobe Acrobat\11.0\Security
  • HKEY_CURRENT_USER\Software\Adobe\CommonFiles\Usage\Acrobat11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PropertyBag
  • HKEY_CURRENT_USER\Software\Adobe\CommonFiles\Usage\Reader 11_Acrobat11_Reader_11.0.10
  • HKEY_CURRENT_USER\Software\Adobe\CommonFiles\Usage\Reader 11
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral
  • HKEY_CLASSES_ROOT\(Default)
  • HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\11.0\DiskCabs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Privileged
  • HKEY_LOCAL_MACHINE\Software\Adobe\Acrobat Reader\11.0\Installer
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral\cRecentFiles\c1
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableAlternateTempDirectory
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\MaxRpcSize
  • \bEnableAlternateLaunchDesktop
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableHeapMitigations
  • \Atok24
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableEnhancedPolicyRestrictions
  • \Atok23
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • \bPreventCreatingExecutables
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409\Layout File
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\Installer\Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\RelativePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bDisableCryptBroker
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableBinaryPlantingProtection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Security
  • \bEnableGlobalAtomRestrictions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParsingName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\{A520A1A4-1780-4FF6-BD18-167343C5AF16}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bProtectedMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableAlternateLaunchDesktop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Roamable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Category
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Category
  • \bEnableEnhancedPolicyRestrictions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\LocalRedirectOnly
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PublishExpandedPath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParsingName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Roamable
  • HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\AVGeneral\iMaxMRUCntToBeStored
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\RelativePath
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AB0000000001}\Version
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\InitFolderHandler
  • \bEnableHeapMitigations
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResource
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\FolderTypeID
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\OOBEInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Security
  • \bEnforceReadRestrictions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
  • \bEnableAlternateTempDirectory
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\AccessProviders\MartaExtension
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnforceReadRestrictions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResource
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\LocalizedName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Icon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableSameObjectCheck
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bUseWhitelistConfigFile
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-3416602863-1947377224-293699093-1003\ProfileImagePath
  • HKEY_CURRENT_USER\Keyboard Layout\Preload\1
  • \bEnableBinaryPlantingProtection
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Stream
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bFilePathPreprocessingShortcutEnabled
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bPreventCreatingExecutables
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\11.0\FeatureLockDown\bEnableGlobalAtomRestrictions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Description
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\StreamResourceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Keyboard Layouts\00000409\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Adobe\Acrobat Reader\11.0\Installer\ENU_GUID
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\ComputerName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\Name
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\PreCreate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\ParentFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{5E6C858F-0E22-4760-9AFE-EA3317B67173}\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\FolderDescriptions\{A520A1A4-1780-4FF6-BD18-167343C5AF16}\InitFolderHandler
Mutex-Accessed
  • {100184D2-BDC3-477a-B8D3-65548B67914C}_1132

Processes

C:\Windows\system32\lsass.exe PID: 460, Parent PID: 364

"C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AcroRd32.exe" C:\Users\HARRYD~1\AppData\Local\Temp\E7ECE303-0105-43A9-BDD7-4BA9FAACE3F0.pdf PID: 5604, Parent PID: 4744

Volatility

Nothing to display.