Category FILE
Started On 2018-05-25 22:13:17.484604
Completed On 2018-05-25 22:15:17.542800
Duration 120 seconds
Cuckoo Version 2.0-dev

Machine win7cuckoo
Label win7 Clone 1
Manager VirtualBox
Started On 2018-05-25 22:13:19
Shutdown On 2018-05-25 22:15:17

File Details

File name 1a51fceb8a624ef6f67dd75ea9cbb2098ab47669.msi
File size 31652864 bytes
File type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {F5E3E3F5-12D0-4D37-987A-BCBAD05BFF6D}, Title: PHI, Author: Nicholas F. Chilton, Number of Words: 2, Last Saved Time/Date: Fri Sep 8 17:21:56 2017, Last Printed: Fri Sep 8 17:21:56 2017
CRC32 884FBAEE
MD5 380227296205612dc92c8376a3761082
SHA1 1a51fceb8a624ef6f67dd75ea9cbb2098ab47669
SHA256 011e28a95d304cd71f0433b02faeae789074c9ea68540457c43d512fde542996
SHA512 12a03bfbb66a8377a3cc05216fd116df7f44509eabb2a351fc71a532ca0864f777c8d2910871b9994ab9a69a4cd9c6a82375a4e5cff0a7b960d55eb44f8e1aa4
Ssdeep None
PEiD None matched
Yara
  • shellcode (Matched shellcode byte patterns)
VirusTotal File not found on VirusTotal

MetaFlows Scores

Metaflows Analysis Results (Signatures=75, Anomalies=0, PEiD=0, Yara=0, VT[1527300930]=0): Snort Events=0, AV Events=0
Total Score=75

Signatures

antivm_queries_computername details
recon_fingerprint details
antivm_memory_available details
openprocess_nonchild details
allocates_rwx details
antivm_disk_size details
creates_shortcut details
privilege_luid_check details
nolookup_communication details

Screenshots

No screenshots available.

Static Analysis

Nothing to display.

Dropped Files

Nothing to display.

Network Analysis

Hosts Involved

DNS Requests

HTTP Requests

Behavior Summary

File-Read
  • C:\Windows\winsxs\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms
  • C:\Windows\win.ini
  • C:\Windows\Fonts\staticcache.dat
File-Opened
  • C:\Windows\winsxs\FileMaps\$$_syswow64_21ffbdd2a2dd92e0.cdf-ms
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\fusion.dll
  • C:\
  • C:\Users\Harry Dresden\AppData\Local\
  • C:\Windows\System32\msimsg.dll
  • C:\Windows\SysWOW64\msvcr100.dll
  • C:\Windows\System32\en-US\MsiMsg.dll.mui
  • C:\Users\
  • C:\Users\Harry Dresden\
  • C:\Users\Harry Dresden\AppData\
  • C:\Windows\Microsoft.NET\Framework64\
  • C:\Windows\SysWOW64\msvcp100.dll
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
  • C:\Windows\AppPatch\msimain.sdb
  • C:\Windows\win.ini
  • C:\Windows\System32\sxs.dll
  • C:\Users\Harry Dresden\AppData\Local\Temp\1a51fceb8a624ef6f67dd75ea9cbb2098ab47669.msi
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
  • C:\Windows\AppPatch\AppPatch64\sysmain.sdb
  • C:\Windows\Fonts\staticcache.dat
  • C:\Windows\System32\en-US\sxs.DLL.mui
  • C:\Windows\Globalization\Sorting\sortdefault.nls
  • C:\Windows\System32\
  • C:\Users\Harry Dresden\AppData\Local\Temp\
  • C:\Windows\System32\rsaenh.dll
Directory-Created
  • C:\MSI7b9fb.tmp
Directory-Removed
  • C:\MSI7b9fb.tmp
Registry Key-Opened
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\F60730A4A66673047777F5728467D401
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink\SystemLink
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\91915B2EA702BE34EA8737F3C976792C
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A
  • HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\KnownClasses
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InprocServer32
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\3B9BDCD28D6EBA44FA8D0640ABB297E0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}\Relative Files
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}\Registry Keys
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\9040580900063D11C8EF10054038389C
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\68AB67CA408033019195008142126436
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00006109C80000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\AppPatch
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\99E80CA9B0328e74791254777B1F42AE
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\96F071321C0420729002000010000000
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00002159F30090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\96F071321C0420729002000010000000
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\4EA42A62D9304AC4784BF230120776FF
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00006109F80000000100000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\4EA42A62D9304AC4784BF230120776FF
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\99E80CA9B0328e74791254777B1F42AE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\99E80CA9B0328e74791254777B1F42AE
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\Policy\
  • HKEY_CURRENT_USER\Interface\{000C101C-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\339F228ED07C4FC39AD227368BCAFC03
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\6414876250E69FF3395387C6C7F05BEB
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\00002159F30090400000000000F01FEC
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\9040580900063D11C8EF10054038389C
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\UpgradeCodes\347B0EAD0597A4F43A1181395D7D7CB5
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\68AB67CA408033019195008142126436
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\68AB67CA7DA73301B744BA0000000010
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\9040580900063D11C8EF10054038389C
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00006109C80090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101D-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\F60730A4A66673047777F5728467D401
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\91915B2EA702BE34EA8737F3C976792C
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00004159FA0090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\96F071321C0420729002000010000000
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\139C3899EB73E6C3DA23B8E687B98618
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\68AB67CA7DA73301B744BA0000000010
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\00006109C80000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00004159FA0090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\00006109C80090400000000000F01FEC
  • HKEY_CURRENT_USER\Interface\{000C101D-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00006109C80090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\3B9BDCD28D6EBA44FA8D0640ABB297E0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\00004159FA0090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\TreatAs
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00006109C80000000000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\68AB67CA7DA73301B744BA0000000010
  • HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\6414876250E69FF3395387C6C7F05BEB
  • HKEY_CURRENT_USER\Software\Microsoft\.NETFramework
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\InProgress
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\v4.0
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\00006109F80000000100000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Cryptography
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\UpgradeCodes\347B0EAD0597A4F43A1181395D7D7CB5
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\4EA42A62D9304AC4784BF230120776FF
  • HKEY_CURRENT_USER\Software\Microsoft\Installer\Products\00006109F80000000100000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Offload
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\91915B2EA702BE34EA8737F3C976792C
  • HKEY_CURRENT_USER\CLSID\{000C103E-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\3B9BDCD28D6EBA44FA8D0640ABB297E0\InstallProperties
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\F60730A4A66673047777F5728467D401
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\3B9BDCD28D6EBA44FA8D0640ABB297E0
  • HKEY_CURRENT_USER\Control Panel\Desktop
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Sans Serif
  • HKEY_CLASSES_ROOT\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\Compatibility\msiexec.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101C-0000-0000-C000-000000000046}\ProxyStubClsid32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\139C3899EB73E6C3DA23B8E687B98618
  • HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\PnpLockdownFiles
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLEAUT
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\UpgradeCodes\347B0EAD0597A4F43A1181395D7D7CB5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\68AB67CA408033019195008142126436
  • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
  • HKEY_LOCAL_MACHINE\Software\Classes\Installer\Products\00002159F30090400000000000F01FEC
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\6414876250E69FF3395387C6C7F05BEB
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\Managed\S-1-5-21-3416602863-1947377224-293699093-1003\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\339F228ED07C4FC39AD227368BCAFC03
Registry Key-Read
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wbem
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\91915B2EA702BE34EA8737F3C976792C\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\com
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF230120776FF\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\FxsTmp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\DataFilePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\LogFiles
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Macromed
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142126436\PackageCode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\..
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wdi
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\UseLegacyV2RuntimeActivationPolicyDefaultValue
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\6414876250E69FF3395387C6C7F05BEB\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\.
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Dism
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Wat
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\139C3899EB73E6C3DA23B8E687B98618\1D5E3C0FEDA1E123187686FED06E995A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOrganization
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\339F228ED07C4FC39AD227368BCAFC03\1D5E3C0FEDA1E123187686FED06E995A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPSampledIn
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\EnableAnchorContext
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane10
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane11
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane12
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane13
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane14
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane15
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane16
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00006109C80090400000000000F01FEC\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00004159FA0090400000000000F01FEC\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\winevt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fusion\NoClientChecks
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\DriverStore
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch\v4.0.30319.00000\msi.dll\{462EF42B-ABA4-4eac-9843-9EED260F54D0}\Target Version
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\restore
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\F60730A4A66673047777F5728467D401\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\OnlyUseLatestCLR
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\WinBioDatabase
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\4EA42A62D9304AC4784BF230120776FF\PackageCode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Tasks
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00006109C80000000000000000F01FEC\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\91915B2EA702BE34EA8737F3C976792C\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\SPReview
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\migwiz
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Msdtc
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\inetsrv
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\GroupPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420729002000010000000\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sppui
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\PendingFileRenameOperations
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\catroot2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\DefaultLevel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\slmgr
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA408033019195008142126436\InstanceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00002159F30090400000000000F01FEC\InstanceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744BA0000000010\InstanceType
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Microsoft
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CommonFilesDir
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Speech
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00006109C80090400000000000F01FEC\InstanceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00006109C80000000000000000F01FEC\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SESSION MANAGER\SafeProcessSearchMode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\96F071321C0420729002000010000000\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32\ThreadingModel
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\MRT
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Setup
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\9040580900063D11C8EF10054038389C\InstanceType
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\CommonFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemPath%\SysWOW64\msvcr100.dll
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\migration
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\9040580900063D11C8EF10054038389C\PackageCode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\NetworkList
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\AdvancedInstallers
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\GWX
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOrganization
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\WMR\Disable
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\spool
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\winrm
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00002159F30090400000000000F01FEC\PackageCode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\oem
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\CLRLoadLogDir
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00006109F80000000100000000F01FEC\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ias
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\spp
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\appraiser
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RegisteredOwner
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\config
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\GroupPolicyUsers
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\IME
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C101D-0000-0000-C000-000000000046}\DllVersion\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\icsxml
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\oobe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\InstallRoot
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\SMI
  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Printing_Admin_Scripts
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\manifeststore
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Recovery
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\CodeIntegrity
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Srp\GP\RuleCount
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\catroot
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\WindowsPowerShell
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\NDF
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\Levels
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\99E80CA9B0328e74791254777B1F42AE\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\WinBioPlugIns
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\F60730A4A66673047777F5728467D401\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\Boot
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\WCN
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\D7314F9862C648A4DB8BE2A5B47BE100\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\CompatTel
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\LogFileName
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101D-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{000C103E-0000-0000-C000-000000000046}\InProcServer32\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\MUI
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\DataStore_V1.0\Disable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\0409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\68AB67CA7DA73301B744BA0000000010\PackageCode
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{000C101C-0000-0000-C000-000000000046}\ProxyStubClsid32\(Default)
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\EventProviders
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\wfp
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane8
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane9
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane6
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane7
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane4
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane5
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane3
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\Plane1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\99E80CA9B0328e74791254777B1F42AE\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\ras
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00006109F80000000100000000F01FEC\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\drivers
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\6414876250E69FF3395387C6C7F05BEB\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\PolicyScope
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Image Path
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\safer\codeidentifiers\SaferFlags
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\00004159FA0090400000000000F01FEC\PackageCode
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemPath%\SysWOW64\msvcp100.dll
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\InstanceType
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\sysprep
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
  • HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider\Type
Mutex-Accessed
  • Global\_MSIExecute

Processes

C:\Windows\system32\lsass.exe PID: 480, Parent PID: 384

"C:\Windows\System32\msiexec.exe" /I C:\Users\HARRYD~1\AppData\Local\Temp\1a51fceb8a624ef6f67dd75ea9cbb2098ab47669.msi PID: 2248, Parent PID: 2592

Volatility

Nothing to display.