Category: FILE
Started On: 2017-11-02 13:27:31.866223
Completed On: 2017-11-02 13:30:31.247395
Duration: 179 seconds
Cuckoo Version: 2.0-dev

Machine: win7cuckoo2
Label: win7 Clone 2
Manager: VirtualBox
Started On: 2017-11-02 13:27:32
Shutdown On: 2017-11-02 13:30:31

File Details

File name 56bb860123a68d99f3fad678753e20b15e04a0f8.exe
File size 354912 bytes
File type PE32 executable (GUI) Intel 80386, for MS Windows
CRC32 74CC38FE
MD5 aede69300b257e5751f9ce10f020885f
SHA1 56bb860123a68d99f3fad678753e20b15e04a0f8
SHA256 98d5ba5906d28b5cb3de853622bd67efa010add07e91ef9de5483afbc00be9dd
SHA512 3f9f16c16495176dc95f509d9fbf70c600b611d1d077ca4deab20132bf332755fdb2501d304944170c803bb1738a9b2b2ea4b957bae594347b239d66982fab2b
Ssdeep None
PEiD None matched
Yara
  • Str_Win32_Http_API (Match Windows Http API call)
VirusTotal Scan Date: 2017-11-01 09:38:20
Detection Rate: 3/66

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=2, VT[1509643850]=0): Snort Events=0, AV Events=0
Total Score=75

Dropped File/Buffer Yara Signatures:
e85d4fb859a2964d_360ini.dll: Str_Win32_Http_API

Signatures

has_pdb
locates_browser
raises_exception
av_detect_china_key
allocates_rwx
antisandbox_foregroundwindows
antisandbox_sleep
origin_langid
antivm_network_adapters
process_needed
Windows_Proxy_Tinkering
antiav_detectreg
antidbg_devices
antivm_generic_disk
process_interest
antivm_vmware_in_instruction

Screenshots

No screenshots available.

Static Analysis

Version Infos

Sections

Resources

Imports

Strings

Dropped Files

  • 203f884dd467d4a0_360ini.cab
  • 8e3d9c8026486d8e_{4be205d5-ae0f-431f-9557-0e6cb5c6ee93}.tmp
  • b4471425dc00b236_pvkemylnelmwbnpk.tmp
  • b27f0541bab10170_rqfuiyfwyblxgckp.tmp
  • 60d1e579b934fdb1_tekjashimgbmlxfl.tmp
  • fecbea96d3f53ee9_jbtwgnuvykkjajhq.tmp
  • 10d2a68a489acb8b_{ffe4501c-e081-46e4-b624-685cb64dcfdc}.tmp
  • 69ff2c6b4a2a98fb_{1c4386d5-23a5-4600-8552-5418712ed778}.tmp
  • f1b14490dde8edf3_dtjvdnaniyjzcocd.tmp
  • 2dd8b594ea1a841e_bledevfvyzstskvs.tmp
  • a9fd4040d141fb55_{12dfb829-dd0b-4df8-a1be-4cd2087047ed}.tmp
  • c689332fd2e3e9d8_zdrdhabmlkwhpcvw.tmp
  • 0a1cbff413afc3e5_vgqgqtqfhfsbiusg.tmp
  • 8003d7b12cd06cf4_jmnxzyaomkeqtxvt.tmp
  • e0136c136f5706b2_wsurwhnkuxpkcrzn.tmp
  • 53182f7e2f8c399d_{f42fc322-d860-4606-b849-42c0b8b4bbab}.tmp
  • aaee3b6f1c9f875f_csfqtojrepwqdsfj.tmp
  • 78fd44a652d25a6b_{b182a0f0-aa10-4cda-ba12-58705404e9d7}.tmp
  • 8bf01719d9478ddb_{f5fe212d-38fa-4c29-bd0b-3c68181767ec}.tmp
  • 05205791a6961aac_{eac0143b-688f-45a8-9aed-e11ccc35b573}.tmp
  • 072fbde48756bceb_{b8eef124-c813-453c-b9c2-5ff9cac9127b}.tmp
  • 281305097039f9fc_koexyitddbzbisie.tmp
  • 6df3ff01c25106c9_xhexvvblhfxspqjc.tmp
  • 9b8b9f9e8e1a9310_{99ef6628-f84a-4016-b79a-822dcd3f2fa0}.tmp
  • 3ba7990dbf851a72_{9a1eb937-b356-4758-a75f-19375b40e44d}.tmp
  • 6bdf4267eb1a760c_{713a9b6f-9e42-4f18-9c90-fa451d7c2dd0}.tmp
  • 62f7a283d1766829_{43da4395-2915-46e5-82f4-c8452a34c5d0}.tmp
  • e85d4fb859a2964d_360ini.dll
  • 2b6b2174e8fec8f0_{4531f05d-edd6-4fca-a168-0c1bf3ffc52d}.tmp
  • e636ca14cbb2b032_jkddxspo.tmp
  • c3a4b0ecb04985b5_{50de2198-81e5-488e-a051-4459b3e13191}.tmp
  • cbd285153959a783_pjaennzemydnawwh.tmp
  • 9a7513db6868ebf3_{34fb1c40-1bc4-427d-ac21-fd14467c1377}.tmp
  • 4cc97712bc70de77_{3fdc2eb3-dfc7-4155-86b1-cbf70d7fdccb}.tmp
  • ac794acc8769602b_sufqkpfcgayropct.tmp
  • d6d21ec5104328a3_ukuzwvdggocsezyx.tmp
  • 6c1dbc72d29f5417_lfdbaiwwstcbpxzy.tmp
  • 9dff05da19a883c3_zuijtuayebacxqno.tmp
  • 6ba362bacb44e0e0_{731da233-99d3-4faa-ac50-8c561110ba7c}.tmp
  • b28f68277160494d_lmprsmxinkzmjzwb.tmp
  • 594dbbca8f93007c_{f9bad113-ebba-4517-9323-fae1eb24b553}.tmp
  • 0bba1fe46848bae7_gmxltpfpteqhltiz.tmp
  • ef3e457d933b5c90_{b0905d8d-ab89-48ed-8b2a-d9ff55cb4cff}.tmp

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\jKdDxSpO.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\dKnHePuHkYnNbRnU\360ini.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\360ini.cab
File-Written
  • C:\Users\Harry Dresden\AppData\Local\Temp\{4BE205D5-AE0F-431f-9557-0E6CB5C6EE93}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E2F17043-A58B-4cbc-AB90-07A9C753A37A}\pVkEmYlNeLmWbNpK.tmp
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\kOiIcZyAiNsUxFxQ\{B8EEF124-C813-453c-B9C2-5FF9CAC9127B}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\jBtWgNuVyKkJaJhQ.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{5B7319F3-C3FC-4462-A5B5-ED5E436AC77D}\lFdBaIwWsTcBpXzY.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\zDrDhAbMlKwHpCvW.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{EAC0143B-688F-45a8-9AED-E11CCC35B573}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\vGqGqTqFhFsBiUsG.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{50DE2198-81E5-488e-A051-4459B3E13191}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{65C9E22C-6EE5-4636-936F-8498F0B320F9}
  • C:\Users\Harry Dresden\AppData\Local\Temp\pJaEnNzEmYdNaWwH.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{34FB1C40-1BC4-427d-AC21-FD14467C1377}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\qOeKmAaQrTsJjGsY\{3FDC2EB3-DFC7-4155-86B1-CBF70D7FDCCB}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\dYmGsLoDmLkIoZsU\{FFE4501C-E081-46e4-B624-685CB64DCFDC}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{1C4386D5-23A5-4600-8552-5418712ED778}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\uKuZwVdGgOcSeZyX.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{12DFB829-DD0B-4df8-A1BE-4CD2087047ED}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{5C97ED74-4A21-4f2f-9395-AF095F15A685}\tEkJaShImGbMlXfL.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\uRbVlEoJtDoGqLwJ\{F5FE212D-38FA-4c29-BD0B-3C68181767EC}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{85097F89-F26E-46ea-9753-4D9AEB46EE37}\wSuRwHnKuXpKcRzN.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\gMxLtPfPtEqHlTiZ.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\360ini.cab
  • C:\Users\Harry Dresden\AppData\Local\Temp\wCmAmIuMoGfHeMeL\{B182A0F0-AA10-4cda-BA12-58705404E9D7}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\jApIgVvWcXuYkKxN\{713A9B6F-9E42-4f18-9C90-FA451D7C2DD0}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\rQfUiYfWyBlXgCkP.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{D2BB15EC-E3C9-4798-AF14-E868EE47C4C3}\xHeXvVbLhFxSpQjC.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\nZbAmJfAtPpZjTbH\{43DA4395-2915-46e5-82F4-C8452A34C5D0}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\dKnHePuHkYnNbRnU\360ini.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\{731DA233-99D3-4faa-AC50-8C561110BA7C}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{63D3898B-5CDA-47db-B68E-F9CC4AEA2784}\lMpRsMxInKzMjZwB.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{9A1EB937-B356-4758-A75F-19375B40E44D}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{F42FC322-D860-4606-B849-42C0B8B4BBAB}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{534B7234-E198-463e-8A4B-EB5612E259DD}\kOeXyItDdBzBiSiE.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\rVcGrGnIkDpEuElI\{B0905D8D-AB89-48ed-8B2A-D9FF55CB4CFF}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\cSfQtOjRePwQdSfJ.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\sUfQkPfCgAyRoPcT.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{995DA387-B301-4810-AFF9-71DC96FA0FEE}\dTjVdNaNiYjZcOcD.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{C5C826E3-CBF5-44a6-9BDA-F3780B80E9FE}\jMnXzYaOmKeQtXvT.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\zUiJtUaYeBaCxQnO.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{21C8249A-1829-45eb-AB70-0800B29625CF}\bLeDeVfVyZsTsKvS.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{4531F05D-EDD6-4fca-A168-0C1BF3FFC52D}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\{99EF6628-F84A-4016-B79A-822DCD3F2FA0}.tmp
  • C:\Users\Harry Dresden\AppData\Local\Temp\yYpOoSrAmWqAdHwP\{F9BAD113-EBBA-4517-9323-FAE1EB24B553}.tmp
File-Deleted
  • C:\Users\Harry Dresden\AppData\Local\Temp\360ini.cab
File-Opened
  • C:\
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • \\?\PIPE\wkssvc
  • C:\Users\Harry Dresden\AppData\Local\Temp\dKnHePuHkYnNbRnU\360ini.dll
  • C:\Windows\System32\winrnr.dll
  • C:\Windows\System32\pnrpnsp.dll
  • \??\PhysicalDrive0
  • C:\Windows\SysNative\ntoskrnl.exe
  • C:\Users\Harry Dresden\AppData\Local\Temp\jKdDxSpO.tmp
  • C:\Windows\System32\NapiNSP.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\360ini.cab
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Themes\slideshow.ini
File-Moved
  • C:\Users\Harry Dresden\AppData\Local\Temp\{65C9E22C-6EE5-4636-936F-8498F0B320F9} -> C:\Users\Harry Dresden\AppData\Local\Temp\jKdDxSpO.tmp
Network-Connects IP
  • 180.163.251.231
Network-Connects Host
  • dl.360safe.com
  • 104.192.108.18
Directory-Created
  • C:\Users\Harry Dresden\AppData\Local\Temp\{B8CD889F-FC82-40ff-AE7C-91C6351E3118}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{959867F3-C866-4b8c-B21B-D167C5F7252A}
  • C:\Users\Harry Dresden\AppData\Local\Temp\dYmGsLoDmLkIoZsU
  • C:\Users\Harry Dresden\AppData\Local\Temp\nZbAmJfAtPpZjTbH
  • C:\Users\Harry Dresden\AppData\Local\Temp\{21C8249A-1829-45eb-AB70-0800B29625CF}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{5C97ED74-4A21-4f2f-9395-AF095F15A685}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{85097F89-F26E-46ea-9753-4D9AEB46EE37}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{C5C826E3-CBF5-44a6-9BDA-F3780B80E9FE}
  • C:\Users\Harry Dresden\AppData\Local\Temp\uRbVlEoJtDoGqLwJ
  • C:\Users\Harry Dresden\AppData\Local\Temp\{FCA41FDB-6593-41c0-BACF-23A49D42F030}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{7BB6E6E0-E628-4f10-A52A-4D1DB4A8DAB3}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{534B7234-E198-463e-8A4B-EB5612E259DD}
  • C:\Users\Harry Dresden\AppData\Local\Temp\jQlJfYmYwScOuRwO
  • C:\Users\Harry Dresden\AppData\Local\Temp\{638DAD76-47FE-4132-9E7B-020C4DC7AC88}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{5B7319F3-C3FC-4462-A5B5-ED5E436AC77D}
  • C:\Users\Harry Dresden\AppData\Local\Temp\wCmAmIuMoGfHeMeL
  • C:\Users\Harry Dresden\AppData\Local\Temp\rVcGrGnIkDpEuElI
  • C:\Users\Harry Dresden\AppData\Local\Temp\kOiIcZyAiNsUxFxQ
  • C:\Users\Harry Dresden\AppData\Local\Temp\yYpOoSrAmWqAdHwP
  • C:\Users\Harry Dresden\AppData\Local\Temp\nQhFgKvCqXwNvGyR
  • C:\Users\Harry Dresden\AppData\Local\Temp\qOeKmAaQrTsJjGsY
  • C:\Users\Harry Dresden\AppData\Local\Temp\{D2BB15EC-E3C9-4798-AF14-E868EE47C4C3}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{995DA387-B301-4810-AFF9-71DC96FA0FEE}
  • C:\Users\Harry Dresden\AppData\Local\Temp\dKnHePuHkYnNbRnU
  • C:\Users\Harry Dresden\AppData\Local\Temp\jApIgVvWcXuYkKxN
  • C:\Users\Harry Dresden\AppData\Local\Temp\{E2F17043-A58B-4cbc-AB90-07A9C753A37A}
  • C:\Users\Harry Dresden\AppData\Local\Temp\{63D3898B-5CDA-47db-B68E-F9CC4AEA2784}
  • C:\Users\Harry Dresden
  • C:\Users\Harry Dresden\AppData\Local\Microsoft\Windows\WER\ERC
  • C:\Users\Harry Dresden\AppData\Roaming
  • C:\Users\Harry Dresden\AppData\Roaming\Microsoft\Windows\Themes\
Directory-Enumerated
  • C:\Program Files (x86)\tencent\QQPCMgr\*
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\0a-00-27-00-00-00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GreenBrowser_is1
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduAn
  • HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\Liveup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_CURRENT_USER\SOFTWARE\
  • HKEY_LOCAL_MACHINE\Software\360Safe\Liveup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
  • HKEY_LOCAL_MACHINE\SOFTWARE\rising\RSE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\56bb860123a68d99f3fad678753e20b15e04a0f8.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\TheWorld Chrome
  • HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\MSC
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\NDI\Interfaces
  • HKEY_LOCAL_MACHINE\SOFTWARE\kingsoft\Antivirus
  • HKEY_CURRENT_USER\Software\Chrome
  • HKEY_CLASSES_ROOT\CLSID\{63332668-8CE1-445D-A5EE-25929176714E}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360sd.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\360krnlsvc\softmgrs
  • HKEY_LOCAL_MACHINE\SOFTWARE\JiangMin
  • HKEY_LOCAL_MACHINE\SOFTWARE\UCBrowser\
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Norton\SecurityStatusSDK
  • HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduSd
  • HKEY_LOCAL_MACHINE\SOFTWARE\Huorong\Sysdiag
  • HKEY_LOCAL_MACHINE\SOFTWARE\rising\RAV
  • HKEY_CURRENT_USER\Software\JuziBrowser
  • HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\menuext\LiveUpdate360
  • HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Avg\Framework\Common
  • HKEY_LOCAL_MACHINE\System\Setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\KeepAlive\360PayInsure
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ADSafe
  • HKEY_CLASSES_ROOT\CLSID\{4DA01382-D7BB-450E-ACE4-FB3E21206402}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\56bb860123a68d99f3fad678753e20b15e04a0f8.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\BitDefender
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\agb.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\¥후○¦ᆵ￀￀ᅥ￷
  • HKEY_LOCAL_MACHINE\SOFTWARE\MyDrivers\DriverGenius
  • HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\SetupFolders
  • HKEY_CURRENT_USER\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\
  • HKEY_LOCAL_MACHINE\Software\Tencent\QQPCMgr
  • HKEY_CURRENT_USER\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\TreatAs
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
  • HKEY_CURRENT_USER\Software\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Avira\Launcher
  • HKEY_CURRENT_USER\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\56bb860123a68d99f3fad678753e20b15e04a0f8.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32
  • HKEY_CURRENT_USER\Software\SogouExplorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2C8D77CD-8E98-4EFE-A693-76C864FB7096}_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\360safe.exe
  • HKEY_CURRENT_USER\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\56bb860123a68d99f3fad678753e20b15e04a0f8.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\360Safe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\2345PCSafe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
  • HKEY_LOCAL_MACHINE\SOFTWARE\ESET\ESET Security\CurrentVersion\Info
  • HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduBrowser
  • HKEY_LOCAL_MACHINE\SOFTWARE\KSafe
  • HKEY_LOCAL_MACHINE\SOFTWARE\KnSD
  • HKEY_LOCAL_MACHINE\SOFTWARE\AhnLab\V3IS80
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder
  • HKEY_LOCAL_MACHINE\SOFTWARE\Baidu\BaiduProtect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HiveSoft_is1
  • HKEY_CURRENT_USER\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\OleAut
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum
  • HKEY_LOCAL_MACHINE\SOFTWARE\2345Explorer
  • HKEY_LOCAL_MACHINE\SOFTWARE\liebao
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00
  • HKEY_LOCAL_MACHINE\SOFTWARE\Tencent\QQBrowser
  • HKEY_LOCAL_MACHINE\Software\Tencent\CleanNet
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Windows Error Reporting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting
  • HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\ERC
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Windows Error Reporting
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Windows Error Reporting
Registry Key-Deleted
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\QIBegin
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForOverlay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\winrnr.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\Attributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsUniversalDelegate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\MapNetDriveVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\QueryForInfoTip
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\ThreadingModel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\napinsp.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0002\NetCfgInstanceId
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0005\NetCfgInstanceId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\8\ServiceName
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDns
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\360safeuninst
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\DriverDesc
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0006\NetCfgInstanceId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55272A00-42CB-11CE-8135-00AA004BB851}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
  • HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\Liveup\m2
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0000\NetCfgInstanceId
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\Ndi\Interfaces\LowerRange
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsAliasedNotifications
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\NoFileFolderJunction
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogLevel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HasNavigationEnum
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideInWebView
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\Liveup\mid
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0001\NetCfgInstanceId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\RestrictedAttributes
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideOnDesktopPerUser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\PinToNameSpaceTree
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\ProxyStubClsid32\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMaxFileSize
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsParseDisplayName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\BusType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\CallForAttributes
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadExpirationDays
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0003\NetCfgInstanceId
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}\DriveMask
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\HideFolderVerbs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions\pnrpnsp.dll
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0007\NetCfgInstanceId
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORPARSING
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\LogMask
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CLASS\{4D36E972-E325-11CE-BFC1-08002BE10318}\0004\NetCfgInstanceId
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDetectedUrl
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\WantsFORDISPLAY
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemStartOptions
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\ShellFolder\UseDropHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\(Default)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDhcp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\AnimationDuration
  • HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Interval
  • HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Flags
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\QueuePesterInterval
  • HKEY_CURRENT_USER\Control Panel\Personalization\Desktop Slideshow\Shuffle
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Windows Error Reporting\LastQueuePesterTime
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Disabled
Registry Key-Written
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadNetworkName
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\QIBegin
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecision
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\Liveup\m2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\360Safe\Liveup\mid
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDetectedUrl
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecision
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F058833-0652-4B15-B7EA-02DD7798ACE8}\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionReason
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-00-27-00-00-00\WpadDecisionTime
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.101\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{01979c6a-42fa-414c-b8aa-eee2c8202018}.check.100\CheckSetting
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{852FB1F8-5CC6-4567-9C0E-7C330F8807C2}.check.100\CheckSetting
Mutex-Accessed
  • Global\360InstallForChannel
  • {A2CE3D3C-15E7-4985-B2C5-58F681DD07A5}
  • {EF05DB74-1623-48f2-B923-8738727916C1}
  • 1830B7BD-F7A3-4c4d-989B-C004DE465EDE 5076

Processes

C:\Windows\system32\lsass.exe PID: 484, Parent PID: 388

"C:\Users\Harry Dresden\AppData\Local\Temp\56bb860123a68d99f3fad678753e20b15e04a0f8.exe" PID: 5076, Parent PID: 5052

C:\Windows\Explorer.EXE PID: 2436, Parent PID: 1852

Volatility

Nothing to display.