File Winzip.exe

Size 487.9KB
Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 3f486bafb28ecccf2e30e66be03cd67a
SHA1 26d551235412ea166c31b01fe39b4bd30cff2a13
SHA256 d37d4bfb11505ee9c23c9b8efe92dd4428f7b51d75ff911fd38f682a2259d05e
SHA512 19b7dac17f89f8bffdae59232fbcbb257262ab12f1f04a8be4e7ed5e812199cf41b466da2164ca4c20e3a28cb76c2ba8b00800c15a91c8f6bc978f2c01926801
CRC32 E332C6F8
ssdeep 12288:nhxp3lZnT9bDuaI3bqMaOVu5L3Lya0QuwcMV:nJlh9bDuaIrHqLNPDb
PDB Path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
Yara
  • IsPE32 -
  • IsWindowsGUI -
  • IsPacked - Entropy Check
  • HasOverlay - Overlay Check
  • HasDebugData - DebugData Check
  • HasRichSignature - Rich Signature Check
  • PEiD_00497_dUP_v2_x_Patcher_____www_diablo2oo2_cjb_net_ - [dUP v2.x Patcher --> www.diablo2oo2.cjb.net]
  • PEiD_00810_FSG_v1_10__Eng_____dulek_xt_____Microsoft_Visual_C___6_0___7_0__ - [FSG v1.10 (Eng) -> dulek/xt -> (Microsoft Visual C++ 6.0 / 7.0)]
  • PEiD_01070_Microsoft_Visual_C___6_0___8_0_ - [Microsoft Visual C++ 6.0 - 8.0]
  • PEiD_01091_Microsoft_Visual_C___8_ - [Microsoft Visual C++ 8]
  • PEiD_01628_PEQuake_V0_06____forgat_ - [PEQuake V0.06 -> forgat]
  • PEiD_01686_Petite_v2_2____www_un4seen_com_petite_ - [Petite v2.2 -> www.un4seen.com/petite]
  • PEiD_02152_StarForce_V3_X_DLL____StarForce_Copy_Protection_System_ - [StarForce V3.X DLL -> StarForce Copy Protection System]
  • Contains_PE_File - Detect a PE file inside a byte sequence
  • anti_dbg - Checks if being debugged
  • escalate_priv - Escalate privileges
  • screenshot - Take screenshot
  • win_registry - Affect system registries
  • win_token - Affect system token
  • win_files_operation - Affect private profile
  • contentis_base64 - This rule finds base64 strings
  • VC8_Microsoft_Corporation -
  • Microsoft_Visual_Cpp_8 -
  • CRC32_poly_Constant - Look for CRC32 [poly]
  • RIPEMD160_Constants - Look for RIPEMD-160 constants
  • SHA1_Constants - Look for SHA1 constants
  • maldoc_function_prolog_signature -
  • maldoc_structured_exception_handling -
  • maldoc_suspicious_strings -
  • maldoc_find_kernel32_base_method_1 -
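The HasOverlay and Contains_PE_File hits, together with the sfxrar.pdb path, point to a self-extracting stub with its payload appended after the last PE section. The script below is an added example, not code from the report or from WinRAR: it locates the overlay by parsing the section table by hand, scans it for the documented RAR 1.5-4.x and RAR 5 signatures, and carves the archive so it can be listed without ever running the stub. Because the sample itself is not on this page, the script also builds a minimal, non-runnable PE image with a constructed overlay to exercise the same code path; that the real overlay is a RAR archive is an assumption drawn from the PDB path, not something the report states.

```python
"""Carve the archive out of a self-extracting stub's PE overlay.

Added example; not code from the Cuckoo report or from WinRAR. It assumes the
sample is a WinRAR SFX stub (inferred from the sfxrar.pdb path and the
HasOverlay hit) whose payload is appended after the last PE section. The RAR
signatures are the documented RAR 1.5-4.x and RAR 5 magic values; the PE
headers are parsed by hand so the script has no dependencies.
"""
import struct
import sys
from typing import Optional, Tuple

RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

_COFF_FMT = "<HHIIIHH"         # IMAGE_FILE_HEADER (20 bytes)
_SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def overlay_offset(data: bytes) -> int:
    """Offset where the overlay starts: the end of the last section's raw
    data, or the end of the headers if no section carries raw data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(_COFF_FMT, data, coff)
    table = coff + struct.calcsize(_COFF_FMT) + opt_size
    end = table + nsect * struct.calcsize(_SECTION_FMT)
    if len(data) < end:
        raise ValueError("truncated section table")
    for i in range(nsect):
        hdr = struct.unpack_from(_SECTION_FMT, data, table + i * 40)
        size_raw, ptr_raw = hdr[3], hdr[4]      # SizeOfRawData, PointerToRawData
        if size_raw:
            end = max(end, ptr_raw + size_raw)
    return min(end, len(data))


def find_overlay(data: bytes) -> Tuple[int, bytes]:
    """Return (offset, overlay bytes); the overlay is b'' when nothing is
    appended to the image."""
    off = overlay_offset(data)
    return off, data[off:]


def carve_rar(data: bytes) -> Optional[bytes]:
    """Return the RAR archive found in the overlay, or None.

    WinRAR's stub finds its archive by scanning forward for the signature,
    so a few bytes may precede it; scan the same way instead of assuming the
    archive starts exactly at the overlay offset."""
    _, overlay = find_overlay(data)
    hits = [h for h in (overlay.find(RAR5_MAGIC), overlay.find(RAR4_MAGIC)) if h >= 0]
    return overlay[min(hits):] if hits else None


def build_stub_pe(overlay: bytes) -> bytes:
    """Constructed test input: a minimal, non-runnable PE32 image with one
    0x200-byte section at file offset 0x200, followed by `overlay`."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack(_COFF_FMT, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    text = struct.pack(_SECTION_FMT, b".text\0\0\0", 0x10, 0x1000,
                       0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read()
    off, overlay = find_overlay(blob)
    print(f"overlay at 0x{off:x}, {len(overlay)} bytes")
    rar = carve_rar(blob)
    if rar is None:
        sys.exit("no RAR signature in overlay")
    with open(sys.argv[1] + ".rar", "wb") as out:
        out.write(rar)
    print(f"wrote {len(rar)} bytes to {sys.argv[1]}.rar")
```

Run it as `python carve_sfx.py Winzip.exe` on the sample and list the result with `unrar l Winzip.exe.rar` or `7z l Winzip.exe.rar`; WinRAR keeps the SFX script (the Path= and Setup= directives that decide where files land and what runs afterwards) in the archive comment, which is where to look for the C:\Windows\reg destination without executing anything. A high-entropy overlay like this is also the usual reason generic "IsPacked" entropy checks and stray PEiD packer signatures fire on an otherwise plain MSVC binary.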

Score

This file shows some signs of potential malicious behavior.

The score of this file is 1.2 out of 10.

Please note: the scoring system is still in development and should be considered an alpha feature.

Information on Execution

Category   Started                    Completed                  Duration
FILE       Nov. 18, 2018, 6:54 a.m.   Nov. 18, 2018, 6:58 a.m.   240 seconds

Machine

Name       Label      Started On            Shutdown On
win7x64    win7x64    2018-11-18 06:54:45   2018-11-18 06:58:45

Analyzer Log

2018-11-17 22:54:44,030 [analyzer] DEBUG: Starting analyzer from: C:\tsakcqnpjc
2018-11-17 22:54:44,124 [analyzer] DEBUG: Pipe server name: \\.\PIPE\ahwgKzQzWMqaOKxiYsSnYBc
2018-11-17 22:54:44,124 [analyzer] DEBUG: Log pipe server name: \\.\PIPE\KliMPhipzktIBhuEiPBl
2018-11-17 22:54:44,124 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2018-11-17 22:54:44,124 [analyzer] INFO: Automatically selected analysis package "exe"
2018-11-17 22:54:45,887 [analyzer] DEBUG: Started auxiliary module Disguise
2018-11-17 22:54:46,401 [analyzer] DEBUG: Loaded monitor into process with pid 508
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module Human
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2018-11-17 22:54:46,448 [analyzer] DEBUG: Started auxiliary module Reboot
2018-11-17 22:54:46,635 [analyzer] DEBUG: Started auxiliary module RecentFiles
2018-11-17 22:54:46,651 [modules.auxiliary.screenshots] WARNING: Python Image Library is not installed, screenshots are disabled
2018-11-17 22:54:46,651 [analyzer] DEBUG: Started auxiliary module Screenshots
2018-11-17 22:54:47,088 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\zamen\\AppData\\Local\\Temp\\Winzip.exe' with arguments '' and pid 2300
2018-11-17 22:54:47,650 [analyzer] DEBUG: Loaded monitor into process with pid 2300
2018-11-17 22:54:47,711 [analyzer] DEBUG: Received request to inject pid=2300, but we are already injected there.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,506 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-17 22:54:49,506 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,522 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-17 22:54:49,631 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,631 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-17 22:54:49,631 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,631 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-17 22:54:49,631 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,631 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-17 22:54:49,647 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:49,647 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CDocument_write through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CElement_put_innerHTML through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CHyperlink_SetUrlComponent through our custom callback.
2018-11-17 22:54:50,036 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,036 [analyzer] DEBUG: Error resolving function mshtml!CIFrameElement_CreateElement through our custom callback.
2018-11-17 22:54:50,052 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,052 [analyzer] DEBUG: Error resolving function mshtml!CImgElement_put_src through our custom callback.
2018-11-17 22:54:50,052 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,052 [analyzer] DEBUG: Error resolving function mshtml!CScriptElement_put_src through our custom callback.
2018-11-17 22:54:50,052 [analyzer] WARNING: Unable to find the correct offsets for functions of: 32-bit mshtml.dll (with timestamp 0x4ce7b8f3)
2018-11-17 22:54:50,052 [analyzer] DEBUG: Error resolving function mshtml!CWindow_AddTimeoutCode through our custom callback.
2018-11-17 22:54:50,832 [modules.auxiliary.human] INFO: Found button "Install", clicking it
2018-11-17 22:58:12,430 [analyzer] INFO: Added new file to list with pid 2300 and path C:\Windows\reg\registery.reg
2018-11-17 22:58:12,463 [analyzer] INFO: Added new file to list with pid 2300 and path C:\Windows\reg\Registry.exe
2018-11-17 22:58:35,253 [analyzer] INFO: Process with pid 2300 has terminated
2018-11-17 22:58:35,253 [analyzer] INFO: Process list is empty, terminating analysis.
2018-11-17 22:58:36,267 [analyzer] INFO: Terminating remaining processes before shutdown.
2018-11-17 22:58:36,267 [analyzer] INFO: Analysis completed.

Cuckoo Log

2018-11-18 06:54:45,244 [lib.cuckoo.core.scheduler] INFO: Task #68: acquired machine win7x64 (label=win7x64)
2018-11-18 06:54:45,273 [modules.auxiliary.sniffer] INFO: Started sniffer with PID 5033 (interface=eth2, host=192.168.128.109, pcap=/opt/cuckoo/storage/analyses/68/dump.pcap)
2018-11-18 06:54:52,685 [lib.cuckoo.core.guest] INFO: Starting analysis on guest (id=win7x64, ip=192.168.128.109)
2018-11-18 06:58:45,096 [lib.cuckoo.core.guest] INFO: win7x64: analysis completed successfully
2018-11-18 06:58:48,375 [lib.cuckoo.core.plugins] WARNING: The processing module "Suricata" returned the following error: Unable to locate Suricata binary
2018-11-18 06:59:05,590 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 94, in perform_request
    response = self.pool.urlopen(method, url, body, retries=False, headers=self.headers, **kw)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 643, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/local/lib/python2.7/dist-packages/urllib3/util/retry.py", line 251, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connectionpool.py", line 361, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/lib/python2.7/httplib.py", line 1017, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.7/httplib.py", line 1051, in _send_request
    self.endheaders(body)
  File "/usr/lib/python2.7/httplib.py", line 1013, in endheaders
    self._send_output(message_body)
  File "/usr/lib/python2.7/httplib.py", line 864, in _send_output
    self.send(msg)
  File "/usr/lib/python2.7/httplib.py", line 826, in send
    self.connect()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 163, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python2.7/dist-packages/urllib3/connection.py", line 147, in _new_conn
    self, "Failed to establish a new connection: %s" % e)
NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fe64e4029d0>: Failed to establish a new connection: [Errno 111] Connection refused
2018-11-18 06:59:05,650 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.001s]
2018-11-18 06:59:05,652 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
2018-11-18 06:59:05,652 [elasticsearch] WARNING: HEAD http://127.0.0.1:9200/_template/cuckoo_template [status:N/A request:0.000s]
[each of the three retries above was followed by the same NewConnectionError traceback as the first: Failed to establish a new connection: [Errno 111] Connection refused]
2018-11-18 06:59:05,653 [lib.cuckoo.core.plugins] ERROR: Failed to run the reporting module "ElasticSearch":
Traceback (most recent call last):
  File "/opt/cuckoo/lib/cuckoo/core/plugins.py", line 533, in process
    current.run(self.results)
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 196, in run
    self.connect()
  File "/opt/cuckoo/modules/reporting/elasticsearch.py", line 79, in connect
    if not self.es.indices.exists_template("cuckoo_template"):
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 69, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/indices.py", line 491, in exists_template
    name), params=params)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 327, in perform_request
    status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
  File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_urllib3.py", line 105, in perform_request
    raise ConnectionError('N/A', str(e), e)
ConnectionError: ConnectionError(<urllib3.connection.HTTPConnection object at 0x7fe64e402c90>: Failed to establish a new connection: [Errno 111] Connection refused) caused by: NewConnectionError(<urllib3.connection.HTTPConnection object at 0x7fe64e402c90>: Failed to establish a new connection: [Errno 111] Connection refused)

Signatures

This executable has a PDB path (1 event)
pdb_path D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
This is the build path of WinRAR's own 32-bit self-extractor module (sfxrar32): the sample is a WinRAR SFX archive carrying a Winzip.exe file name, which is consistent with the "Install" button the Human module found and clicked. The two files written to C:\Windows\reg\ by the same process (pid 2300, no child processes recorded) are most likely the archive's extracted contents.
The executable has PE anomalies (could be a false positive) (1 event)
section .gfids
.gfids is the Control Flow Guard function-ID table that MSVC 2015 and later linkers emit for /guard:cf builds; it is a legitimate section name, so this hit is most likely the false positive the signature warns about.
Creates executable files on the filesystem (2 events)
file C:\Windows\reg\registery.reg
file C:\Windows\reg\Registry.exe
File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Backdoor.gc
CrowdStrike malicious_confidence_60% (D)
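The one behaviour in this report worth a detection is the file write itself: a binary running from the user's Temp folder created two payload-type files in C:\Windows\reg\, a directory that is not part of a stock Windows install. The rule below is an added example, not Cuckoo's or the report's own logic; it runs over constructed Sysmon-style FileCreate records (Event ID 11) that mirror the report's two drops plus some benign traffic, and the allowlist of "expected" %SystemRoot% subtrees is an assumption to tune per estate. Creating a folder directly under C:\Windows needs an elevated token, so this rule only ever fires on a process that already has admin rights; the report does not say what privileges the guest ran the sample with, and it is assumed here that it ran elevated.

```python
"""Flag payload-type files dropped into a non-standard %SystemRoot% folder by
a process running from a user staging directory.

Added example; it is neither Cuckoo's nor the report's own logic. The events
are constructed here in a Sysmon-like shape (Event ID 11, FileCreate) and
mirror what the report recorded: Winzip.exe, launched from the user's Temp
folder, wrote C:\\Windows\\reg\\registery.reg and C:\\Windows\\reg\\Registry.exe.
"""
from typing import Dict, Iterable, List

SYSTEM_ROOT = "c:\\windows\\"

# %SystemRoot% subtrees that installers and the servicing stack write to all
# the time. Assumption: a workable first-pass allowlist, not an exhaustive one.
EXPECTED_SUBTREES = (
    "system32\\", "syswow64\\", "winsxs\\", "servicing\\", "installer\\",
    "temp\\", "softwaredistribution\\", "microsoft.net\\", "assembly\\",
    "logs\\", "prefetch\\",
)

# Directories that downloaded or mailed payloads are typically executed from.
USER_STAGING = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")

# Binaries, plus .reg because importing one rewrites arbitrary registry keys.
PAYLOAD_EXT = (".exe", ".dll", ".scr", ".com", ".sys", ".reg")


def is_suspicious_drop(event: Dict[str, str]) -> bool:
    """True for a FileCreate where a process from a user staging directory
    writes a payload-type file under %SystemRoot% outside the usual subtrees."""
    if str(event.get("EventID")) != "11":
        return False
    image = event.get("Image", "").casefold()
    target = event.get("TargetFilename", "").casefold()
    if not target.startswith(SYSTEM_ROOT) or not target.endswith(PAYLOAD_EXT):
        return False
    if target[len(SYSTEM_ROOT):].startswith(EXPECTED_SUBTREES):
        return False
    return any(marker in image for marker in USER_STAGING)


def detect(events: Iterable[Dict[str, str]]) -> List[str]:
    """Return the target paths of every suspicious drop, in event order."""
    return [e["TargetFilename"] for e in events if is_suspicious_drop(e)]


# Constructed sample events; the first two mirror the report's observations.
SAMPLE_EVENTS = [
    {"EventID": "11", "Image": "C:\\Users\\zamen\\AppData\\Local\\Temp\\Winzip.exe",
     "TargetFilename": "C:\\Windows\\reg\\registery.reg"},
    {"EventID": "11", "Image": "C:\\Users\\zamen\\AppData\\Local\\Temp\\Winzip.exe",
     "TargetFilename": "C:\\Windows\\reg\\Registry.exe"},
    # Benign: servicing stack updating a system DLL in an expected subtree.
    {"EventID": "11", "Image": "C:\\Windows\\servicing\\TrustedInstaller.exe",
     "TargetFilename": "C:\\Windows\\System32\\example.dll"},
    # Benign: the same stub extracting into its own temp folder.
    {"EventID": "11", "Image": "C:\\Users\\zamen\\AppData\\Local\\Temp\\Winzip.exe",
     "TargetFilename": "C:\\Users\\zamen\\AppData\\Local\\Temp\\readme.txt"},
    # Not a FileCreate event at all.
    {"EventID": "1", "Image": "C:\\Users\\zamen\\AppData\\Local\\Temp\\Winzip.exe",
     "TargetFilename": "C:\\Windows\\reg\\Registry.exe"},
]

if __name__ == "__main__":
    for path in detect(SAMPLE_EVENTS):
        print("suspicious drop:", path)
```

The rule deliberately keys on where the writing process lives rather than on the file names, because Registry.exe and registery.reg are trivially renamed while "executable written into a new top-level folder under C:\Windows by something in %TEMP%" is not a pattern legitimate software produces. Pair it with a process-creation rule for anything later launched from the same folder.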

Screenshots

No screenshots available. (The Screenshots auxiliary module was disabled for this run because the Python Image Library was not installed in the guest, as the analyzer log records; the missing screenshots say nothing about the sample.)

Network

DNS

No domains contacted.

Hosts

No hosts contacted.

Summary

Process Winzip.exe (2300)

  • Opened files

    • C:\Users\zamen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
    • C:\Windows\Globalization\Sorting\sortdefault.nls
    • C:\Users\zamen\AppData\Local\Temp\Winzip.exe
    • C:\Windows\win.ini
    • C:\Users\zamen\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
    • C:\Windows\reg
    • C:\Windows\System32\ntmarta.dll
    • C:\Users\zamen\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
  • Written files

    • C:\Windows\reg\registery.reg
    • C:\Windows\reg\Registry.exe
  • Files read

    • C:\Users\zamen\AppData\Local\Temp\Winzip.exe
    • C:\Windows\win.ini

Process Winzip.exe (2300)

  • Registry keys opened

    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Zoom
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING
    • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\about\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_REVERSE_SOLIDUS_IN_USERINFO_KB932562
    • HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Internet Settings\Zones
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TravelLog
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_READ_ZONE_STRINGS_FROM_REGISTRY
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\Adv AddrBar Spoof Detection
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts
    • HKEY_LOCAL_MACHINE\Software
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\feedplat
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_UNC_SAVEDFILECHECK
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IEDDE_REGISTER_URLECHO
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\DxTrans
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SSLUX
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security\Floppy Access
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack\SurrogateFallback\MS Shell Dlg 2
    • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\%s
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Url History
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\about
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Main
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    • HKEY_CURRENT_USER\SOFTWARE\Classes\PROTOCOLS\Filter\text/html
    • HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Zoom
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IPERSISTMONIKER_LOAD_REDIRECTED_URL_KB976425
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Security
    • HKEY_LOCAL_MACHINE\System\Setup
    • HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/html
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615
    • HKEY_CURRENT_USER\Software\Policies
    • HKEY_CLASSES_ROOT\PROTOCOLS\Name-Space Handler\res\
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DxTrans
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_XSSFILTER
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Zoom
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
  • Registry keys written

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet
  • Registry keys read

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_FEEDS\Winzip.exe
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2700
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseThemes
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\RecommendedLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Winzip.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Show image placeholders
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{871C5380-42A0-1069-A2EA-08002B30309D} {000214E6-0000-0000-C000-000000000046} 0xFFFF
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SAFE_BINDTOOBJECT\*
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\CallForAttributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
    • HKEY_CURRENT_USER\Control Panel\Desktop\SmoothScroll
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Enable AutoImageResize
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ListviewShadow
    • HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnablePunycode
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled
    • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\DragMinDist
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder\RestrictedAttributes
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OLE\MaximumAllowedAllocationSize
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MIME_SNIFFING\*
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CacheLimit
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\UseClearType
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\XMLHTTP
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CSS_Compat
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileMenu
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012018111720181118\CachePrefix
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500
    • HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD\Winzip.exe
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Pacific Standard Time\Dynamic DST\2007
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags

Process Winzip.exe (2300)

  • Mutexes accessed

    • Local\ZonesCacheCounterMutex
    • Local\ZoneAttributeCacheCounterMutex
    • Local\ZonesCounterMutex
    • Local\ZonesLockedCacheCounterMutex

Process Winzip.exe (2300)

  • Directories created

    • C:\Windows\reg
    • C:\Windows
  • Directories enumerated

    • C:\Users\zamen\AppData\Local\Temp\Winzip.exe
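
The behaviour worth alerting on in this report is the directory creation above: an executable launched from a user's %TEMP% creating C:\Windows\reg. (The Internet Explorer registry reads and zone mutexes listed earlier come from the Shell.Explorer control the SFX stub uses to render its dialog text; IEFRAME.dll and mshtml.dll under DLLs Loaded below belong to the same control.) The following is an added detection sketch, not part of the Cuckoo report: it evaluates constructed records in the shape of Sysmon Event ID 11 (FileCreate) events, the first of which mirrors the image path and target directory recorded here. The allow-listed subtree and the path normalisation are this example's own choices.

```python
"""Detection sketch: a process image under a user's %TEMP% creating a file or
directory under C:\\Windows.  Added example, not part of the sandbox report;
EVENTS is constructed in the shape of Sysmon Event ID 11 records and is not
telemetry from the analysed run."""
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.I)
# Subtree of the Windows directory that unprivileged programs write to legitimately.
ALLOWED_SUBTREES = re.compile(r"^[a-z]:\\windows\\temp\\", re.I)


def normalise(path: str) -> str:
    """Resolve '..' and doubled separators so prefix matching cannot be evaded."""
    return ntpath.normpath(path.strip())


def is_suspicious(event: Dict) -> bool:
    """True when an image under a user temp folder creates something under C:\\Windows."""
    image = normalise(event["Image"])
    target = normalise(event["TargetFilename"])
    if not USER_TEMP.match(image) or not WINDOWS_DIR.match(target):
        return False
    # Append a separator so creating the allowed directory itself is also allowed.
    return not ALLOWED_SUBTREES.match(target + "\\")


def hunt(events: Iterable[Dict]) -> List[Tuple[int, str]]:
    """(ProcessId, normalised target) for every FileCreate event that trips the rule."""
    return [(e["ProcessId"], normalise(e["TargetFilename"]))
            for e in events if e.get("EventID") == 11 and is_suspicious(e)]


# Constructed sample events; the first mirrors the path and directory from this report.
EVENTS = [
    {"EventID": 11, "ProcessId": 2300,
     "Image": r"C:\Users\zamen\AppData\Local\Temp\Winzip.exe",
     "TargetFilename": r"C:\Windows\reg"},
    {"EventID": 11, "ProcessId": 2300,
     "Image": r"C:\Users\zamen\AppData\Local\Temp\Winzip.exe",
     "TargetFilename": r"C:\Users\zamen\AppData\Local\Temp\RarSFX0"},
    {"EventID": 11, "ProcessId": 1184,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\Installer\1a2b3c.msi"},
    {"EventID": 11, "ProcessId": 4012,
     "Image": r"C:\Users\zamen\AppData\Local\Temp\installer.exe",
     "TargetFilename": r"C:\Windows\Temp\..\reg\update.dat"},
]

if __name__ == "__main__":
    for pid, target in hunt(EVENTS):
        print(f"pid {pid} created {target} from a user temp folder")
```

The fourth record shows why normalisation matters: a write aimed at C:\Windows\Temp\..\reg would otherwise pass the allow-list on a naive prefix check.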

Process Winzip.exe (2300)

  • DLLs Loaded

    • IEFRAME.dll
    • ext-ms-win-kernel32-package-current-l1-1-0
    • C:\Windows\system32\riched20.dll
    • urlmon.dll
    • kernel32
    • mshtml.dll
    • apphelp.dll
    • gdi32.dll
    • kernel32.dll
    • UxTheme.dll
    • C:\Windows\system32\rsaenh.dll
    • C:\Windows\system32\ole32.dll
    • C:\Windows\system32\sfc_os.dll
    • dwmapi.dll
    • C:\Windows\system32\DXGIDebug.dll
    • <pi-ms-win-core-localization-l1-2-1
    • C:\Windows\system32\Msimtf.dll
    • OLEAUT32.dll
    • C:\Windows\syswow64\MSCTF.dll
    • WININET.dll
    • <pi-ms-win-core-fibers-l1-1-1
    • api-ms-win-appmodel-runtime-l1-1-1
    • MLANG.dll
    • comctl32
    • ole32.dll
    • comctl32.dll
    • USER32.dll
    • IMM32.dll
    • C:\Windows\system32\cryptbase.dll
    • C:\Windows\system32\IMM32.DLL
    • C:\Windows\system32\dwmapi.dll
    • C:\Windows\system32\Crypt32.dll
    • C:\Windows\system32\version.dll
    • SHELL32.dll
    • C:\Windows\system32\SSPICLI.DLL
    • COMCTL32.dll
    • oleaut32.dll
    • SHLWAPI.dll
    • C:\Windows\system32\shell32.dll
    • GDI32.dll
    • <pi-ms-win-core-synch-l1-2-0
    • advapi32
    • C:\Windows\system32\UXTheme.dll

PE Compile Time

2016-08-14 15:15:49

PDB Path

D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb

Sections

Name    Virtual Address  Virtual Size  Size of Raw Data  Entropy
.text   0x00001000       0x0002dfe8    0x0002e000        6.71024514176
.rdata  0x0002f000       0x000099d0    0x00009a00        5.15286519013
.data   0x00039000       0x0001f8b8    0x00000c00        3.29546719393
.gfids  0x00059000       0x000000f0    0x00000200        2.12366990435
.rsrc   0x0005a000       0x00004680    0x00004800        4.63811395267
.reloc  0x0005f000       0x00001f8c    0x00002000        6.62985537968
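
The section table ends with .reloc; anything in the file past the last section's raw data is overlay, and a WinRAR SFX stub (see the PDB path above) carries its archive there. The table lists only virtual addresses and raw sizes, so the overlay offset has to be read from PointerToRawData in the file itself. The following is an added example, not code from the report or from WinRAR: a small PE parser that computes the overlay offset, reads the COFF timestamp shown under PE Compile Time, and looks for a RAR 4.x or RAR 5.x signature in the overlay. build_sample_pe() constructs a minimal two-section PE32 for offline testing; it is not the analysed file, and its default timestamp is the value that renders as 2016-08-14 15:15:49 assuming the report displays UTC.

```python
"""Triage helper: find the overlay after the last PE section and check it for a
RAR archive signature.  Added example, not code from the report or from WinRAR;
build_sample_pe() constructs a minimal PE for offline testing."""
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

# RAR 4.x and RAR 5.x archive signatures.
RAR_SIGNATURES = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")


def parse_pe(data: bytes) -> Dict:
    """COFF timestamp, section table and overlay offset of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, _chars) = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "raw_pointer": rawptr})
    # Overlay = everything past the furthest-reaching raw section data
    # (the header block is the floor for a PE with no sections).
    overlay = max([table + nsections * 40] + [s["raw_pointer"] + s["raw_size"] for s in sections])
    return {"compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "sections": sections, "overlay_offset": overlay,
            "overlay_size": max(0, len(data) - overlay)}


def find_rar_in_overlay(data: bytes) -> Optional[int]:
    """Lowest offset of a RAR signature at or after the overlay start, else None."""
    start = parse_pe(data)["overlay_offset"]
    hits = [p for p in (data.find(sig, start) for sig in RAR_SIGNATURES) if p != -1]
    return min(hits) if hits else None


def build_sample_pe(overlay: bytes = b"", timestamp: int = 1471187749) -> bytes:
    """Constructed minimal PE32 with two sections (test input, not the real sample)."""
    e_lfanew, opt_size, align = 0x40, 0xE0, 0x200
    layout = ((b".text", 0x1000, 0x400), (b".reloc", 0x2000, 0x200))
    headers_len = e_lfanew + 4 + 20 + opt_size + len(layout) * 40
    first_raw = (headers_len + align - 1) // align * align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # exactly 0x40 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), timestamp, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)          # PE32 magic
    table, bodies, raw_ptr = b"", b"", first_raw
    for name, vaddr, size in layout:
        table += struct.pack("<8sIIII", name, size, vaddr, size, raw_ptr) + b"\0" * 16
        bodies += b"\xCC" * size
        raw_ptr += size
    image = dos + b"PE\0\0" + coff + opt + table
    image += b"\0" * (first_raw - len(image)) + bodies
    return image + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"Rar!\x1a\x07\x01\x00" + b"\0" * 32)
    info = parse_pe(sample)
    print("compile time:", info["compile_time"])
    print("overlay at 0x%x, %d bytes" % (info["overlay_offset"], info["overlay_size"]))
    print("RAR signature at:", find_rar_in_overlay(sample))
```

Run against the real file, a RAR signature at the overlay offset confirms the "Winzip.exe" name is cosmetic and the stub is carrying an archive; the payload file names then come from extracting that overlay with an archiver, not from the stub's own strings.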

Imports

Library KERNEL32.dll:
0x42f000 GetLastError
0x42f004 SetLastError
0x42f008 GetCurrentProcess
0x42f00c DeviceIoControl
0x42f010 SetFileTime
0x42f014 CloseHandle
0x42f018 CreateDirectoryW
0x42f01c RemoveDirectoryW
0x42f020 CreateFileW
0x42f024 DeleteFileW
0x42f028 CreateHardLinkW
0x42f02c GetShortPathNameW
0x42f030 GetLongPathNameW
0x42f034 MoveFileW
0x42f038 GetFileType
0x42f03c GetStdHandle
0x42f040 WriteFile
0x42f044 ReadFile
0x42f048 FlushFileBuffers
0x42f04c SetEndOfFile
0x42f050 SetFilePointer
0x42f054 SetFileAttributesW
0x42f058 GetFileAttributesW
0x42f05c FindClose
0x42f060 FindFirstFileW
0x42f064 FindNextFileW
0x42f068 GetVersionExW
0x42f070 GetFullPathNameW
0x42f074 FoldStringW
0x42f078 GetModuleFileNameW
0x42f07c GetModuleHandleW
0x42f080 FindResourceW
0x42f084 FreeLibrary
0x42f088 GetProcAddress
0x42f08c GetCurrentProcessId
0x42f090 ExitProcess
0x42f098 Sleep
0x42f09c LoadLibraryW
0x42f0a0 GetSystemDirectoryW
0x42f0a4 CompareStringW
0x42f0a8 AllocConsole
0x42f0ac FreeConsole
0x42f0b0 AttachConsole
0x42f0b4 WriteConsoleW
0x42f0bc CreateThread
0x42f0c0 SetThreadPriority
0x42f0d4 SetEvent
0x42f0d8 ResetEvent
0x42f0dc ReleaseSemaphore
0x42f0e0 WaitForSingleObject
0x42f0e4 CreateEventW
0x42f0e8 CreateSemaphoreW
0x42f0ec GetSystemTime
0x42f108 GetCPInfo
0x42f10c IsDBCSLeadByte
0x42f110 MultiByteToWideChar
0x42f114 WideCharToMultiByte
0x42f118 GlobalAlloc
0x42f11c GetTickCount
0x42f124 GetExitCodeProcess
0x42f128 GetLocalTime
0x42f12c MapViewOfFile
0x42f130 UnmapViewOfFile
0x42f134 CreateFileMappingW
0x42f138 OpenFileMappingW
0x42f13c GetCommandLineW
0x42f148 GetTempPathW
0x42f14c MoveFileExW
0x42f150 GetLocaleInfoW
0x42f154 GetTimeFormatW
0x42f158 GetDateFormatW
0x42f15c GetNumberFormatW
0x42f160 RaiseException
0x42f164 GetSystemInfo
0x42f168 VirtualProtect
0x42f16c VirtualQuery
0x42f170 LoadLibraryExA
0x42f178 IsDebuggerPresent
0x42f184 GetStartupInfoW
0x42f18c GetCurrentThreadId
0x42f194 InitializeSListHead
0x42f198 TerminateProcess
0x42f19c RtlUnwind
0x42f1a0 EncodePointer
0x42f1a8 TlsAlloc
0x42f1ac TlsGetValue
0x42f1b0 TlsSetValue
0x42f1b4 TlsFree
0x42f1b8 LoadLibraryExW
0x42f1c0 GetModuleHandleExW
0x42f1c4 GetModuleFileNameA
0x42f1c8 GetACP
0x42f1cc HeapFree
0x42f1d0 HeapAlloc
0x42f1d4 HeapReAlloc
0x42f1d8 GetStringTypeW
0x42f1dc LCMapStringW
0x42f1e0 FindFirstFileExA
0x42f1e4 FindNextFileA
0x42f1e8 IsValidCodePage
0x42f1ec GetOEMCP
0x42f1f0 GetCommandLineA
0x42f1fc GetProcessHeap
0x42f200 SetStdHandle
0x42f204 HeapSize
0x42f208 GetConsoleCP
0x42f20c GetConsoleMode
0x42f210 SetFilePointerEx
0x42f214 DecodePointer

Strings

!This program cannot be run in DOS mode.
?rRich
`.rdata
@.data
.gfids
@.rsrc
@.reloc
*messages***
CryptProtectMemory
CryptUnprotectMemory
xlistpos
SetDllDirectoryW
SetDefaultDllDirectories
Unknown exception
bad allocation
COMCTL32.dll
SHLWAPI.dll
USER32.dll
GDI32.dll
COMDLG32.dll
ADVAPI32.dll
SHELL32.dll
ole32.dll
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
bad array new length
Main Invoked.
Main Returned.
bad exception
EventRegister
EventSetInformation
EventUnregister
EventWriteTransfer
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
`h````
xpxxxx
(null)
CorExitProcess
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
GetCurrentPackageId
LCMapStringEx
LocaleNameToLCID
1#QNAN
1#SNAN
_hypot
_nextafter
InvokeMainViaCRT
"Main Invoked."
FileName
ExitMainViaCRT
"Main Returned."
FileName
Microsoft.CRTProvider
D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.didat$5
.gfids$x
.gfids$y
.rsrc$01
.rsrc$02
InitCommonControlsEx
SHAutoComplete
ShowWindow
GetDlgItem
EnableWindow
SetWindowPos
GetSystemMetrics
SetWindowTextW
GetWindowTextW
GetClientRect
GetWindowRect
GetWindowLongW
SetWindowLongW
SetProcessDefaultLayout
GetWindow
LoadStringW
OemToCharBuffA
CharUpperW
GetMessageW
TranslateMessage
DispatchMessageW
PeekMessageW
DefWindowProcW
RegisterClassExW
CreateWindowExW
IsWindow
DestroyWindow
UpdateWindow
MapWindowPoints
CopyRect
GetParent
LoadCursorW
ReleaseDC
MessageBoxW
FindWindowExW
GetClassNameW
wvsprintfW
SendMessageW
PostMessageW
WaitForInputIdle
IsWindowVisible
DialogBoxParamW
EndDialog
SetDlgItemTextW
GetDlgItemTextW
SendDlgItemMessageW
SetFocus
SetForegroundWindow
GetSysColor
LoadBitmapW
LoadIconW
DestroyIcon
IsDialogMessageW
CreateCompatibleBitmap
CreateCompatibleDC
DeleteDC
DeleteObject
GetDeviceCaps
SelectObject
StretchBlt
CreateDIBSection
GetObjectW
GetOpenFileNameW
GetSaveFileNameW
CommDlgExtendedError
OpenProcessToken
AdjustTokenPrivileges
SetFileSecurityW
LookupPrivilegeValueW
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
SHGetMalloc
SHGetPathFromIDListW
SHBrowseForFolderW
SHFileOperationW
ShellExecuteExW
SHGetFileInfoW
SHGetFolderLocation
SHChangeNotify
CreateStreamOnHGlobal
CoCreateInstance
CLSIDFromString
OleInitialize
OleUninitialize
SystemFunction036
sfxrar.exe
GetLastError
SetLastError
GetCurrentProcess
DeviceIoControl
SetFileTime
CloseHandle
CreateDirectoryW
RemoveDirectoryW
CreateFileW
DeleteFileW
CreateHardLinkW
GetShortPathNameW
GetLongPathNameW
MoveFileW
GetFileType
GetStdHandle
WriteFile
ReadFile
FlushFileBuffers
SetEndOfFile
SetFilePointer
SetFileAttributesW
GetFileAttributesW
FindClose
FindFirstFileW
FindNextFileW
GetVersionExW
GetCurrentDirectoryW
GetFullPathNameW
FoldStringW
GetModuleFileNameW
GetModuleHandleW
FindResourceW
FreeLibrary
GetProcAddress
GetCurrentProcessId
ExitProcess
SetThreadExecutionState
LoadLibraryW
GetSystemDirectoryW
CompareStringW
AllocConsole
FreeConsole
AttachConsole
WriteConsoleW
GetProcessAffinityMask
CreateThread
SetThreadPriority
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
SetEvent
ResetEvent
ReleaseSemaphore
WaitForSingleObject
CreateEventW
CreateSemaphoreW
GetSystemTime
SystemTimeToTzSpecificLocalTime
TzSpecificLocalTimeToSystemTime
SystemTimeToFileTime
FileTimeToLocalFileTime
LocalFileTimeToFileTime
FileTimeToSystemTime
GetCPInfo
IsDBCSLeadByte
MultiByteToWideChar
WideCharToMultiByte
GlobalAlloc
GetTickCount
SetCurrentDirectoryW
GetExitCodeProcess
GetLocalTime
MapViewOfFile
UnmapViewOfFile
CreateFileMappingW
OpenFileMappingW
GetCommandLineW
SetEnvironmentVariableW
ExpandEnvironmentStringsW
GetTempPathW
MoveFileExW
GetLocaleInfoW
GetTimeFormatW
GetDateFormatW
GetNumberFormatW
KERNEL32.dll
RaiseException
GetSystemInfo
VirtualProtect
VirtualQuery
LoadLibraryExA
IsProcessorFeaturePresent
IsDebuggerPresent
UnhandledExceptionFilter
SetUnhandledExceptionFilter
GetStartupInfoW
QueryPerformanceCounter
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
TerminateProcess
RtlUnwind
EncodePointer
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
QueryPerformanceFrequency
GetModuleHandleExW
GetModuleFileNameA
GetACP
HeapFree
HeapAlloc
HeapReAlloc
GetStringTypeW
LCMapStringW
FindFirstFileExA
FindNextFileA
IsValidCodePage
GetOEMCP
GetCommandLineA
GetEnvironmentStringsW
FreeEnvironmentStringsW
GetProcessHeap
SetStdHandle
HeapSize
GetConsoleCP
GetConsoleMode
SetFilePointerEx
DecodePointer
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AW4RAR_EXIT@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
.?AVbad_array_new_length@std@@
.?AVbad_exception@std@@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity
version="1.0.0.0"
processorArchitecture="*"
name="WinRAR SFX"
type="win32"/>
<description>WinRAR SFX module</description>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
<security>
<requestedPrivileges>
<requestedExecutionLevel level="asInvoker"
uiAccess="false"/>
</requestedPrivileges>
</security>
</trustInfo>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="*"
publicKeyToken="6595b64144ccf1df"
language="*"/>
</dependentAssembly>
</dependency>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<application>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
</application>
</compatibility>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
<asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
<dpiAware>true</dpiAware>
</asmv3:windowsSettings>
</asmv3:application>
</assembly>
registery.reg
Registry.exe
Maximum allowed array size (%u) is exceeded
SeSecurityPrivilege
SeRestorePrivilege
SeCreateSymbolicLinkPrivilege
rtmp%d
__rar_
?*<>|"
*messages***
Crypt32.dll
CryptProtectMemory failed
CryptUnprotectMemory failed
kernel32
version.dll
DXGIDebug.dll
sfc_os.dll
SSPICLI.DLL
rsaenh.dll
UXTheme.dll
dwmapi.dll
cryptbase.dll
lpk.dll
usp10.dll
clbcatq.dll
comres.dll
ws2_32.dll
ws2help.dll
psapi.dll
ieframe.dll
ntshrui.dll
atl.dll
setupapi.dll
apphelp.dll
userenv.dll
netapi32.dll
shdocvw.dll
crypt32.dll
msasn1.dll
cryptui.dll
wintrust.dll
shell32.dll
secur32.dll
cabinet.dll
oleaccrc.dll
ntmarta.dll
profapi.dll
WindowsCodecs.dll
srvcli.dll
cscapi.dll
slc.dll
imageres.dll
dnsapi.DLL
iphlpapi.DLL
WINNSI.DLL
netutils.dll
mpr.dll
devrtl.dll
propsys.dll
mlang.dll
samcli.dll
samlib.dll
wkscli.dll
dfscli.dll
browcli.dll
rasadhlp.dll
dhcpcsvc6.dll
dhcpcsvc.dll
XmlLite.dll
linkinfo.dll
cryptsp.dll
RpcRtRemote.dll
aclui.dll
dsrole.dll
peerdist.dll
uxtheme.dll
Please remove %s from %s folder. It is unsecure to run %s until it is done.
CreateThread failed
WaitForMultipleObjects error %d, GetLastError %d
Thread pool initialization failed.
ARarHtmlClassName
Shell.Explorer
about:blank
<html>
<head><meta http-equiv="content-type" content="text/html; charset=
utf-8"></head>
</html>
<style>
</style>
<style>body{font-family:"Arial";font-size:12;}</style>
&nbsp;
riched20.dll
RarSFX
REPLACEFILEDLG
RENAMEDLG
%s %s %s
GETPASSWORD1
ASKNEXTVOL
winrarsfxmappingfile.tmp
sfxname
%4d-%02d-%02d-%02d-%02d-%02d-%03d
sfxstime
STARTDLG
sfxcmd
sfxpar
LICENSEDLG
__tmp_rar_sfx_access_check_%u
-el -s2 "-d%s" "-p%s" "-sp%s"
Delete
Silent
Overwrite
TempMode
License
Presetup
Shortcut
SavePath
Update
SetupCode
%s.%d.tmp
Software\Microsoft\Windows\CurrentVersion
ProgramFilesDir
%s%s%d
Install
Software\WinRAR SFX
STATIC
KERNEL32.DLL
advapi32
<pi-ms-win-core-fibers-l1-1-1
<pi-ms-win-core-synch-l1-2-0
(null)
mscoree.dll
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
api-ms-win-appmodel-runtime-l1-1-1
<pi-ms-win-core-datetime-l1-1-1
<pi-ms-win-core-file-l2-1-1
<pi-ms-win-core-localization-l1-2-1
<pi-ms-win-core-localization-obsolete-l1-2-0
<pi-ms-win-core-processthreads-l1-1-2
<pi-ms-win-core-string-l1-1-0
<pi-ms-win-core-sysinfo-l1-2-1
<pi-ms-win-core-winrt-l1-1-0
<pi-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-kernel32-package-current-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
user32
ja-JP
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
STARTDLG
REPLACEFILEDLG
RENAMEDLG
GETPASSWORD1
LICENSEDLG
ASKNEXTVOL
WinRAR self-extracting archive
MS Shell Dlg 2
&Destination folder
Bro&wse...
RichEdit20W
Installation progress
msctls_progress32
Install
Cancel
Confirm file replace
MS Shell Dlg 2
The following file already exists
Would you like to replace the existing file
with this one?
Yes to &All
&Rename
No to A&ll
&Cancel
Rename
MS Shell Dlg 2
Cancel
Rename file
Enter password
MS Shell Dlg 2
&Enter password for the encrypted file:
Cancel
License
MS Shell Dlg 2
Accept
Decline
Next volume is required
MS Shell Dlg 2
You need to have the following volume to continue extraction:
&Browse...
Insert a disk with this volume and press "OK" to try again or press "Cancel" to break extraction
Cancel
Select destination folder
Extracting %s
Skipping %s
Unexpected end of archive
The file "%s" header is corrupt
Corrupt header is found
Main archive header is corrupt
The archive comment header is corrupt
The archive comment is corrupt
Not enough memory
Unknown method in %s
Cannot open %s
Cannot create %s
Cannot create folder %s
Checksum error in the encrypted file %s. Corrupt file or wrong password.
Checksum error in %s
Packed data checksum error in %s
Write error in the file %s. Probably the disk is full
Read error in the file %s
File close error
The required volume is absent
The archive is either in unknown format or damaged
Extracting from %s
Next volume
The archive header is corrupt
Error
Errors encountered while performing the operation
Look at the information window for more details
modified on
folder is not accessible
Some files could not be created.
Please close all applications, reboot Windows and restart this installation
Some installation files are corrupt.
Please download a fresh copy and retry the installation
All files
<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>
<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>
<li>Use <b>Browse</b> button to select the destination folder from the folders tree. It can be also entered manually.</li><br><br>
<li>If the destination folder does not exist, it will be created automatically before extraction.</li></ul>
The archive is corrupt
Extracting files to %s folder
Extracting files to temporary folder
Extract
Extraction progress
Total path and file name length must not exceed %d characters
Unknown encryption method in %s
The specified password is incorrect.
Cannot copy %s to %s.
Cannot create symbolic link %s
Cannot create hard link %s
You may need to run this self-extracting archive as administrator
Continue
Security warning
Please remove %s from folder %s. It is unsecure to run %s until it is done.
Antivirus Signature
Bkav Clean
MicroWorld-eScan Clean
CMC Clean
CAT-QuickHeal Clean
McAfee Clean
Cylance Clean
TheHacker Clean
BitDefender Clean
K7GW Clean
K7AntiVirus Clean
TrendMicro Clean
Baidu Clean
Babable Clean
Cyren Clean
Symantec Clean
ESET-NOD32 Clean
TrendMicro-HouseCall Clean
Paloalto Clean
ClamAV Clean
Kaspersky Clean
Alibaba Clean
NANO-Antivirus Clean
ViRobot Clean
SUPERAntiSpyware Clean
Tencent Clean
Ad-Aware Clean
Trustlook Clean
Sophos Clean
F-Secure Clean
DrWeb Clean
Zillya Clean
Invincea heuristic
McAfee-GW-Edition BehavesLike.Win32.Backdoor.gc
Emsisoft Clean
Ikarus Clean
F-Prot Clean
Jiangmin Clean
Webroot Clean
Avira Clean
Fortinet Clean
Antiy-AVL Clean
Kingsoft Clean
Endgame Clean
Arcabit Clean
AegisLab Clean
ZoneAlarm Clean
Avast-Mobile Clean
Microsoft Clean
TACHYON Clean
AhnLab-V3 Clean
VBA32 Clean
ALYac Clean
MAX Clean
Malwarebytes Clean
Panda Clean
Zoner Clean
Rising Clean
Yandex Clean
SentinelOne Clean
eGambit Clean
GData Clean
AVG Clean
Cybereason Clean
Avast Clean
CrowdStrike malicious_confidence_60% (D)
Qihoo-360 Clean

Process Tree


Winzip.exe, PID: 2300, Parent PID: 2276


Deprecation note: While processing this analysis you did not have the httpreplay Python library installed. Installing this library (i.e., pip install httpreplay) will allow Cuckoo to do more proper PCAP analysis including but not limited to showing full HTTP and HTTPS (!) requests and responses. It is recommended that you install this library and possibly reprocess any interesting analysis tasks.

Hosts

No hosts contacted.

DNS

No domains contacted.

TCP

No TCP connections recorded.

UDP

Source           Source Port  Destination      Destination Port
192.168.128.109  138          192.168.128.255  138

HTTP & HTTPS Requests

No HTTP requests performed.

ICMP traffic

No ICMP traffic performed.

IRC traffic

No IRC requests performed.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Snort Alerts

No Snort Alerts

Name e3b0c44298fc1c14___tmp_rar_sfx_access_check_25265894
Size 0.0B
Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
ssdeep 3::
Yara None matched
VirusTotal Search for analysis
Name 8c468122a647e4d6_Registry.exe
Filepath C:\Windows\reg\Registry.exe
Size 360.5KB
Processes 2300 (Winzip.exe)
Type data
MD5 b66874c9d84e3bd10ba753f1cdc18bd3
SHA1 2a9e9dc8b0a4c96b278dd500d9a67bde05512f38
SHA256 8c468122a647e4d6c39d23847565957705d56fc08aa7363652dcd43a178016f8
CRC32 61BBF941
ssdeep 3:F4IAKTWs4iv9lJF0s7Eq70G/l:XvTkilHj7GG/
Yara None matched
VirusTotal Search for analysis
Name 4332b157d5081340_registery.reg
Filepath C:\Windows\reg\registery.reg
Size 388.0B
Processes 2300 (Winzip.exe)
Type 8086 relocatable (Microsoft)
MD5 576f5aa6715baaad6c2a8846ec1a5fae
SHA1 7d3b8b95602668cde3960ded1c4157204ab47f4e
SHA256 4332b157d5081340fc526469e40729826109a6213612a72159bc5b2f45204dcb
CRC32 C15DE1C9
ssdeep 6:vrToLE4MhZ/+wv3iWDGi4DBOF72dm7deBe/3dWpuLwCFf0Xl:vrTowZvS95dy0IdlNBFfsl
Yara None matched
VirusTotal Search for analysis
Sorry! No dropped buffers.
Task ID 68
Mongo ID 5bf1540b11d3080b6a1c5c70
Cuckoo release 2.0-dev