Anubis - Analysis Report

Analysis Report for file


1. General Information

  - Information about Anubis' invocation  
Time needed: 250 s 
Report created: 09/17/13, 14:51:43 UTC 
Termination reason: Timeout 
Program version: 1.76.3886 

2. file.exe

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: file.exe 
MD5: 47db7adff2526b3494e61300b5ad504b 
SHA-1: 982325cdf0274d5941149b33c9eb22ae7796fe54 
File Size: 20480 Bytes
Command Line: "C:\file.exe" 
Process-status at analysis end: dead 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll  0x4EC50000  0x001A6000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000

  - Run-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\netapi32.dll  0x5B860000  0x00055000
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\CLBCATQ.DLL  0x76FD0000  0x0007F000
C:\WINDOWS\system32\COMRes.dll  0x77050000  0x000C5000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\WININET.dll  0x771B0000  0x000AA000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\SETUPAPI.dll  0x77920000  0x000F3000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000  0x00095000
C:\WINDOWS\system32\MSASN1.dll  0x77B20000  0x00012000
C:\WINDOWS\system32\Apphelp.dll  0x77B40000  0x00022000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\urlmon.dll  0x7E1E0000  0x000A2000

2.a) file.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common Desktop  C:\Documents and Settings\All Users\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common Documents  C:\Documents and Settings\All Users\Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\  BaseClass  Drive
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cookies  C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Desktop  C:\Documents and Settings\Administrator\Desktop
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Personal  C:\Documents and Settings\Administrator\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info IntranetName
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info ProxyBypass
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info UNCAsIntranet
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe  hhcbrnaff

  - Registry Values Read:  
Key Name Value Times
HKLM\SOFTWARE\CLASSES\.ASP    aspfile
HKLM\SOFTWARE\CLASSES\.BAT    batfile
HKLM\SOFTWARE\CLASSES\.CER    CERFile
HKLM\SOFTWARE\CLASSES\.CHM    chm.file
HKLM\SOFTWARE\CLASSES\.CMD    cmdfile
HKLM\SOFTWARE\CLASSES\.COM    comfile
HKLM\SOFTWARE\CLASSES\.CPL    cplfile
HKLM\SOFTWARE\CLASSES\.CRT    CERFile
HKLM\SOFTWARE\CLASSES\.EXE    exefile
HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32    %SystemRoot%\system32\SHELL32.dll
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32    C:\WINDOWS\system32\urlmon.dll
HKLM\SOFTWARE\CLASSES\CLSID\{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\INPROCSERVER32  ThreadingModel  Both
HKLM\SOFTWARE\CLASSES\CLSID\{AEB6717E-7E19-11D0-97EE-00C04FD91972}\INPROCSERVER32    shell32.dll
HKLM\SOFTWARE\CLASSES\DIRECTORY  AlwaysShowExt
HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9}  DriveMask  32
HKLM\SOFTWARE\CLASSES\EXEFILE\SHELL\OPEN\COMMAND    "%1" %*
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\Setup  OsLoaderPath  \
HKLM\SYSTEM\Setup  SystemPartition  \Device\HarddiskVolume1
HKLM\SYSTEM\Setup  SystemSetupInProgress
HKLM\SYSTEM\WPA\MediaCenter  Installed
HKLM\Software\Microsoft\COM3  Com+Enabled
HKLM\Software\Microsoft\COM3  REGDBVersion  0x0b00000000000000
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS
HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows  AppInit_DLLs
HKLM\Software\Microsoft\Windows\CurrentVersion  DevicePath  %SystemRoot%\inf
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\FileAssociation  CutList  0x4100700070006c00690063006100740069006f006e002000460069006c00
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks  {AEB6717E-7E19-11d0-97EE-00C04FD91972}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Common Desktop  %ALLUSERSPROFILE%\Desktop
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Common Documents  %ALLUSERSPROFILE%\Documents
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  DriverCachePath  %SystemRoot%\Driver Cache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  LogLevel
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackCachePath  c:\windows\ServicePackFiles\ServicePackCache
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  ServicePackSourcePath  D:\
HKLM\Software\Microsoft\Windows\CurrentVersion\Setup  SourcePath  D:\
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  AuthenticodeEnabled
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  DefaultLevel  262144
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  PolicyScope
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers  TransparentEnabled
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemData  0x5eab304f957a49896a006c1c31154015
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  ItemSize  779
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemData  0x67b0d48b343a3fd3bce9dc646704f394
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  ItemSize  517
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemData  0x327802dcfef8c893dc8ab006dd847d1d
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  ItemSize  918
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemData  0xbd9a2adb42ebd8560e250e4df8162f67
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  ItemSize  229
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  HashAlg  32771
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemData  0x386b085f84ecf669d36b956a22c01e80
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  ItemSize  370
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}  SaferFlags
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  ItemData  %HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*
HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}  SaferFlags
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName  ComputerName  PC
HKLM\System\CurrentControlSet\Control\Terminal Server  TSAppCompat
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Hostname  pc
HKLM\System\Setup  SystemSetupInProgress
HKLM\System\WPA\PnP  seed  1274198464
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Language Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Layout Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\  ShellState  0x2400000038080000000000000000000000000000010000000d0000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  DontPrettyPath
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Filter
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  Hidden
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideFileExt
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  HideIcons
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  MapNetDrvBtn
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  NoNetCrawling
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  SeparateProcess
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowCompColor
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowInfoTip
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  ShowSuperHidden
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced  WebView
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\  Data  0x000000005c005c003f005c0049004400450023004300640052006f006d00
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\  Generation
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\  Data  0x000000005c005c003f005c00530054004f00520041004700450023005600
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\  Generation
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Cache  %USERPROFILE%\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Cookies  %USERPROFILE%\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Desktop  %USERPROFILE%\Desktop
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Personal  %USERPROFILE%\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  1806
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  Flags  33
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1  Flags  219
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2  Flags  71
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  Flags
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  Flags
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\ShellNoRoam\MUICache  LangID  0x0904

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\Software\Classes  Key Change,Value Change
HKLM\Software\Classes\CLSID  Key Change,Value Change
HKLM\Software\Microsoft\COM3  Key Change,Value Change
HKU  Key Change,Value Change

2.b) file.exe - File Activities

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe

  - Files Read:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe
C:\Documents and Settings\Administrator\My Documents\desktop.ini
C:\Documents and Settings\All Users\Documents\desktop.ini
C:\WINDOWS\Registration\R00000000000b.clb
C:\file.exe
PIPE\lsarpc
PIPE\wkssvc

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe
MountPointManager
PIPE\lsarpc
PIPE\wkssvc

  - File System Control Communication:  
File Control Code Times
C:\Program Files\Common Files\  0x00090028 
PIPE\wkssvc  0x0011C017 
PIPE\lsarpc  0x0011C017 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0008 
STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}  0x004D0008 
MountPointManager  0x006D0034 

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Apphelp.dll
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\SETUPAPI.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\urlmon.dll
C:\Windows\AppPatch\sysmain.sdb

2.c) file.exe - Process Activities

  - Processes Created:  
Executable Command Line
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe   
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe  "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe"  

  - Remote Threads Created:  
Affected Process
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe

  - Foreign Memory Regions Read:  
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe

  - Foreign Memory Regions Written:  
Process: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe

2.d) file.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c90ff71 

3. hhcbrnaff.exe

  - General information about this executable  
Analysis Reason: Started by file.exe 
Filename: hhcbrnaff.exe 
MD5: aa3eccab574364425b07854fb8a62b95 
SHA-1: 3f16d3478bbd38639edf59df124ea6d811729c4c 
File Size: 20506 Bytes
Command Line: "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe"  
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\ntdll.dll  0x7C900000  0x000AF000
C:\WINDOWS\system32\kernel32.dll  0x7C800000  0x000F6000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll  0x4EC50000  0x001A6000
C:\WINDOWS\system32\ADVAPI32.dll  0x77DD0000  0x0009B000
C:\WINDOWS\system32\RPCRT4.dll  0x77E70000  0x00092000
C:\WINDOWS\system32\Secur32.dll  0x77FE0000  0x00011000
C:\WINDOWS\system32\GDI32.dll  0x77F10000  0x00049000
C:\WINDOWS\system32\USER32.dll  0x7E410000  0x00091000
C:\WINDOWS\system32\ole32.dll  0x774E0000  0x0013D000
C:\WINDOWS\system32\msvcrt.dll  0x77C10000  0x00058000

  - Run-time Dlls  
Module Name Base Address Size
C:\WINDOWS\system32\xpsp2res.dll  0x00E00000  0x002C5000
C:\WINDOWS\system32\WINHTTP.dll  0x4D4F0000  0x00059000
C:\WINDOWS\system32\netapi32.dll  0x5B860000  0x00055000
C:\WINDOWS\system32\comctl32.dll  0x5D090000  0x0009A000
C:\WINDOWS\system32\hnetcfg.dll  0x662B0000  0x00058000
C:\WINDOWS\system32\rsaenh.dll  0x68000000  0x00036000
C:\WINDOWS\system32\dssenh.dll  0x68100000  0x00026000
C:\WINDOWS\System32\mswsock.dll  0x71A50000  0x0003F000
C:\WINDOWS\System32\wshtcpip.dll  0x71A90000  0x00008000
C:\WINDOWS\system32\WS2HELP.dll  0x71AA0000  0x00008000
C:\WINDOWS\system32\WS2_32.dll  0x71AB0000  0x00017000
C:\WINDOWS\system32\wsock32.dll  0x71AD0000  0x00009000
C:\WINDOWS\system32\sensapi.dll  0x722B0000  0x00005000
C:\WINDOWS\system32\MSCTF.dll  0x74720000  0x0004C000
C:\WINDOWS\system32\Cabinet.dll  0x75150000  0x00013000
C:\WINDOWS\system32\cryptnet.dll  0x75E60000  0x00013000
C:\WINDOWS\system32\schannel.dll  0x767F0000  0x00027000
C:\WINDOWS\system32\userenv.dll  0x769C0000  0x000B4000
C:\WINDOWS\system32\WINMM.dll  0x76B40000  0x0002D000
C:\WINDOWS\system32\PSAPI.DLL  0x76BF0000  0x0000B000
C:\WINDOWS\system32\wintrust.dll  0x76C30000  0x0002E000
C:\WINDOWS\system32\IMAGEHLP.dll  0x76C90000  0x00028000
C:\WINDOWS\system32\rtutils.dll  0x76E80000  0x0000E000
C:\WINDOWS\system32\rasman.dll  0x76E90000  0x00012000
C:\WINDOWS\system32\TAPI32.dll  0x76EB0000  0x0002F000
C:\WINDOWS\system32\RASAPI32.DLL  0x76EE0000  0x0003C000
C:\WINDOWS\system32\DNSAPI.dll  0x76F20000  0x00027000
C:\WINDOWS\system32\WLDAP32.dll  0x76F60000  0x0002C000
C:\WINDOWS\system32\rasadhlp.dll  0x76FC0000  0x00006000
C:\WINDOWS\system32\OLEAUT32.dll  0x77120000  0x0008B000
C:\WINDOWS\system32\WININET.dll  0x771B0000  0x000AA000
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll  0x773D0000  0x00103000
C:\WINDOWS\system32\setupapi.dll  0x77920000  0x000F3000
C:\WINDOWS\system32\CRYPT32.dll  0x77A80000  0x00095000
C:\WINDOWS\system32\MSASN1.dll  0x77B20000  0x00012000
C:\WINDOWS\system32\VERSION.dll  0x77C00000  0x00008000
C:\WINDOWS\system32\SHLWAPI.dll  0x77F60000  0x00076000
C:\WINDOWS\system32\SHELL32.dll  0x7C9C0000  0x00817000
C:\WINDOWS\system32\urlmon.dll  0x7E1E0000  0x000A2000

3.a) hhcbrnaff.exe - Registry Activities

  - Registry Values Modified:  
Key Name New Value
HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings  info ProxyEnable
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Common AppData  C:\Documents and Settings\All Users\Application Data
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths  info Directory  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths  info Paths
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1  info CacheLimit  40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1  info CachePath  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2  info CacheLimit  40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2  info CachePath  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3  info CacheLimit  40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3  info CachePath  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4  info CacheLimit  40852
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4  info CachePath  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  AppData  C:\Documents and Settings\Administrator\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cache  C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  Cookies  C:\Documents and Settings\Administrator\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders  History  C:\Documents and Settings\Administrator\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info IntranetName
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info ProxyBypass
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  info UNCAsIntranet
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings  info MigrateProxy
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings  info ProxyEnable
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  info SavedLegacySettings  0x3c0000001600000001000000000000000000000000000000040000000000

  - Registry Values Read:  
Key Name Value Times
HKLM\SOFTWARE\Microsoft\CTF\SystemShared\  CUAS
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 001  Name  Microsoft Strong Cryptographic Provider
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 012  Name  Microsoft RSA SChannel Cryptographic Provider
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider Types\Type 018  Name  Microsoft DH SChannel Cryptographic Provider
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft DH SChannel Cryptographic Provider  Image Path  dssenh.dll
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft DH SChannel Cryptographic Provider  Type  18
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft RSA SChannel Cryptographic Provider  Image Path  rsaenh.dll
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft RSA SChannel Cryptographic Provider  Type  12
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider  Image Path  rsaenh.dll
HKLM\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Strong Cryptographic Provider  Type
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  UrlEncoding  0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents  RootAutoUpdate
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager  CriticalSectionTimeout  2592000
HKLM\SYSTEM\CurrentControlSet\Services\Winsock\Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000
HKLM\SYSTEM\Setup  OsLoaderPath  \
HKLM\SYSTEM\Setup  SystemPartition  \Device\HarddiskVolume1
HKLM\SYSTEM\Setup  SystemSetupInProgress
HKLM\Software\Microsoft\Cryptography  MachineGuid  4604e8cc-5b9c-4ffb-a374-a62e6d0494fc
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16  Dll  cryptnet.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\#16  FuncName  LdapProvOpenStore
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap  Dll  cryptnet.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 0\CertDllOpenStoreProv\Ldap  FuncName  LdapProvOpenStore
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.1.1  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.1.1  FuncName  EssReceiptDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.1  FuncName  EssReceiptRequestDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.11  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.11  FuncName  EssKeyExchPreferenceDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.12  FuncName  EssSignCertificateDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.2  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.2  FuncName  EssSecurityLabelDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.3  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.3  FuncName  EssMLHistoryDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.4  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObjectEx\1.2.840.113549.1.9.16.2.4  FuncName  EssContentHintDecodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.1.1  FuncName  EssReceiptEncodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.1  FuncName  EssReceiptRequestEncodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.11  FuncName  EssKeyExchPreferenceEncodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.12  FuncName  EssSignCertificateEncodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.2  FuncName  EssSecurityLabelEncodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.3  FuncName  EssMLHistoryEncodeEx
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4  Dll  inetcomm.dll
HKLM\Software\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObjectEx\1.2.840.113549.1.9.16.2.4  FuncName  EssContentHintEncodeEx
HKLM\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL
HKLM\Software\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  SoftpubCheckCert
HKLM\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL
HKLM\Software\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  HTTPSCertificateTrust
HKLM\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL
HKLM\Software\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  SoftpubCleanup
HKLM\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL
HKLM\Software\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  HTTPSFinalProv
HKLM\Software\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL
HKLM\​Software\​Microsoft\​Cryptography\​Providers\​Trust\​Initialization\​{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  SoftpubInitialize 
HKLM\​Software\​Microsoft\​Cryptography\​Providers\​Trust\​Message\​{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL 
HKLM\​Software\​Microsoft\​Cryptography\​Providers\​Trust\​Message\​{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  SoftpubLoadMessage 
HKLM\​Software\​Microsoft\​Cryptography\​Providers\​Trust\​Signature\​{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $DLL  WINTRUST.DLL 
HKLM\​Software\​Microsoft\​Cryptography\​Providers\​Trust\​Signature\​{573E31F8-AABA-11D0-8CCB-00C04FC295EE}  $Function  SoftpubLoadSignature 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_BEHAVIORS 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_DISABLE_MK_PROTOCOL 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​0048F8D37B153F6EA2798C323EF4F318A5624A9E  Blob  0x04000000010000001000000015b298a354704048703a375582c45afa1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​00EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099  Blob  0x0400000001000000100000003e80175badd77c104bf941b0cf1642b01400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​0483ED3399AC3608058722EDBC5E4600E3BEF9D7  Blob  0x0400000001000000100000004c5641e50dbb2be8caa3ed1808ad43391400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​049811056AFE9FD0F5BE01685AACE6A5D1C4454C  Blob  0x040000000100000010000000f27de954e4a3220d769fe70bbbb3242b1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​0B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52  Blob  0x040000000100000010000000266d2c1998b6706838505419ec9034601400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB  Blob  0x04000000010000001000000050e1419d59738b46732d7f7fcf5c44f11400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​1F55E8839BAC30728BE7108EDE7B0BB0D3298224  Blob  0x0400000001000000100000008cd79febc7b8144c5478a7903ba935671400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​209900B63D955728140CD13622D8C687A4EB0085  Blob  0x0400000001000000100000001e74c3863c0c35c53ec27fef3caa3cd91400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​216B2A29E62A00CE820146D8244141B92511B279  Blob  0x040000000100000010000000e14b5273d71bdb9330e5bde4096ebefb1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​23E594945195F2414803B4D564D2A3A3F5D88B8C  Blob  0x040000000100000010000000c570c4a2ed53780cc810538164cbd01d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​24A40A1F573643A67F0A4B0749F6A22BF28ABB6B  Blob  0x040000000100000010000000dd753f56bfbbc5a17a1553c690f9fbcc1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​24BA6D6C8A5B5837A48DB5FAE919EA675C94D217  Blob  0x0400000001000000100000007bb508999a8c18bf85277d0eaedab2ab1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​273EE12457FDC4F90C55E82B56167F62F532E547  Blob  0x040000000100000010000000db233df969fa4bb9958044735e7d41831400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​284F55C41A1A7A3F8328D4C262FB376ED6096F24  Blob  0x040000000100000010000000011a3f4db5f814c56848ad083eb9c8c21400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​2F173F7DE99667AFA57AF80AA2D1B12FAC830338  Blob  0x040000000100000010000000abbfeae36b29a6cca6783599efad2b801400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6  Blob  0x040000000100000010000000a923759bba49366e31c2dbf2e766ba871400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​36863563FD5128C7BEA6F005CFE9B43668086CCE  Blob  0x0400000001000000100000003ab2de229a209349f9edc8d28ae7680d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​394FF6850B06BE52E51856CC10E180E882B385CC  Blob  0x040000000100000010000000aabfbf6497da981d6fc6083a957033ca1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA  Blob  0x0400000001000000100000002a5d003739469475397b11a6f29341e11400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4072BA31FEC351438480F62E6CB95508461EAB2F  Blob  0x04000000010000001000000070b57c4881953e80dc289bbaef1ee4851400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC  Blob  0x040000000100000010000000e60bd2c9ca2d88db1a710e4b78eb02411400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​43DDB1FFF3B49B73831407F6BC8B975023D07C50  Blob  0x04000000010000001000000000531d1d7201d423c820d00b6088c5d11400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​43F9B110D5BAFD48225231B0D0082B372FEF9A54  Blob  0x040000000100000010000000259dcf5eb3259d95b93f00865f47943d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4463C531D7CCC1006794612BB656D3BF8257846F  Blob  0x040000000100000010000000747b820343f0009e6bb3ec47bf85a5931400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​47AFB915CDA26D82467B97FA42914468726138DD  Blob  0x04000000010000001000000050193e2fe8b6f4055449f3aec98b3e191400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4B421F7515F6AE8A6ECEF97F6982A400A4D9224E  Blob  0x0400000001000000100000005a11b922850289e1c3f22ce14ec101841400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4BA7B9DDD68788E12FF852E1A024204BF286A8F6  Blob  0x04000000010000001000000018ae695d15cab917673267d597b260c01400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4C95A9902ABE0777CED18D6ACCC3372D2748381E  Blob  0x0400000001000000100000004b1c568ca0e8c79e1ef5ee32939965fe1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5  Blob  0x040000000100000010000000cb17e431673ee209fe455793f30afa1c0300 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9  Blob  0x040000000100000010000000034287d7c1167d18afa4703cb8312c3e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C  Blob  0x040000000100000010000000852ff4764cd5426ccb5e7df717e835bd1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​4F65566336DB6598581D584A596C87934D5F2AB4  Blob  0x040000000100000010000000782a02dfdb2e14d5a75f0adfb68e9c5d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​54F9C163759F19045121A319F64C2D0555B7E073  Blob  0x0400000001000000100000004b798dd41d0392aa51ee04e5906f47491400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​58119F0E128287EA50FDD987456F4F78DCFAD6D4  Blob  0x040000000100000010000000b3a53e77216dac4ac0c9fbd5413dca061400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​5B4E0EC28EBD8292A51782241281AD9FEEDD4E4C  Blob  0x040000000100000010000000b774cd487c5f9a0d3bf3fe66f41b3dfa1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​5D989CDB159611365165641B560FDBEA2AC23EF1  Blob  0x040000000100000010000000bf6059a35bbaf6a77642da6f1a7b50cf1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​5E5A168867BFFF00987D0B1DC2AB466C4264F956  Blob  0x040000000100000010000000343339fc6d033a8fa25385443270dec41400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​5E997CA5945AAB75FFD14804A974BF2AE1DFE7E1  Blob  0x0400000001000000100000009aaef722f533fb4eec0a249dc63d7d251400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​627F8D7827656399D27D7F9044C9FEB3F33EFA9A  Blob  0x040000000100000010000000069f6979166690021b8c8ca2c3076f3a1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​6372C49DA9FFF051B8B5C7D4E5AAE30384024B9C  Blob  0x0400000001000000100000008956aa4d441e59d805a1886deac828b21400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​6782AAE0EDEEE21A5839D3C0CD14680A4F60142A  Blob  0x040000000100000010000000b39c25b1c32e32538015309d4d02773e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​67EB337B684CEB0EC2B0760AB488278CDD9597DD  Blob  0x040000000100000010000000cd3b3d625b09b80936879e122f7164ba1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​687EC17E0602E3CD3F7DFBD7E28D57A0199A3F44  Blob  0x040000000100000010000000824ad493004d66b6a32ca77b3536cf0b1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​688B6EB807E8EDA5C7B17C4393D0795F0FAE155F  Blob  0x040000000100000010000000e8cc9fb09b40c51f4fba7421f952857a1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​68ED18B309CD5291C0D3357C1D1141BF883866B1  Blob  0x0400000001000000100000008212f789e10b9160a4b6229f946811921400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​69BD8CF49CD300FB592E1793CA556AF3ECAA35FB  Blob  0x040000000100000010000000a26f53b7ee40db4a68e7fa18d9104b721400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​6A174570A916FBE84453EED3D070A1D8DA442829  Blob  0x0400000001000000100000002124a681c1d8f219af4998e39dfe0bf41400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​720FC15DDC27D456D098FABF3CDD78D31EF5A8DA  Blob  0x0400000001000000100000008d26ff2f316d5929dde636a7e2ce64251400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​74207441729CDD92EC7931D823108DC28192E2BB  Blob  0x040000000100000010000000882c8c52b8a23cf3f7bb03eaaeac420b1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​742C3192E607E424EB4549542BE1BBC53E6174E2  Blob  0x04000000010000001000000010fc635df6263e0df325be5f79cd67671400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​7639C71847E151B5C7EA01C758FBF12ABA298F7A  Blob  0x040000000100000010000000a8eddeeb938866d82fc3bd1dbe45be4d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​78E9DD0650624DB9CB36B50767F209B843BE15B3  Blob  0x0400000001000000100000005186e81fbcb1c371b51810db5fdcf6201400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​7A74410FB0CD5C972A364B71BF031D88A6510E9E  Blob  0x04000000010000001000000041b807f7a8d109eeb49a8e704dfc1b781400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​7AC5FFF8DCBC5583176877073BF751735E9BD358  Blob  0x0400000001000000100000004b6771be33b90db64b3a400187f08b1f1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​7CA04FD8064C1CAA32A37AA94375038E8DF8DDC0  Blob  0x0400000001000000100000005b6f532cbb8188fa6c042c325da56b961400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​7E784A101C8265CC2DE1F16D47B440CAD90A1945  Blob  0x0400000001000000100000008f5d770627c4983c5b9378e7d77d9bcc1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​81968B3AEF1CDC70F5FA3269C292A3635BD123D3  Blob  0x040000000100000010000000257aba832eb6a20bdafef5020f08d7ad1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​838E30F77FDD14AA385ED145009C0E2236494FAA  Blob  0x040000000100000010000000b816334c4c4cf2d8d34d06b4a65b40031400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​85371CA6E550143DCE2803471BDE3A09E8F8770F  Blob  0x040000000100000010000000a2339b4c747873d46ce7c1f38dcb5ce91400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​85A408C09C193E5D51587DCDD61330FD8CDE37BF  Blob  0x04000000010000001000000074014a91b108c458ce47cdf0dd1153081400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​879F4BEE05DF98583BE360D633E70D3FFE9871AF  Blob  0x0400000001000000100000003916aab96a41e11469df9e6c3b72dcb61400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​8EB03FC3CF7BB292866268B751223DB5103405CB  Blob  0x0400000001000000100000008bca525f7553d02c6f630d8f882e1cd71400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​9078C5A28F9A4325C2A7C73813CDFE13C20F934E  Blob  0x040000000100000010000000f20598e5964bbe5d55181b55b388e3921400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​90AEA26985FF14804C434952ECE9608477AF556F  Blob  0x0400000001000000100000009760e8575fd35047e5430c94368ab0621400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​90DEDE9E4C4E9F6FD88617579DD391BC65A68964  Blob  0x040000000100000010000000c4d7f0b2a3c57d6167f004cd43d3ba581400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​96974CD6B663A7184526B1D648AD815CF51E801A  Blob  0x040000000100000010000000711f0e21e7aaea323a6623d3ab50d6691400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​97817950D81C9670CC34D809CF794431367EF474  Blob  0x040000000100000010000000ca3dd368f1035cd032fab82b59e85adb1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​97E2E99636A547554F838FBA38B82E74F89A830A  Blob  0x040000000100000010000000c463ab44201c36e437c05f279d0f6f6e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​99A69BE61AFE886B4D2B82007CB854FC317E1539  Blob  0x040000000100000010000000dff28073ccf1e66173fcf542e9c57cee1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​9BACF3B664EAC5A17BED08437C72E4ACDA12F7E7  Blob  0x040000000100000010000000e2d52023eceeb872e12b5d296ffa43da1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​9E6CEB179185A29EC6060CA53E1974AF94AF59D4  Blob  0x0400000001000000100000009b340d1a315b97462698bca6136a71961400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​9FC796E8F8524F863AE1496D381242105F1B78F5  Blob  0x0400000001000000100000005f944a7322b8f7d131ec5939f78efe6e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​A399F76F0CBF4C9DA55E4AC24E8960984B2905B6  Blob  0x040000000100000010000000370971c4afeb7501ae636c3016bfd1e51400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​A3E31E20B2E46A328520472D0CDE9523E7260C6D  Blob  0x040000000100000010000000a33d88fe161bddf95c9f1a7fd8c890081400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​A5EC73D48C34FCBEF1005AEB85843524BBFAB727  Blob  0x040000000100000010000000ec407d2b765267052ceaf23a4f65f0d81400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​AB48F333DB04ABB9C072DA5B0CC1D057F0369B46  Blob  0x04000000010000001000000093c28e117bd4f30319bd2875134a454a1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​ACED5F6553FD25CE015F1F7A483B6A749F6178C6  Blob  0x04000000010000001000000086386d5e49636c855cdb6ddc94b7d0f71400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​B172B1A56D95F91FE50287E14D37EA6A4463768A  Blob  0x040000000100000010000000d7343def1d270928e131025b132bddf71400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​B19DD096DCD4E3E0FD676885505A672C438D4E9C  Blob  0x0400000001000000100000002b508718392d3bffc3917f2d7dc08a971400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​B3EAC44776C9C81CEAF29D95B6CCA0081B67EC9D  Blob  0x0400000001000000100000002dbbe525d3d165823ab70efae6ebe2e11400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​B5D303BF8682E152919D83F184ED05F1DCE5370C  Blob  0x040000000100000010000000978fc66b3b3e40857724750b76bb55f81400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​B6AF5BE5F878A00114C3D7FEF8C775C34CCD17B6  Blob  0x040000000100000010000000a37d2c27e4a7f3aa5f75d4c49264026a1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​B72FFF92D2CE43DE0A8D4C548C503726A81E2B93  Blob  0x0400000001000000100000006cc9a76e47f10ce3533b784c4dc26ac51400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​BC9219DDC98E14BF1A781F6E280B04C27F902712  Blob  0x040000000100000010000000b465220a7caddf41b7d544d5adfa9a751400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​BE36A4562FB2EE05DBB3D32323ADF445084ED656  Blob  0x0400000001000000100000007f667a71d3eb6978209a51149d83da201400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​CABB51672400588E6419F1D40878D0403AA20264  Blob  0x040000000100000010000000bdd6f58a7c3cc4a6f934ccc38961f6b21400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​CFDEFE102FDA05BBE4C78D2E4423589005B2571D  Blob  0x040000000100000010000000ad8e0f9e016ba0c574d50cd368654f1e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​CFF360F524CB20F1FEAD89006F7F586A285B2D5B  Blob  0x04000000010000001000000074a82c81432b35609b78056b58f365821400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​CFF810FB2C4FFC0156BFE1E1FABCB418C68D31C5  Blob  0x04000000010000001000000071e265fbcd7b0b845be3bcd76320c5981400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​D23209AD23D314232174E40D7F9D62139786633A  Blob  0x04000000010000001000000067cb9dc013248a829bb2171ed11becd41400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​D29F6C98BEFC6D986521543EE8BE56CEBC288CF3  Blob  0x0400000001000000100000000efa4bf7d760cd65f7a70688579862391400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​D2EDF88B41B6FE01461D6E2834EC7C8F6C77721E  Blob  0x040000000100000010000000bd8ace34a8ae6148e85ec87a1ce8ccbf1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​DA40188B9189A3EDEEAEDA97FE2F9DF5B7D18A41  Blob  0x040000000100000010000000649cef2e44fcc68f5207d051738fcb3d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​DBAC3C7AA4254DA1AA5CAAD68468CB88EEDDEEA8  Blob  0x040000000100000010000000df168a83ea83845db96501c6a65d193e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46  Blob  0x040000000100000010000000a7f2e41606411150306b9ce3b49cb0c91400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​E392512F0ACFF505DFF6DE067F7537E165EA574B  Blob  0x0400000001000000100000004febf1f070c280635d589fda123ca9c41400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​E4554333CA390E128B8BF81D90B70F4002D1D6E9  Blob  0x040000000100000010000000bfb5e77d3dea6f1df08a50bc8c1cfa1d1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​E5DF743CB601C49B9843DCAB8CE86A81109FE48E  Blob  0x0400000001000000100000006558ab15ad576c1ea8a7b569acbfffeb1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​EBBC0E2D020CA69B222C2BFFD203CB8BF5A82766  Blob  0x040000000100000010000000b2407992461a19c4180fec34ec68afd51400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​EC0C3716EA9EDFADD35DFBD55608E60A05D3CBF3  Blob  0x04000000010000001000000078a5fb104be4632ed26bfbf2b6c24b8e1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​EF2DACCBEABB682D32CE4ABD6CB90025236C07BC  Blob  0x040000000100000010000000c69f6d5cb379b00389cbf03fa4c09f8a1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​F44095C238AC73FC4F77BF8F98DF70F8F091BC52  Blob  0x040000000100000010000000f4ff97428070fe66168bbed35315819b1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​AuthRoot\​\​Certificates\​F88015D3F98479E1DA553D24FD42BA3F43886AEF  Blob  0x040000000100000010000000160a1613c17ff01d887ee3d9e71261cc1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​CRLs\​A377D1B1C0538833035211F4083D00FECC414DAB  Blob  0x030000000100000014000000a377d1b1c0538833035211f4083d00fecc41 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​063DA67748F0ECCC690D319BCDCD0E72AC8D48D5  Blob  0x19000000010000001000000012fabd58acd5fc77cd7608b3d3378c3d0300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​109F1CAED645BB78B3EA2B94C0697C740733031C  Blob  0x030000000100000014000000109f1caed645bb78b3ea2b94c0697c740733 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​12519AE9CD777A560184F1FBD54215222E95E71F  Blob  0x190000000100000010000000a889c4496403d2619e040ad282ffc1590300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​189271E573FED295A8C130EAF357A20C4A9F115E  Blob  0x19000000010000001000000099c03958d4138c59ae87672beb67432a0300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​2D69A20EC4F0CD19037FD6D6246B1EE0EC41BA22  Blob  0x1900000001000000100000004187d1f7d569d7cab129111df89991810300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​7B02312BACC59EC388FEAE12FD277F6A9FB4FAC1  Blob  0x190000000100000010000000c4f1f90b2787ece21c32340df76cc67c0300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​8B24CD8D8B58C6DA72ACE097C7B1E3CEA4DC3DC6  Blob  0x1900000001000000100000006ed6ed7df52fc19bdc9e5fe9e2be21fb0300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​9F025D9F58711A605EB0694B0E8BC0CA4F25FD6F  Blob  0x190000000100000010000000fe4d945be7ca1f62953a5c89cd07a9960300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​BA9E3C32562A67128CAABD4AB0C500BEE1D0C256  Blob  0x19000000010000001000000083b65318664e6fa245e0d7609fb958200300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​E5215D3460C2C20BBE2D9FE5FB665DAA2C0E225C  Blob  0x190000000100000010000000a823b4a20180beb460cab955c24d7e210300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​F6357239B7C39725BD8000646E4A0D18EBCE4CFA  Blob  0x1900000001000000100000008d1180a8ac4f2b186c7da5fffd8b86e10300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​FE622EA7B33CA46519AB39736A66B8F6E41FF157  Blob  0x1900000001000000100000005dc45e2cd1845791bdde7600050af5100300 
HKLM\​Software\​Microsoft\​SystemCertificates\​ca\​\​Certificates\​FEE449EE0E3965A5246F000E87FDE2A065FD89D4  Blob  0x190000000100000010000000edbccdd5106a071c5d8b4690918e48aa0300 
HKLM\​Software\​Microsoft\​SystemCertificates\​disallowed\​\​Certificates\​637162CC59A3A1E25956FA5FA8F60D2E1C52EAC6  Blob  0x0f000000010000001000000033592925e547604fd98c09f1fa44c2790b00 
HKLM\​Software\​Microsoft\​SystemCertificates\​disallowed\​\​Certificates\​7D7F4414CCEF168ADF6BF40753B5BECD78375931  Blob  0x0f00000001000000100000008cdb18e99a266c9be818e94229cf0fca0b00 
HKLM\​Software\​Microsoft\​SystemCertificates\​root\​\​Certificates\​18F7C1FCC3090203FD5BAA2F861A754976C8DD25  Blob  0x040000000100000010000000ebb04f1d3a2e372f1dda6e27d6b680fa1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​root\​\​Certificates\​245C97DF7514E7CF2DF8BE72AE957B9E04741E85  Blob  0x040000000100000010000000556ebef54c1d7c0360c43418bc9649c11400 
HKLM\​Software\​Microsoft\​SystemCertificates\​root\​\​Certificates\​7F88CD7223F3C813818C994614A89C99FA3B5247  Blob  0x040000000100000010000000dc6d6faf897cdd17332fb5ba9035e9ce1400 
HKLM\​Software\​Microsoft\​SystemCertificates\​root\​\​Certificates\​A43489159A520F0D93D032CCAF37E7FE20A8B419  Blob  0x1900000001000000100000003fc8cb0bc05241e58d65e9448b2d07c21400 
HKLM\​Software\​Microsoft\​SystemCertificates\​root\​\​Certificates\​CDD4EEAE6000AC7F40C3802C171E30148030C072  Blob  0x190000000100000010000000983b132635b7e91deef54a6780c092691400 
HKLM\​Software\​Microsoft\​Tracing  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  ConsoleTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableFileTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileDirectory  %windir%\​tracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  MaxFileSize  1048576 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  AllUsersProfile  All Users  10 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  DefaultUserProfile  Default User  10 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  ProfilesDirectory  %SystemDrive%\​Documents and Settings  20 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  ProfileImagePath  %SystemDrive%\​Documents and Settings\​Administrator  10 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  CommonFilesDir  C:\​Program Files\​Common Files  10 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  DevicePath  %SystemRoot%\​inf 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  ProgramFilesDir  C:\​Program Files  10 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  DriverCachePath  %SystemRoot%\​Driver Cache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  LogLevel 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackCachePath  c:\​windows\​ServicePackFiles\​ServicePackCache 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  ServicePackSourcePath  D:\​ 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Setup  SourcePath  D:\​ 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC  14 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Capabilities  16464 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Comment  Digest SSPI Authentication Package 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Name  Digest 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  RpcId  65535 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  TokenSize  65535 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Type  49 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​digest.dll  Version 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Capabilities  55 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Comment  DPA Security Package 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Name  DPA 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  RpcId  17 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  TokenSize  768 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Type  49 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msapsspc.dll  Version 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Capabilities  55 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Comment  MSN Security Package 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Name  MSN 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  RpcId  18 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  TokenSize  768 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Type  49 
HKLM\​System\​CurrentControlSet\​Control\​Lsa\​SspiCache\​msnsspc.dll  Version 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​SecurityProviders  SecurityProviders  msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll 
HKLM\System\CurrentControlSet\Control\SecurityProviders\SaslProfiles  GSSAPI  Kerberos
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  ComSpec  %SystemRoot%\system32\cmd.exe  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  FP_NO_HOST_CHECK  NO  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  NUMBER_OF_PROCESSORS  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  OS  Windows_NT  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_ARCHITECTURE  x86  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_LEVEL  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  PROCESSOR_REVISION  0303  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  Path  %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  TEMP  %SystemRoot%\TEMP  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  TMP  %SystemRoot%\TEMP  20
HKLM\System\CurrentControlSet\Control\Session Manager\Environment  windir  %SystemRoot%  20
HKLM\System\CurrentControlSet\Control\Terminal Server  TSAppCompat
HKLM\System\CurrentControlSet\Services\LDAP  LdapClientIntegrity
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Domain
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  Hostname  pc
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters  UseDomainNameDevolution
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  HelperDllName  %SystemRoot%\System32\wshtcpip.dll
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  MaxSockaddrLength  16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  MinSockaddrLength  16
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock  UseDelayedAcceptance
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters  WinSock_Registry_Version  2.0
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  Num_Catalog_Entries
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  Serial_Access_Num
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  DisplayString  Tcpip
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  Enabled
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  LibraryPath  %SystemRoot%\System32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  StoresServiceClassInfo
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  SupportedNameSpace  12
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001  Version
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  DisplayString  NTDS
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  Enabled
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  LibraryPath  %SystemRoot%\System32\winrnr.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  StoresServiceClassInfo
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  SupportedNameSpace  32
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002  Version
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  DisplayString  Network Location Awareness (NLA) Namespace
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  Enabled
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  LibraryPath  %SystemRoot%\System32\mswsock.dll
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  StoresServiceClassInfo
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  SupportedNameSpace  15
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003  Version
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Next_Catalog_Entry_ID  1020
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Num_Catalog_Entries  13
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Serial_Access_Num
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004  PackedCatalogItem  %SystemRoot%\system32\rsvpsp.d
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005  PackedCatalogItem  %SystemRoot%\system32\rsvpsp.d
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013  PackedCatalogItem  %SystemRoot%\system32\mswsock.
HKLM\System\Setup  SystemSetupInProgress
HKLM\System\WPA\PnP  seed  1274198464
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment  TEMP  %USERPROFILE%\Local Settings\Temp  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment  TMP  %USERPROFILE%\Local Settings\Temp  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Language Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle  Layout Hotkey
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnableHttp1_1
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  EnableNegotiate
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges
HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  WarnOnPost  0x01000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Internet Explorer\Security  Safety Warning Level  Query
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\SystemCertificates\Root\ProtectedRoots  Certificates  0x180000000100000050a5c0c5adc5c8010000000018000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\SystemCertificates\ca\\Certificates\F77A3F82B7C4B3A9D869A93E3335CF1F78BC441E  Blob  0x030000000100000014000000f77a3f82b7c4b3a9d869a93e3335cf1f78bc
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon  ParseAutoexec  10
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  AppData  %USERPROFILE%\Application Data
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Cache  %USERPROFILE%\Local Settings\Temporary Internet Files
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Cookies  %USERPROFILE%\Cookies
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  History  %USERPROFILE%\Local Settings\History
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Local Settings  %USERPROFILE%\Local Settings
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders  Personal  %USERPROFILE%\My Documents
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache  Signature  Client UrlCache MMF Ver 5.2
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content  CacheLimit  163410
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content  CachePrefix
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content  PerUserItem
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies  CacheLimit  8192
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies  CachePrefix  Cookie:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies  PerUserItem
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218  CacheLimit  8192
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218  CacheOptions  11
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218  CachePath  %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218  CachePrefix  :2011021720110218:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218  CacheRepair
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219  CacheLimit  8192
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219  CacheOptions  11
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219  CachePath  %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219  CachePrefix  :2011021820110219:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219  CacheRepair
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History  CacheLimit  8192
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History  CachePrefix  Visited:
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History  PerUserItem
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  IntranetName
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  ProxyBypass
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\\ProtocolDefaults\  https
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0  Flags  33
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1  Flags  219
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2  Flags  71
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  1A10
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3  Flags
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4  Flags
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  State  146432
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings  MigrateProxy
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings  ProxyEnable
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  DefaultConnectionSettings  0x3c0000000300000001000000000000000000000000000000040000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  SavedLegacySettings  0x3c0000001500000001000000000000000000000000000000040000000000
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  APPDATA  C:\Documents and Settings\Administrator\Application Data  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  CLIENTNAME  Console  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  HOMEDRIVE  C:  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  HOMEPATH  \Documents and Settings\Administrator  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  HOMESHARE    20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  LOGONSERVER  \\PC  20
HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment  SESSIONNAME  Console  20

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\Software\Microsoft\EnterpriseCertificates\ca\  Key Change,Value Change
HKLM\Software\Microsoft\EnterpriseCertificates\disallowed\  Key Change,Value Change
HKLM\Software\Microsoft\EnterpriseCertificates\root\  Key Change,Value Change
HKLM\Software\Microsoft\EnterpriseCertificates\trust\  Key Change,Value Change
HKLM\Software\Microsoft\SystemCertificates\AuthRoot\  Key Change,Value Change
HKLM\Software\Microsoft\SystemCertificates\ca\  Key Change,Value Change
HKLM\Software\Microsoft\SystemCertificates\disallowed\  Key Change,Value Change
HKLM\Software\Microsoft\SystemCertificates\root\  Key Change,Value Change
HKLM\Software\Microsoft\SystemCertificates\trust\  Key Change,Value Change
HKLM\Software\Microsoft\Tracing\RASAPI32  Attributes Change,Value Change,Security Descriptor Change
HKLM\Software\Policies\Microsoft\SystemCertificates  Key Change,Value Change
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5  Key Change
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9  Key Change
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\SystemCertificates\ca\  Key Change,Value Change
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\SystemCertificates\disallowed\  Key Change,Value Change
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\SystemCertificates\root\  Key Change,Value Change
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\SystemCertificates\trust\  Key Change,Value Change
HKU\S-1-5-21-842925246-1425521274-308236825-500\\Software\Policies\Microsoft\SystemCertificates  Key Change,Value Change

3.b) hhcbrnaff.exe - File Activities

  - Files Deleted:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab3.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp
C:\file.exe

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab3.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhgnrddkjee.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\tp7[1].exe

  - Files Read:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab3.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\hhcbrnaff.exe
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\WINDOWS\system32\dssenh.dll
C:\WINDOWS\system32\rsaenh.dll
PIPE\lsarpc
c:\autoexec.bat

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab1.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab3.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Cab5.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar2.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar4.tmp
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Tar6.tmp
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004info
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015info
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004info
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015info
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\tp7[1].exe
PIPE\lsarpc
\Device\Afd\AsyncConnectHlpinfo
\Device\Afd\Endpointinfo
\Device\RasAcdinfo

  - File System Control Communication:  
File Control Code Times
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\  0x00090028 
PIPE\lsarpc  0x0011C017  16 

  - Device Control Communication:  
File Control Code Times
\Device\KsecDD  0x00390008 
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047)  15 
\Device\Afd\Endpoint  AFD_BIND (0x00012003) 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037) 
\Device\Afd\Endpoint  AFD_GET_SOCK_NAME (0x0001202F) 
\Device\Afd\Endpoint  AFD_CONNECT (0x00012007) 
unnamed file  0x00120028 
\Device\Afd\Endpoint  AFD_SEND (0x0001201F) 
\Device\Afd\Endpoint  AFD_RECV (0x00012017)  106 
\Device\KsecDD  0x0039000E 
\Device\KsecDD  0x00390012 
\Device\Afd\Endpoint  AFD_SET_INFO (0x0001203B)  12 
\Device\Afd\AsyncConnectHlp  AFD_CONNECT (0x00012007) 
\Device\Afd\Endpoint  AFD_SELECT (0x00012024) 

  - Memory Mapped Files:  
File Name
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\Cabinet.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\WINHTTP.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\cryptnet.dll
C:\WINDOWS\system32\dssenh.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\schannel.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\setupapi.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\userenv.dll
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\xpsp2res.dll

  - Directories Monitored:  
Directory Watch subtree Notify Filter Count
C:\Documents and Settings\Administrator\Application Data\Microsoft\SystemCertificates\My  File Name Change,Directory Name Change,Name Change,Size Change,Last Write Change 

3.c) hhcbrnaff.exe - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
awcoomer.com  DNS_TYPE_A  78.157.201.219  YES  udp 
www.download.windowsupdate.com  DNS_TYPE_A  95.101.0.114 95.101.0.115 95.101.0.90 95.101.0.104 95.101.0.97  YES  udp 

  -  HTTP Conversations:  
From ANUBIS:1029 to 95.101.0.114:80 - [www.download.windowsupdate.com]
Request: GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt
Response: 200 "OK"
Request: GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab
Response: 200 "OK"

  -  TCP Connection Attempts:  
from ANUBIS:1028 to 78.157.201.219:443

3.d) hhcbrnaff.exe - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500
CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x7c90ff71 
International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org