Cuckoo Sandbox

File Winzip.exe

Size	487.9KB Resubmit sample
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`3f486bafb28ecccf2e30e66be03cd67a`
SHA1	`26d551235412ea166c31b01fe39b4bd30cff2a13`
SHA256	`d37d4bfb11505ee9c23c9b8efe92dd4428f7b51d75ff911fd38f682a2259d05e`
SHA512	`19b7dac17f89f8bffdae59232fbcbb257262ab12f1f04a8be4e7ed5e812199cf41b466da2164ca4c20e3a28cb76c2ba8b00800c15a91c8f6bc978f2c01926801`
CRC32	`E332C6F8`
ssdeep	`12288:nhxp3lZnT9bDuaI3bqMaOVu5L3Lya0QuwcMV:nJlh9bDuaIrHqLNPDb`
PDB Path	D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara	IsPE32 - IsWindowsGUI - IsPacked - Entropy Check HasOverlay - Overlay Check HasDebugData - DebugData Check HasRichSignature - Rich Signature Check PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net] PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)] PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0] PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8] PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat] PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite] PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System] Contains_PE_File - Detect a PE file inside a byte sequence anti_dbg - Checks if being debugged escalate_priv - Escalade priviledges screenshot - Take screenshot win_registry - Affect system registries win_token - Affect system token win_files_operation - Affect private profile contentis_base64 - This rule finds for base64 strings VC8_Microsoft_Corporation - Microsoft_Visual_Cpp_8 - CRC32_poly_Constant - Look for CRC32 [poly] RIPEMD160_Constants - Look for RIPEMD-160 constants SHA1_Constants - Look for SHA1 constants maldoc_function_prolog_signature - maldoc_structured_exception_handling - maldoc_suspicious_strings - maldoc_find_kernel32_base_method_1 -

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.2 out of 10.

Please notice: The scoring system is currently still in development and should be considered an alpha feature.

Information on Execution

Analysis
Compare analysis to ... Export analysis Reboot analysis

Category	Started	Completed	Duration	Logs
FILE	Nov. 18, 2018, 6:54 a.m.	Nov. 18, 2018, 6:58 a.m.	240 seconds

Machine

Name	Label	Started On	Shutdown On
win7x64	win7x64	2018-11-18 06:54:45	2018-11-18 06:58:45

Analyzer Log

2018-11-17 22:54:44,030 [analyzer] DEBUG: Starting analyzer from: C:\tsakcqnpjc
2018-11-17 22:54:44,124 [analyzer] DEBUG: Pipe server name: \\.\PIPE\ahwgKzQzWMqaOKxiYsSnYBc
2018-11-17 22:54:44,124 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\KliMPhipzktIBhuEiPBl
2018-11-17 22:54:44,124 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-11-17 22:54:44,124 [analyzer] INFO: Automatically selected analysis package "exe"
2018-11-17 22:54:45,887 [analyzer] DEBUG: Started auxiliary module Disguise
2018-11-17 22:54:46,401 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module Human
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module Reboot
2018-11-17 22:54:46,635 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-11-17 22:54:46,651 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-11-17 22:54:46,651 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-17 22:54:47,088 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\zamen\\AppData\\Local\\Temp\\Winzip.exe' with arguments '' and pid 2300
2018-11-17 22:54:47,650 [analyzer] DEBUG: Loaded monitor into process with pid 2300
2018-11-17 22:54:47,711 [analyzer] DEBUG: Received request to inject pid=2300, but we are already injected there.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,522 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-17 22:54:49,631 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,631 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-17 22:54:49,631 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,631 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-17 22:54:49,631 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,631 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-17 22:54:50,052 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,052 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-17 22:54:50,052 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,052 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-17 22:54:50,052 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,052 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-17 22:54:50,832 [modules.auxiliary.human] INFO: Found button "Install", clicking it
2018-11-17 22:58:12,430 [analyzer] INFO: Added new file to list with pid 2300 and path C:\Windows\reg\registery.reg
2018-11-17 22:58:12,463 [analyzer] INFO: Added new file to list with pid 2300 and path C:\Windows\reg\Registry.exe
2018-11-17 22:58:35,253 [analyzer] INFO: Process with pid 2300 has terminated
2018-11-17 22:58:35,253 [analyzer] INFO: Process list is empty, terminating analysis.
2018-11-17 22:58:36,267 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-11-17 22:58:36,267 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-11-18 06:54:45,244 [lib.cuckoo.core.scheduler] INFO: Task #68: acquired machine win7x64 (label=win7x64)
2018-11-18 06:54:45,273 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 5033 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/68/dump.pcap)
2018-11-18 06:54:52,685 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-11-18 06:58:45,096 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-11-18 06:58:48,375 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-11-18 06:59:05,590 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fe64e4029d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-18 06:59:05,650 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fe64e402310>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-18 06:59:05,652 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fe64e4020d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-18 06:59:05,652 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fe64e402c90>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-18 06:59:05,653 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7fe64e402c90>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7fe64e402c90>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable has a PDB path (1 event)

pdb_path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

The executable has PE anomalies (could be a false positive) (1 event)

section

.gfids

Creates executable files on the filesystem (2 events)

file	C:\Windows\reg\registery.reg
file	C:\Windows\reg\Registry.exe

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.gc
CrowdStrike	malicious_confidence_60% (D)

Screenshots

No screenshots available.

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process Winzip.exe (2300)

Opened files
- C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- C:\Windows\Globalization\Sorting\sortdefault.nls
- C:\Users\zamen\AppData\Local\Temp\Winzip.exe
- C:\Windows\win.ini
- C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- C:\Windows\reg
- C:\Windows\System32\ntmarta.dll
- C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
Written files
- C:\Windows\reg\registery.reg
- C:\Windows\reg\Registry.exe
Files Read
- C:\Users\zamen\AppData\Local\Temp\Winzip.exe
- C:\Windows\win.ini

Process Winzip.exe (2300)

Registry keys opened
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Zoom
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
- HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\about\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
- HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_READ_ZONE_STRINGS_FROM_REGISTRY
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Adv AddrBar Spoof Detection
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts
- HKEY_LOCAL_MACHINE\Software
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IEDDE_REGISTER_URLECHO
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Settings
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DxTrans
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\Floppy Access
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
- HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\%s
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
- HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Zoom
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IPERSISTMONIKER_LOAD_REDIRECTED_URL_KB976425
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security
- HKEY_LOCAL_MACHINE\System\Setup
- HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/html
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615
- HKEY_CURRENT_USER\Software\Policies
- HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DxTrans
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_XSSFILTER
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Zoom
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\Adv AddrBar Spoof Detection
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\Feature_Enable_Compat_Logging
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Services
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SKIP_LEAK_CLEANUP_AT_SHUTDOWN_KB835183
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IGNORE_POLICIES_ZONEMAP_IF_ESC_ENABLED_KB918915
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Handler\res
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Services
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FEEDS
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONES_CHECK_ZONEMAP_POLICY_KB941001
- HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\*\
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CodePage
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Suggested Sites
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\International\Scripts
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Accepted Documents
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Suggested Sites
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
- HKEY_CURRENT_USER\Software\Microsoft\Ftp
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Activities
- HKEY_CURRENT_USER\Software
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IEDDE_REGISTER_PROTOCOL
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Activities
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Ftp
- HKEY_LOCAL_MACHINE\Software\Policies
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Feed Discovery
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
- HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\MediaTypeClass
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_FEEDS
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION
- HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom
- HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Handler\about
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Feed Discovery
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Ratings
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DOCUMENT_COMPATIBLE_MODE
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118
Registry keys written
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
Registry keys read
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Language Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SmartDithering
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118\CacheRepair
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Always Use Tab
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewAlphaSelect
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Hotkey
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SSLUX\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\TIP\{0000897b-83df-4b96-be07-0fb58b01c4a4}\LanguageProfile\0x00000000\{0001bea3-ed56-483d-a2e2-aeae25577436}\Enable
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Default_CodePage
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\Default_IEFontSizePrivate
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AcceptLanguage
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseHostnameAsAlias
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector\VML
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_XSSFILTER\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HideFolderVerbs
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\TurnOffSPIAnimations
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\UseDropHandler
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheRepair
- HKEY_LOCAL_MACHINE\SYSTEM\Setup\SystemSetupInProgress
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollDelay
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameTabWindow
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\AutoDetect
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION\*
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Anchor Color
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Anchor Underline
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\RecommendedLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING\Winzip.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFontSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CTF\EnableAnchorContext
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheLimit
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SmoothScroll
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\UseOldHostResolutionOrder
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118\CacheLimit
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups\1
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\DisableImprovedZoneCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CacheLimit
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector\IE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Feed Discovery\Sound
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Move System Caret
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\AccListViewV6
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsFORDISPLAY
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2000
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\No3DBorder
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\RecommendedLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\AdminTabProcs
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Print_Background
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\MinLevel
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SessionMerging
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\MinLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\RecommendedLevel
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Display Inline Videos
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Url History\DaysToKeep
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsParseDisplayName
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Page_Transitions
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2106
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Anchor Color Visited
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsFORPARSING
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SSLUX\*
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\XDomainRequest
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\MapNetDriveVerbs
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\crypt32\DebugHeapFlags
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Segoe UI
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInset
- HKEY_CURRENT_USER\Keyboard Layout\Toggle\Layout Hotkey
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Allow Programmatic Cut_Copy_Paste
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameTabWindow
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Disable Visited Hyperlinks
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\*
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\MinLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\XDomainRequest
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\PerUserItem
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\MinLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Display Inline Images
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\MinLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Version Vector\WindowsEdition
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\FirstEntry
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\SessionStartTimeDefaultDeltaSecs
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_HANDLING\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\*
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Zoom\ZoomDisabled
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about\CLSID
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePath
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\AutoSuggest
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\MaxRenderLine
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_XSSFILTER\*
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FrameMerging
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FEEDS\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\LDAP\LdapClientIntegrity
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\DisableSecuritySettingsCheck
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Always Use My Colors
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsAliasedNotifications
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FrameMerging
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Anchor Color Hover
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\QueryForInfoTip
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Always Use My Font Face
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IsTextPlainHonored
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheRepair
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInterval
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{871C5380-42A0-1069-A2EA-08002B30309D}
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\Attributes
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Signature
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HideInWebView
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollInset
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\00000409
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CacheOptions
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Icon
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFontSizePrivate
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs\blank
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\RecommendedLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\DOMStorage
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118\CachePath
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheOptions
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePrefix
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ABOUT_PROTOCOL_IE7\Winzip.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Cleanup HTCs
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\*
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragScrollDelay
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Q300829
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ZONE_ELEVATION\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\QueryForOverlay
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ScrollInterval
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\PerUserItem
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CacheLimit
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Play_Animations
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\TabProcGrowth
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SmoothScroll
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2017
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\MiscFlags
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ProtectedModeOffForAllZones
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\*
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\res\CLSID
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Display Inline Videos
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings\Always Use My Font Size
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Services\SelectionActivityButtonDisable
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld\CachePrefix
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CacheLimit
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HasNavigationEnum
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesRecycleBin
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK\Winzip.exe
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Use Stylesheets
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\ExtendedLocale\en-US
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Show image placeholders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPropertiesMyComputer
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\LastEntry
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorSystemHeapIsPrivate
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\RtfConverterFlags
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseHR
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\PerUserItem
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CodePage\950
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\No3DBorder
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\DOMStorage
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\NoFileFolderJunction
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SmartDithering
- HKEY_CURRENT_USER\Software\Microsoft\FTP\Use Web Based FTP
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\AutoComplete\Client\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\UseDoubleClickTimer
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\SessionMerging
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\EnableBalloonTips
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32\LoadWithoutCOM
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat\CachePath
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Expand Alt Text
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\AdminTabProcs
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Print_Background
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CreateUriCacheSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SQMClient\Windows\CEIPEnable
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Force Offscreen Composition
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\HideOnDesktopPerUser
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\PageAllocatorUseSystemHeap
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\WantsUniversalDelegate
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Shell.Explorer\CLSID\(Default)
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Page_Transitions
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UrlEncoding
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\PageSetup\Print_Background
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\DisableCachingOfSSLPages
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\NavigationDelay
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32\(Default)
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\CustomLocale\en-US
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEFixedFontName
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\PinToNameSpaceTree
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118\CacheOptions
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Enable AutoImageResize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Icon
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MSHTML_AUTOLOAD_IEFRAME\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FEEDS\Winzip.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2700
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseThemes
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\RecommendedLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Show image placeholders
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
- HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable AutoImageResize
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
- HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
- HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\RestrictedAttributes
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING\*
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseClearType
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\XMLHTTP
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500
- HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CSS_Compat
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118\CachePrefix
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500
- HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\Winzip.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags

Process Winzip.exe (2300)

Mutexes accessed
- Local\ZonesCacheCounterMutex
- Local\ZoneAttributeCacheCounterMutex
- Local\ZonesCounterMutex
- Local\ZonesLockedCacheCounterMutex

Process Winzip.exe (2300)

Directories created
- C:\Windows\reg
- C:\Windows
Directories enumerated
- C:\Users\zamen\AppData\Local\Temp\Winzip.exe

Process Winzip.exe (2300)

DLLs Loaded
- IEFRAME.dll
- ext-ms-win-kernel32-package-current-l1-1-0
- C:\Windows\system32\riched20.dll
- urlmon.dll
- kernel32
- mshtml.dll
- apphelp.dll
- gdi32.dll
- kernel32.dll
- UxTheme.dll
- C:\Windows\system32\rsaenh.dll
- C:\Windows\system32\ole32.dll
- C:\Windows\system32\sfc_os.dll
- dwmapi.dll
- C:\Windows\system32\DXGIDebug.dll
- <pi-ms-win-core-localization-l1-2-1
- C:\Windows\system32\Msimtf.dll
- OLEAUT32.dll
- C:\Windows\syswow64\MSCTF.dll
- WININET.dll
- <pi-ms-win-core-fibers-l1-1-1
- api-ms-win-appmodel-runtime-l1-1-1
- MLANG.dll
- comctl32
- ole32.dll
- comctl32.dll
- USER32.dll
- IMM32.dll
- C:\Windows\system32\cryptbase.dll
- C:\Windows\system32\IMM32.DLL
- C:\Windows\system32\dwmapi.dll
- C:\Windows\system32\Crypt32.dll
- C:\Windows\system32\version.dll
- SHELL32.dll
- C:\Windows\system32\SSPICLI.DLL
- COMCTL32.dll
- oleaut32.dll
- SHLWAPI.dll
- C:\Windows\system32\shell32.dll
- GDI32.dll
- <pi-ms-win-core-synch-l1-2-0
- advapi32
- C:\Windows\system32\UXTheme.dll

PE Compile Time

2016-08-14 15:15:49

PDB Path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Sections

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00001000	0x0002dfe8	0x0002e000	6.71024514176
.rdata	0x0002f000	0x000099d0	0x00009a00	5.15286519013
.data	0x00039000	0x0001f8b8	0x00000c00	3.29546719393
.gfids	0x00059000	0x000000f0	0x00000200	2.12366990435
.rsrc	0x0005a000	0x00004680	0x00004800	4.63811395267
.reloc	0x0005f000	0x00001f8c	0x00002000	6.62985537968

Imports

Library KERNEL32.dll:

• 0x42f000 GetLastError

• 0x42f004 SetLastError

• 0x42f008 GetCurrentProcess

• 0x42f00c DeviceIoControl

• 0x42f010 SetFileTime

• 0x42f014 CloseHandle

• 0x42f018 CreateDirectoryW

• 0x42f01c RemoveDirectoryW

• 0x42f020 CreateFileW

• 0x42f024 DeleteFileW

• 0x42f028 CreateHardLinkW

• 0x42f02c GetShortPathNameW

• 0x42f030 GetLongPathNameW

• 0x42f034 MoveFileW

• 0x42f038 GetFileType

• 0x42f03c GetStdHandle

• 0x42f040 WriteFile

• 0x42f044 ReadFile

• 0x42f048 FlushFileBuffers

• 0x42f04c SetEndOfFile

• 0x42f050 SetFilePointer

• 0x42f054 SetFileAttributesW

• 0x42f058 GetFileAttributesW

• 0x42f05c FindClose

• 0x42f060 FindFirstFileW

• 0x42f064 FindNextFileW

• 0x42f068 GetVersionExW

• 0x42f06c GetCurrentDirectoryW

• 0x42f070 GetFullPathNameW

• 0x42f074 FoldStringW

• 0x42f078 GetModuleFileNameW

• 0x42f07c GetModuleHandleW

• 0x42f080 FindResourceW

• 0x42f084 FreeLibrary

• 0x42f088 GetProcAddress

• 0x42f08c GetCurrentProcessId

• 0x42f090 ExitProcess

• 0x42f094 SetThreadExecutionState

• 0x42f098 Sleep

• 0x42f09c LoadLibraryW

• 0x42f0a0 GetSystemDirectoryW

• 0x42f0a4 CompareStringW

• 0x42f0a8 AllocConsole

• 0x42f0ac FreeConsole

• 0x42f0b0 AttachConsole

• 0x42f0b4 WriteConsoleW

• 0x42f0b8 GetProcessAffinityMask

• 0x42f0bc CreateThread

• 0x42f0c0 SetThreadPriority

• 0x42f0c4 InitializeCriticalSection

• 0x42f0c8 EnterCriticalSection

• 0x42f0cc LeaveCriticalSection

• 0x42f0d0 DeleteCriticalSection

• 0x42f0d4 SetEvent

• 0x42f0d8 ResetEvent

• 0x42f0dc ReleaseSemaphore

• 0x42f0e0 WaitForSingleObject

• 0x42f0e4 CreateEventW

• 0x42f0e8 CreateSemaphoreW

• 0x42f0ec GetSystemTime

• 0x42f0f0 SystemTimeToTzSpecificLocalTime

• 0x42f0f4 TzSpecificLocalTimeToSystemTime

• 0x42f0f8 SystemTimeToFileTime

• 0x42f0fc FileTimeToLocalFileTime

• 0x42f100 LocalFileTimeToFileTime

• 0x42f104 FileTimeToSystemTime

• 0x42f108 GetCPInfo

• 0x42f10c IsDBCSLeadByte

• 0x42f110 MultiByteToWideChar

• 0x42f114 WideCharToMultiByte

• 0x42f118 GlobalAlloc

• 0x42f11c GetTickCount

• 0x42f120 SetCurrentDirectoryW

• 0x42f124 GetExitCodeProcess

• 0x42f128 GetLocalTime

• 0x42f12c MapViewOfFile

• 0x42f130 UnmapViewOfFile

• 0x42f134 CreateFileMappingW

• 0x42f138 OpenFileMappingW

• 0x42f13c GetCommandLineW

• 0x42f140 SetEnvironmentVariableW

• 0x42f144 ExpandEnvironmentStringsW

• 0x42f148 GetTempPathW

• 0x42f14c MoveFileExW

• 0x42f150 GetLocaleInfoW

• 0x42f154 GetTimeFormatW

• 0x42f158 GetDateFormatW

• 0x42f15c GetNumberFormatW

• 0x42f160 RaiseException

• 0x42f164 GetSystemInfo

• 0x42f168 VirtualProtect

• 0x42f16c VirtualQuery

• 0x42f170 LoadLibraryExA

• 0x42f174 IsProcessorFeaturePresent

• 0x42f178 IsDebuggerPresent

• 0x42f17c UnhandledExceptionFilter

• 0x42f180 SetUnhandledExceptionFilter

• 0x42f184 GetStartupInfoW

• 0x42f188 QueryPerformanceCounter

• 0x42f18c GetCurrentThreadId

• 0x42f190 GetSystemTimeAsFileTime

• 0x42f194 InitializeSListHead

• 0x42f198 TerminateProcess

• 0x42f19c RtlUnwind

• 0x42f1a0 EncodePointer

• 0x42f1a4 InitializeCriticalSectionAndSpinCount

• 0x42f1a8 TlsAlloc

• 0x42f1ac TlsGetValue

• 0x42f1b0 TlsSetValue

• 0x42f1b4 TlsFree

• 0x42f1b8 LoadLibraryExW

• 0x42f1bc QueryPerformanceFrequency

• 0x42f1c0 GetModuleHandleExW

• 0x42f1c4 GetModuleFileNameA

• 0x42f1c8 GetACP

• 0x42f1cc HeapFree

• 0x42f1d0 HeapAlloc

• 0x42f1d4 HeapReAlloc

• 0x42f1d8 GetStringTypeW

• 0x42f1dc LCMapStringW

• 0x42f1e0 FindFirstFileExA

• 0x42f1e4 FindNextFileA

• 0x42f1e8 IsValidCodePage

• 0x42f1ec GetOEMCP

• 0x42f1f0 GetCommandLineA

• 0x42f1f4 GetEnvironmentStringsW

• 0x42f1f8 FreeEnvironmentStringsW

• 0x42f1fc GetProcessHeap

• 0x42f200 SetStdHandle

• 0x42f204 HeapSize

• 0x42f208 GetConsoleCP

• 0x42f20c GetConsoleMode

• 0x42f210 SetFilePointerEx

• 0x42f214 DecodePointer

!This program cannot be run in DOS mode.
?rRich
`.rdata
@.data
.gfids
@.rsrc
@.reloc
D$(^VQP
tCSj\Yj_[f9
E8QQQQP
E@_^[d
E _^[d
t,j.Xj\f
D$$EUj
@u;j'Yj
UUj _W
ulWj@X;
L$(9|$ 
u]f9>u!
f9.tDj.
t:j_[f9^
u*8O_t
jPXf9E
_^][YY
t)WPUS
f9u)f9_
j.[]f9
WVj\^f97uMf9w
v9Uj.]
Cj\Xf9
t=j ]f;
f9.t[S
u/j0]f
YY_^][
D$$uz
D$(;D$0
D$<+L$4Q
QQSUVW
_^][YY
YY_^][
SVWj\_W
L$<+L$4
|$@A+|$8
D$dVPW
jd^+L$<
|$4Pjd
E(3D$h
],3\$p
D$@3E$3u
3T$T3t$X3\$\3D$`
?vWUj@[+
t$ PQV
tPWj@_+
\$|AUV3
r=R]Wf
Ft;Fpt
A@9G0s.
QQSUVW
_^][YY
D$ SUV
!Np+Fp#
s2;Vpt-
D$0;D$
9\$ v9
;Fx~_2
;Ex~]2
@v-9C0s
Gt_^][
t$09KH
D$(PtW
t$0;sH
kt;sHs
L$09KHvG
s?9Ntt:
Fp9|$ sP
Fp9|$ sP
T$$;l$
j Y+L$
s2;Opt-
j Y+L$
Gp9t$ sP
D$$PjD
ZuDf9V
,__f9~
v&j Yf;
tSf;L$
D$ j Zf
D$,+D$$PV
QD9] t
D$XXVVf
$SUVWj
f9(t>SVj\[
j"Zj,2
t$,SWV
f98t=V
D$$PUV
.u&f9w
YYj"XP
YYj"[f9
tfj"]f9+u
f9(tSVWS
\SUVWjh
UWj<_W
<Ff9<F
 f9<Fu
QRPh4sC
QRPhTsC
QRPhtsC
QQSVWd
URPQQh0
;t$,v-
UQPXY]Y[
Tt1jhZ;
t0jXXf
~$+~8+
F2jgYf;
u0jAXf;
u0jAXf;
Wj0XPV
PPPPPWS
PP9E u:PPVWP
TVhX'C
WWWPWS
u-PWWS
SSVWh 
f9:t!V
QQSWj0j@
PPPPPPPP
*messages***
CryptProtectMemory
CryptUnprotectMemory
xlistpos
SetDllDirectoryW
SetDefaultDllDirectories
Unknown exception
bad allocation
COMCTL32.dll
SHLWAPI.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
bad array new length
Main Invoked.
Main Returned.
bad exception
EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
 delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
 new[]
 delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator "" 
 Type Descriptor'
 Base Class Descriptor at (
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`h````
xpxxxx
(null)
CorExitProcess
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetCurrentPackageId
LCMapStringEx
LocaleNameToLCID
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
?5Wg4p
%S#[k=
"B <1=
_hypot
_nextafter
InvokeMainViaCRT
"Main Invoked."
FileName
ExitMainViaCRT
"Main Returned."
FileName
Microsoft.CRTProvider
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.didat$5
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
InitCommonControlsEx
SHAutoComplete
ShowWindow
GetDlgItem
EnableWindow
SetWindowPos
GetSystemMetrics
SetWindowTextW
GetWindowTextW
GetClientRect
GetWindowRect
GetWindowLongW
SetWindowLongW
SetProcessDefaultLayout
GetWindow
LoadStringW
OemToCharBuffA
CharUpperW
GetMessageW
TranslateMessage
DispatchMessageW
PeekMessageW
DefWindowProcW
RegisterClassExW
CreateWindowExW
IsWindow
DestroyWindow
UpdateWindow
MapWindowPoints
CopyRect
GetParent
LoadCursorW
ReleaseDC
MessageBoxW
FindWindowExW
GetClassNameW
wvsprintfW
SendMessageW
PostMessageW
WaitForInputIdle
IsWindowVisible
DialogBoxParamW
EndDialog
SetDlgItemTextW
GetDlgItemTextW
SendDlgItemMessageW
SetFocus
SetForegroundWindow
GetSysColor
LoadBitmapW
LoadIconW
DestroyIcon
IsDialogMessageW
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDeviceCaps
SelectObject
StretchBlt
CreateDIBSection
GetObjectW
GetOpenFileNameW
GetSaveFileNameW
CommDlgExtendedError
OpenProcessToken
AdjustTokenPrivileges
SetFileSecurityW
LookupPrivilegeValueW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SHGetMalloc
SHGetPathFromIDListW
SHBrowseForFolderW
SHFileOperationW
ShellExecuteExW
SHGetFileInfoW
SHGetFolderLocation
SHChangeNotify
CreateStreamOnHGlobal
CoCreateInstance
CLSIDFromString
OleInitialize
OleUninitialize
SystemFunction036
sfxrar.exe
GetLastError
SetLastError
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
CreateDirectoryW
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
GetVersionExW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
GetCurrentProcessId
ExitProcess
SetThreadExecutionState
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
GetTickCount
SetCurrentDirectoryW
GetExitCodeProcess
GetLocalTime
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
KERNEL32.dll
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
RtlUnwind
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
HeapReAlloc
GetStringTypeW
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
SetStdHandle
HeapSize
GetConsoleCP
GetConsoleMode
SetFilePointerEx
DecodePointer
 (08@P`p
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
                          
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AW4RAR_EXIT@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
.?AVbad_array_new_length@std@@
.?AVbad_exception@std@@
/'[,\\0]^_\\\Q
RSTU0VWXYZH
IJKL=MNOPQ
'A,4;BC
:(,4;<=>;?@
3,45657879
 !"#$%&
{{{{{{{{{
wwwwwwww
8888888888{x7
8888888888887
ddddddd
dddddddd
rrrrrrr
rrrrrrr
rrrrrrr
~vrrrrr
rrrrrrr
~vrrrrs
rrrrrrr
~vrrrrs
rrrrrmm
mmrrrrs
rrrrrr
rrrrrrr
yrrrps
rrrrrrrr
yrrrpps
rrrrrrrrrrrrrppps
kkkkkkkkkkkjhjjjo
tqmxzz
aaaaaaaaaaaaaaaaaaaaf~leQmux
JJJJJJJJJJJJJJJJJJJaieQRamu
''''''''''''''''''DaJKHPam
"(GLOa
\\`Ve}b
YVXc~c
WwS7'u
gwS37%w`
WwR"'P
Wwgu"'P
g33WwQ
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
  version="1.0.0.0"
  processorArchitecture="*"
  name="WinRAR SFX"
  type="win32"/>
<description>WinRAR SFX module</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
  <security>
    <requestedPrivileges>
      <requestedExecutionLevel level="asInvoker"            
      uiAccess="false"/>
    </requestedPrivileges>
  </security>
</trustInfo>
<dependency>
  <dependentAssembly>
    <assemblyIdentity
      type="win32"
      name="Microsoft.Windows.Common-Controls"
      version="6.0.0.0"
      processorArchitecture="*"
      publicKeyToken="6595b64144ccf1df"
      language="*"/>
  </dependentAssembly>
</dependency>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
  <application>
    <!--The ID below indicates application support for Windows Vista -->
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
    <!--The ID below indicates application support for Windows 7 -->
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
    <!--The ID below indicates application support for Windows 8 -->
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
    <!--The ID below indicates application support for Windows 8.1 -->
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
    <!--The ID below indicates application support for Windows 10 -->
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
  </application>
</compatibility>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
    <dpiAware>true</dpiAware>
  </asmv3:windowsSettings>
</asmv3:application>
</assembly>
1`2j2t2~2
<='>a>
1K1x1Z2
=`=n=s=
=*>W>i>
;P<s<%=5=B=F>n>|>
01p1a2
5$5.5=5
=%>_>q>
2!393>3D3K3Q3
0l1%343v9J;R;l;
50575>5
:$:,:;:
=!=/=8=U=[=k=q=
=N>U>\>c>j>q>x>
?J?o?v?}?
0$0+02090@0_0f0m0t0|0
0a2h2t2
3"343>3
4%4,4=4J4_4f4t4
505B5Q5a5v5
5I7T7[7i7=8L8[8j8y8
;);X;];};
:#:(:C:K:s:|:
;$;,;4;<;D;L;T;_;j;u;
<%<0<;<F<Q<\<g<r<}<
?4?>?E?k?r?}?
00/0F0K0
272B2G2t2
3(3E3_3f3
4>4S4Z4
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
(60656H6P6U6p6
B:X;==r=
/464n5u5
2O2c2j2q2x2
526=6H6k6
829I9h9
9I:[:s:|:
=8=U=\=
>*>F>O>]>n>
J0R0X0l0
081D1S1[1a1g1{1
3(4.4W4
5;5K5\5p5
8(8;8X8e8m8s8w8
9J:g:w:
:!;E;{;
>'>1>;>Y>
??'?.?9?J?Z?p?
;0F0M0U0e0p0}0
1$1-191F1T1Z1e1v1
1$2k2y2
3$3/3B3}3
4,4b4v4
575J5X5g5v5~5
6#6)6o6x6~6
7%717<7H7_7r7x7
8&838V8g8u8
9959v9
C0^0u0
151X1i1
1L2W2w2
2B3g3w3
4%4+464<4a4f4q4}4
5*505d5x5\6c6j6y6
7(7<7G9W9
:f:j:n:r:v:z:~:
:*;0;6;E;M;[;k;v;
=3=J=]=
?5?D?V?i?p?z?
0$0-0C0K0f0k0w0|0
121B1V1`1p1
1%2+2t2
3 3%3*353;3@3F3W3^3
4(434>4W4
5"5D5I5Y5g5y5
696U6^6i6o6u6}6
7"7-757A7G7N7[7g7t7~7
8"8,868@8J8T8^8h8r8|8
9&909:9D9N9X9b9l9v9
:':1:;:E:O:Y:c:m:w:
;,;6;@;J;T;^;h;r;
<'<-<3<<<C<i<~<
<8=>=L=[=a=h=q=
>,>=>J>c>x>
>6?`?k?
0(0.0C0
5&525B5S5y5
6%6L6T6m6
;*;G;\;a;~;
<'=0===H=Q=d=
=C>b>l>}>
?M?b?}?
0'0M0V0\0d0i0
1%1,131:1A1H1P1X1`1l1u1z1
33465G5
> >$>(>,>0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>
4"5S6$777U7c7
9H9O9T9X9\9`9
? ?C?S?k?
020T0b0
1,1@1\1f1p1~1
1=1K1R1X1w1
242C2O2]2
3L3Q3V3
474C4H4M4t4
5*5/5L5
556O6X6
7D<M<U<U=g=
>,?0?4?8?<?@?D?H?
4!4%4)4-4145494=4A4E4I4
;%;.;4;>;C;H;M;
?/?K?o?
2+202<2A2R2
3 323M3
7.8F8s8
=#=/=H=[=
>)>7>>>F>_>q>}>
>#?W?~?
2-333I374A4N4
;J;[;v;
<><O<d<n<
7$707<7J7Z7o7
8"8*858K8
;y<s=F>h>
?,?4?p?
0*0<0G0L0Q0l0v0
1"1>1I1N1S1q1{1
3#3(3-3O3]3l3
6:7a7j8
939Q9[9l9q9
=3=8=C=W=b=y=
11282B2Q2u2
3&434@4M4d4+5
7[7j7x7
9+9=9O9a9s9
:$:6:H:
>)?b?x?
)313h3o3
>$>+>2>}>
262G2w2,3
:-;G;T;
>E>l>w>
>5?T?j?t?
 0I0r0
171`1|1
797N7_7
9":,:G:
>Y?a?i?q?y?
0!0-090Y0
8.8S8_8k8~8
8%919=9I9\9
5d6j6o6z6
;5<?<T<o<
=5=G=\=n=
?*?G?\?q?
2$2(2,2024282<2@2D2H2L2X2\2`2d2h2l2x2|2
0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0h0l0p0t0x0|0
9(9,9P9t9x9|9
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;x;|;
< <$<(<,<0<4<8<<<@<D<H<L<P<T<X<\<`<d<h<l<p<t<x<|<
4 9$9(9,9094989<9@9D9H9L9P9T9X9\9`9d9h9l9p9t9x9|9
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
2$2,242<2D2L2T2\2d2l2t2|2
3$3,343<3D3L3T3\3d3l3t3|3
4$4,444<4D4L4T4\4d4l4t4|4
5$5,545<5D5L5T5\5d5l5t5|5
6$6,646<6D6L6T6\6d6l6t6|6
7$7,747<7D7L7T7\7d7l7t7|7
8$8,848<8D8L8T8\8d8l8t8|8
3 3(30383@3H3P3X3`3h3p3x3
4 4(40484@4H4P4X4`4h4p4x4
5 5(50585@5H5P5X5`5h5p5x5
6 6(60686@6H6P6X6`6h6p6x6
7 7(70787@7H7P7X7`7h7p7x7
8 8(80888@8H8P8X8`8h8p8x8
9 9(90989@9H9P9X9`9h9p9x9
>$>,>4><>D>L>T>\>d>l>t>|> ?$?4?8?@?X?h?l?|?
0$0<0L0P0`0d0h0p0
7(707<7\7h7
8D8L8T8p8x8
90989D9d9l9x9
:$:0:P:X:d:
;0;<;\;h;
<$<,<4<<<D<L<T<\<d<l<p<x<
=,=4=<=L=\=d=x=
>(>D>H>d>h>
?,?0?L?P?`?
0 0<0@0`0h0l0
1(1H1h1
2(2H2h2t2
0L1\1h1l1p1t1x1|1
3(383H3X3p3|3
9 9$9(9,9`9x9
: :$:(:,:0:4:<:D:H:L:T:X:\:`:d:h:l:p:t:|:
; ;$;(;,;0;4;8;<;@;D;H;L;P;T;X;\;`;d;h;l;p;t;|;
1gJ~^k^
ht"iPA9V%
registery.reg
Registry.exe
!vKaMS @"z
Go\#LB
X++o&
*I<k5\U
zxtscO
Z&1*ql\
`h@tkU?
@j9n&:
*!#u/"
3z/70e 
TnU[Hjg
~dzKdk
BeI:3"
)tpN9a
S:d3?_Fd
>[uxgI
Tc8||J
`q}33I
r.dDu:?
9ctSas
Q]am+s
nO$$[dE
ya]?$3
m7xB3P.
JjcT0Ex
Zh[s50
3_b=o6;
jknn/7
I3,&A;
j]}{i,
`=i+'E~s
NG&O=^&
o wx_7,..
g6hWIq+Gm
"%S<iKh
^^r]tp]s1[
<LOzWE
OkF "pO2
Ymzoz|
=F\glD
6G{((f
T2>,io
R-7aWh,-
zWKy+24
^w#.c{D
3vMS'4$oir-
v:WY1Q
^'SoU/p
'}cbG?
mq=Bi!
HFkye.bt
PxNPrN
s|d0ff
OWW^>?f
hT|Cd
hS_Vu:;
WAJhFk
h/6sZK
9HxMe%
x{/2"bs.dU
^U`]m*
r*(ANuB
:t\ q&
~_4a\Y
#J$ISO
6k!;Z#2
<7n[Sh
0'(RtI
,i$N.d
u|D4Zu
7afbJo4
T$Xw mN\
Zmr@&f
Ne[OaL
'm)(UG
P&/Ex~d 
K}}ye>
/SC$5Z
@z]PM4n)5
qxG4Dr I
@ zv{m
vV#6BI
aH<bXK
`Ic-|Y
Q Vn?7
P,BGqW
XK[-~
keAAt6
@|d#YD
<d5|i
NcD~S$
[?RJyb
D}eeM|
(@;I"y
Z^n.y*
BIm=Ib
MfPbeX
5,Bw(mLL!
c6[B%/
h.%qJa
p&yldy
e,,m{i+>3
!s/,0O
7$[Bs`
V%aape)~
2P2\Mph*
|6mJrN
7_ ?vf!wau
5[nV%<2
6MV|n`
h"Khbt
$v&v/+
a:l%j8=
8*4qs+
KemfPS?93
\T~e{:
_Vkw ;
ckJZH|)
5IIy:6
s%!?IF(
U8S"}L
F1([6e
/D<{~ 
ky{>eR
X+o9Re
Ut/W)
"~%;qq
+m?ooj
Y3("|f
7yVaTl
G43m|#s
e>-7te8%9q
.k;%^.Ndh
bld7b_T;{
Xlia%s
LZ/Dx~D
&Xx8c/
2xBGk2
XTJ4mZ'
j9<W{T
}`[/J'
k*qW|Q.
f<=TcY
jlSX&>
G+ tNv
USuoQ1
1NQ1,#
W:G_%!%-
sL?||y+
,E`;{2
%f.Hq"
B".(*-
3YU!BY-
Z#[29x
5]e'l&k
<hZ*nJ
uR9Fp\u)
~z+j4c
:?yJQr8
8oWZ1>
m&_cEp
I*_d{
$Unx:n.
{{6s1J
xg/2')a_
,9GneA
IBc'CV
S_RI/s
xE?Rvb
f[3Z#r
}A1 I[
.`gr#F^rC
qT:APA1
'fd@Y:
).7^g/
1W+;Tf"1qG
-T(1v 
|311{o:
;H`Y?(D
8GiVRa
HIR_9P
Er'Ui8
:Q: ]U
G9&B_V%
sh6"5_S
Ea$+[^-
(M5:;Y`
m;BF%o
$DIkz*
ig!smom
IxAtqp
8OUtU"c
^X)Q,mK
4X]}pT
v`GnwBp
:estG=
QoG)ZA
DX*'P$A
xqvC3
>n!t\i
3rUUiS
p2}53]
r6l\Bt
T6B70JB
FuhT[$
hS38fA
L8%}L4)
^ lEXj
tP*wTh 
Be3~Vu
~Bs5<A/6t
=2h b=
RUWO)|H
{saEnV#
aIG<g
iX(M'(
dU_<-2
qAZFZ.
C$Mub=T
@:U*QWny
Tc'Cey
#K:kOR
n>ZZVDE
K]HI$t
A\k,hvP
u^?TTS
;#^gg!/90Wl\DQ
o=54*:(x
2W $63
|&vu9H
"-E>S 
BP}.iW
!#u*/|
j4TdLz
DaHH]*
yms}q3
D#@0L
h_!`>
zx!|{a
@ea$"0,B
+}ur[7lI
Dn,RP\
v&1I.}
|iD(t 
!'_9TW
#5Q1R!
B_jIA*
XG#l:H
Rw-e4ix
A8{:|$
*[T<q2
rYDl*(
vkW1>E
KoeST'(RF
]4$P5'
q|xbw3MH
)p]`kG
AkBMrg
Rz\d,%
$.VS~X)
sAu{,x
NC%>Ds:@
R^\]#7
.vE"M&
)=#d"p!0
:F{Ay<
D%8xC*
+W; M_
0n/cJ?30t1
&o9A$u
%paF/3
:&@3&|!
_pPXIj
vz#/@/
r<*L7
qGCK,
EG|N-a{
* kTLT
4F=9ph
GsV"a=
HX`^1_l>`.
$8QZ$cK:
=l*3H7
z%?Q}iT
~j!tBH
HR17Oo
 53 )v
:s#7C1
VqYR>I
O9e1.K
@c7FD&
j|,Z'E
nS(OdX
sZ4:Nj
/%/JK[
-A>*Bn
r!43'
Qs4e7+
,AnW>{h
!V+=d#
1nGFb9|
Y,EgQs
$?~Rl<
6hd%m|
T1>4>9
<k86uu
6inB{uV
SgdHrOu
>p6%*Gn7
H&AK/Z
\^<OgS
B("V:`?
aK,*>n
.qZ7U:
\0|C[A,
[qd%R%
vadv#a
'L]x=f
XO*qW{
y[$jq<#!
&Rvhb[x
s,-g9<
G}.JOUP
bpsj*@
T5T*-<
MlW0]q
qA*CLO
AtV">pOP
T;mGO!
Dr5y<dzI
`L4:9q
$=BTCW
3O5ziU
WuP*L
?{)cUq1vtf`
-A>NgR
^(+v4+
z7#yM):
NVfhn 1
]v"!3A
|/A'Sy7
S~'d]z
{&rL,,
~"4Yc.
af%@"]Y
XmIA=w]Rim 'ru
~`lbJG
IK(AbF
_%Q.`2eT,
|Yj!<t
>cUM2#
xu+xl#
mi7wzu8
-wD'oU
}Nz`.
nUDRd;=
0THRj<Zk
\~F\[nx
+WW(`@
O6}Qd$
){6\^<Jq
s9B!m8
LD2| j
Q6|H7z
N5NP<U
|[/G&D
t@=n%z
LrpP0'
+)9:T+
LV.C/1
@nJafv
QNtnkY
8-pC#x
9>Ef\7
HT_WGQ
aHD:P6DI
qwPVzI
kf}*9/
}`h-lTa
[<h<-$
kqn$"w
PJxt~f
%N8cu:|
o0M+CO
,,v:/c
ZbWx=
\X*?)@
.%00)zK#zy^
l0%\OJU
nR*:e{
5qk)C~e
MhNNEh1
J={-aA
%v)Y~y
ae*HNS
%ddtd
nu^5eJ
k4bl$J
z">GN[
AYuvks
sIxc-?h
n]8Ov2O
#m`d=_9
dATy8 
$ago/_A9
3#~9,w,
yMlRZl+
O@m7)-
b:GlOBu
~"Ux6'
Ri|Gi=
&J~vr>
hC[:ib
8E'd'V
Lv3F8#
]m/6T6wm
jSxQ8h
|mp;~'
nka`~`
@Maximum allowed array size (%u) is exceeded
SeSecurityPrivilege
SeRestorePrivilege
SeCreateSymbolicLinkPrivilege
rtmp%d
__rar_
?*<>|"
*messages***
Crypt32.dll
CryptProtectMemory failed
CryptUnprotectMemory failed
kernel32
version.dll
DXGIDebug.dll
sfc_os.dll
SSPICLI.DLL
rsaenh.dll
UXTheme.dll
dwmapi.dll
cryptbase.dll
lpk.dll
usp10.dll
clbcatq.dll
comres.dll
ws2_32.dll
ws2help.dll
psapi.dll
ieframe.dll
ntshrui.dll
atl.dll
setupapi.dll
apphelp.dll
userenv.dll
netapi32.dll
shdocvw.dll
crypt32.dll
msasn1.dll
cryptui.dll
wintrust.dll
shell32.dll
secur32.dll
cabinet.dll
oleaccrc.dll
ntmarta.dll
profapi.dll
WindowsCodecs.dll
srvcli.dll
cscapi.dll
slc.dll
imageres.dll
dnsapi.DLL
iphlpapi.DLL
WINNSI.DLL
netutils.dll
mpr.dll
devrtl.dll
propsys.dll
mlang.dll
samcli.dll
samlib.dll
wkscli.dll
dfscli.dll
browcli.dll
rasadhlp.dll
dhcpcsvc6.dll
dhcpcsvc.dll
XmlLite.dll
linkinfo.dll
cryptsp.dll
RpcRtRemote.dll
aclui.dll
dsrole.dll
peerdist.dll
uxtheme.dll
Please remove %s from %s folder. It is unsecure to run %s until it is done.
CreateThread failed
WaitForMultipleObjects error %d, GetLastError %d
Thread pool initialization failed.
ARarHtmlClassName
Shell.Explorer
about:blank
<html>
<head><meta http-equiv="content-type" content="text/html; charset=
utf-8"></head>
</html>
<style>
</style>
<style>body{font-family:"Arial";font-size:12;}</style>
&nbsp;
riched20.dll
RarSFX
REPLACEFILEDLG
RENAMEDLG
%s %s %s
GETPASSWORD1
ASKNEXTVOL
winrarsfxmappingfile.tmp
sfxname
%4d-%02d-%02d-%02d-%02d-%02d-%03d
sfxstime
STARTDLG
sfxcmd
sfxpar
LICENSEDLG
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-p%s" "-sp%s"
Delete
Silent
Overwrite
TempMode
License
Presetup
Shortcut
SavePath
Update
SetupCode
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
ProgramFilesDir
%s%s%d
Install
Software\WinRAR SFX
STATIC
KERNEL32.DLL
Badvapi32
<pi-ms-win-core-fibers-l1-1-1
<pi-ms-win-core-synch-l1-2-0
(null)
mscoree.dll
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
         (((((                  H
      (                          
         (((((                  H
Capi-ms-win-appmodel-runtime-l1-1-1
<pi-ms-win-core-datetime-l1-1-1
<pi-ms-win-core-file-l2-1-1
<pi-ms-win-core-localization-l1-2-1
<pi-ms-win-core-localization-obsolete-l1-2-0
<pi-ms-win-core-processthreads-l1-1-2
<pi-ms-win-core-string-l1-1-0
<pi-ms-win-core-sysinfo-l1-2-1
<pi-ms-win-core-winrt-l1-1-0
<pi-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-kernel32-package-current-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
user32
Cja-JP
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
STARTDLG
REPLACEFILEDLG
RENAMEDLG
GETPASSWORD1
LICENSEDLG
ASKNEXTVOL
WinRAR self-extracting archive
MS Shell Dlg 2
&Destination folder
Bro&wse...
hRichEdit20W
Installation progress
jmsctls_progress32
Install
Cancel
Confirm file replace
MS Shell Dlg 2
The following file already exists
Would you like to replace the existing file
with this one?
Yes to &All
&Rename
No to A&ll
&Cancel
Rename
MS Shell Dlg 2
Cancel
Rename file
Enter password
MS Shell Dlg 2
&Enter password for the encrypted file:
Cancel
License
MS Shell Dlg 2
Accept
Decline
Next volume is required
MS Shell Dlg 2
You need to have the following volume to continue extraction:
&Browse...
Insert a disk with this volume and press "OK" to try again or press "Cancel" to break extraction
Cancel
Select destination folder
Extracting %s
Skipping %s
Unexpected end of archiveThe file "%s" header is corrupt
Corrupt header is found
Main archive header is corrupt
%The archive comment header is corrupt
The archive comment is corrupt
Not enough memory
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %sHChecksum error in the encrypted file %s. Corrupt file or wrong password.
Checksum error in %s Packed data checksum error in %s
5Write error in the file %s. Probably the disk is full
Read error in the file %s
File close error
The required volume is absent
2The archive is either in unknown format or damaged
Extracting from %s
Next volume
The archive header is corrupt
ErroraErrors encountered while performing the operation
Look at the information window for more details
modified on
folder is not accessible
lSome files could not be created.
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
Please download a fresh copy and retry the installation
All files
E<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>E<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>6<li>Use <b>Browse</b> button to select the destination4folder from the folders tree. It can be also entered
manually.</li><br><br>8<li>If the destination folder does not exist, it will be
2created automatically before extraction.</li></ul>
The archive is corrupt
Extracting files to %s folder$Extracting files to temporary folder
Extract
Extraction progress
=Total path and file name length must not exceed %d characters
Unknown encryption method in %s$The specified password is incorrect.
Cannot copy %s to %s.
Cannot create symbolic link %s
Cannot create hard link %s
AYou may need to run this self-extracting archive as administrator
Continue
Security warningKPlease remove %s from folder %s. It is unsecure to run %s until it is done.

Antivirus	Signature
Bkav	Clean
MicroWorld-eScan	Clean
CMC	Clean
CAT-QuickHeal	Clean
McAfee	Clean
Cylance	Clean
TheHacker	Clean
BitDefender	Clean
K7GW	Clean
K7AntiVirus	Clean
TrendMicro	Clean
Baidu	Clean
Babable	Clean
Cyren	Clean
Symantec	Clean
ESET-NOD32	Clean
TrendMicro-HouseCall	Clean
Paloalto	Clean
ClamAV	Clean
Kaspersky	Clean
Alibaba	Clean
NANO-Antivirus	Clean
ViRobot	Clean
SUPERAntiSpyware	Clean
Tencent	Clean
Ad-Aware	Clean
Trustlook	Clean
Sophos	Clean
F-Secure	Clean
DrWeb	Clean
Zillya	Clean
Invincea	heuristic
McAfee-GW-Edition	BehavesLike.Win32.Backdoor.gc
Emsisoft	Clean
Ikarus	Clean
F-Prot	Clean
Jiangmin	Clean
Webroot	Clean
Avira	Clean
Fortinet	Clean
Antiy-AVL	Clean
Kingsoft	Clean
Endgame	Clean
Arcabit	Clean
AegisLab	Clean
ZoneAlarm	Clean
Avast-Mobile	Clean
Microsoft	Clean
TACHYON	Clean
AhnLab-V3	Clean
VBA32	Clean
ALYac	Clean
MAX	Clean
Malwarebytes	Clean
Panda	Clean
Zoner	Clean
Rising	Clean
Yandex	Clean
SentinelOne	Clean
eGambit	Clean
GData	Clean
AVG	Clean
Cybereason	Clean
Avast	Clean
CrowdStrike	malicious_confidence_60% (D)
Qihoo-360	Clean

Process Tree

Winzip.exe (2300) "C:\Users\zamen\AppData\Local\Temp\Winzip.exe"

Search
Winzip.exe (2300)

Winzip.exe, PID: 2300, Parent PID: 2276

default registry file network process services synchronisation iexplore office pdf

Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source	Source Port	Destination	Destination Port
192.168.128.109	138	192.168.128.255	138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name	e3b0c44298fc1c14___tmp_rar_sfx_access_check_25265894
Size	0.0B
Type	empty
MD5	`d41d8cd98f00b204e9800998ecf8427e`
SHA1	`da39a3ee5e6b4b0d3255bfef95601890afd80709`
SHA256	`e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`
CRC32	`00000000`
ssdeep	`3::`
Yara	None matched
VirusTotal	Search for analysis

Name	8c468122a647e4d6_Registry.exe Download Submit file
Filepath	C:\Windows\reg\Registry.exe
Size	360.5KB
Processes	2300 (Winzip.exe)
Type	data
MD5	`b66874c9d84e3bd10ba753f1cdc18bd3`
SHA1	`2a9e9dc8b0a4c96b278dd500d9a67bde05512f38`
SHA256	`8c468122a647e4d6c39d23847565957705d56fc08aa7363652dcd43a178016f8`
CRC32	`61BBF941`
ssdeep	`3:F4IAKTWs4iv9lJF0s7Eq70G/l:XvTkilHj7GG/`
Yara	None matched
VirusTotal	Search for analysis

Name	4332b157d5081340_registery.reg Download Submit file
Filepath	C:\Windows\reg\registery.reg
Size	388.0B
Processes	2300 (Winzip.exe)
Type	8086 relocatable (Microsoft)
MD5	`576f5aa6715baaad6c2a8846ec1a5fae`
SHA1	`7d3b8b95602668cde3960ded1c4157204ab47f4e`
SHA256	`4332b157d5081340fc526469e40729826109a6213612a72159bc5b2f45204dcb`
CRC32	`C15DE1C9`
ssdeep	`6:vrToLE4MhZ/+wv3iWDGi4DBOF72dm7deBe/3dWpuLwCFf0Xl:vrTowZvS95dy0IdlNBFfsl`
Yara	None matched
VirusTotal	Search for analysis

Sorry! No dropped buffers.


Task ID	68
Mongo ID	5bf1540b11d3080b6a1c5c70
Cuckoo release	2.0-dev

File Winzip.exe

Score

Information on Execution

Analysis Compare analysis to ... Export analysis Reboot analysis

Machine

Analyzer Log

Cuckoo Log

Signatures

Screenshots

Network

DNS

Hosts

Summary

Process Winzip.exe (2300)

Process Winzip.exe (2300)

Process Winzip.exe (2300)

Process Winzip.exe (2300)

Process Winzip.exe (2300)

PE Compile Time

PDB Path

Sections

Imports

Process Tree

Hosts

DNS

TCP

UDP

HTTP & HTTPS Requests

ICMP traffic

IRC traffic

Suricata Alerts

Suricata TLS

Snort Alerts

Analysis
Compare analysis to ... Export analysis Reboot analysis