[#############################################################################]
Analysis Report for 912c406c3558adae5497eeef740ed652
MD5: 912c406c3558adae5497eeef740ed652
[#############################################################################]

Summary:

 - Start/Install Windows service: This executable starts a Windows service. Services run with the highest level of privilege in Windows and are therefore useful for a number of malicious purposes.
 - Load driver: This executable loads a driver into the Windows kernel. Device drivers are used by advanced malware (rootkits) to operate stealthily and escape detection.
 - AV Hit: This executable is detected by antivirus software.
 - Modify system files: This executable modifies files in the Windows system directories.
 - Autostart capabilities: This executable registers processes to be executed at system start. This could result in unwanted actions being performed automatically.
 - Changes security settings of Internet Explorer: This system alteration could seriously affect the safety of browsing the World Wide Web.
 - Creates files in the Windows system directory: Malware often keeps copies of itself in the Windows directory to stay undetected by users.
 - Performs File Modification and Destruction: The executable modifies and destroys files which are not temporary.
 - Performs Registry Activities: The executable creates and/or modifies registry entries.
[=============================================================================]
Table of Contents
[=============================================================================]

 - General information
 - 912c406c35.exe
   a) Registry Activities
   b) File Activities
   c) Windows Service Activities
   d) Network Activities
 - services.exe
   a) Registry Activities
   b) File Activities
   c) Other Activities

[#############################################################################]
1. General Information
[#############################################################################]

[=============================================================================]
Information about Anubis' invocation
[=============================================================================]

Time needed:        251 s
Report created:     04/17/11, 04:34:49 UTC
Termination reason: Timeout
Program version:    1.75.3394

[#############################################################################]
2. 912c406c35.exe
[#############################################################################]

[=============================================================================]
General information about this executable
[=============================================================================]

Analysis Reason:                 Primary Analysis Subject
Filename:                        912c406c35.exe
MD5:                             912c406c3558adae5497eeef740ed652
SHA-1:                           17b4ca0dd6e89444d0672e417ee45bc5fedb462d
File Size:                       126976 Bytes
Command Line:                    "C:\912c406c35.exe"
Process-status at analysis end:  alive
Exit Code:                       0

[=============================================================================]
Load-time Dlls
[=============================================================================]

Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ]
Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ]

[=============================================================================]
Run-time Dlls
[=============================================================================]

Module Name: [ C:\WINDOWS\system32\ntoskrnl.exe ], Base Address: [0x01200000 ], Size: [0x00216680 ]
Module Name: [ C:\WINDOWS\system32\wmdrtc32.dll ], Base Address: [0x10000000 ], Size: [0x00015000 ]
Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ]
Module Name: [ C:\WINDOWS\system32\comctl32.dll ], Base Address: [0x5D090000 ], Size: [0x0009A000 ]
Module Name: [ C:\WINDOWS\System32\mswsock.dll ], Base Address: [0x71A50000 ], Size: [0x0003F000 ]
Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ]
Module Name: [ C:\WINDOWS\system32\wsock32.dll ], Base Address: [0x71AD0000 ], Size: [0x00009000 ]
Module Name: [ C:\WINDOWS\system32\sensapi.dll ], Base Address: [0x722B0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\LZ32.dll ], Base Address: [0x73DC0000 ], Size: [0x00003000 ]
Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ]
Module Name: [ C:\WINDOWS\system32\WINMM.dll ], Base Address: [0x76B40000 ], Size: [0x0002D000 ]
Module Name: [ C:\WINDOWS\system32\sfc.dll ], Base Address: [0x76BB0000 ], Size: [0x00005000 ]
Module Name: [ C:\WINDOWS\system32\WINTRUST.dll ], Base Address: [0x76C30000 ], Size: [0x0002E000 ]
Module Name: [ C:\WINDOWS\system32\sfc_os.dll ], Base Address: [0x76C60000 ], Size: [0x0002A000 ]
Module Name: [ C:\WINDOWS\system32\IMAGEHLP.dll ], Base Address: [0x76C90000 ], Size: [0x00028000 ]
Module Name: [ C:\WINDOWS\system32\rtutils.dll ], Base Address: [0x76E80000 ], Size: [0x0000E000 ]
Module Name: [ C:\WINDOWS\system32\rasman.dll ], Base Address: [0x76E90000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\TAPI32.dll ], Base Address: [0x76EB0000 ], Size: [0x0002F000 ]
Module Name: [ C:\WINDOWS\system32\RASAPI32.DLL ], Base Address: [0x76EE0000 ], Size: [0x0003C000 ]
Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ], Base Address: [0x76F20000 ], Size: [0x00027000 ]
Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ], Base Address: [0x76F60000 ], Size: [0x0002C000 ]
Module Name: [ C:\WINDOWS\System32\winrnr.dll ], Base Address: [0x76FB0000 ], Size: [0x00008000 ]
Module Name: [ C:\WINDOWS\system32\rasadhlp.dll ], Base Address: [0x76FC0000 ], Size: [0x00006000 ]
Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ], Base Address: [0x77120000 ], Size: [0x0008B000 ]
Module Name: [ C:\WINDOWS\system32\WININET.dll ], Base Address: [0x771B0000 ], Size: [0x000AA000 ]
Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ], Base Address: [0x773D0000 ], Size: [0x00103000 ]
Module Name: [ C:\WINDOWS\system32\ole32.dll ], Base Address: [0x774E0000 ], Size: [0x0013D000 ]
Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ], Base Address: [0x77A80000 ], Size: [0x00095000 ]
Module Name: [ C:\WINDOWS\system32\MSASN1.dll ], Base Address: [0x77B20000 ], Size: [0x00012000 ]
Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ]
Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ]
Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ]
Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ]
Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ], Base Address: [0x77F60000 ], Size: [0x00076000 ]
Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ]
Module Name: [ C:\WINDOWS\system32\shell32.dll ], Base Address: [0x7C9C0000 ], Size: [0x00817000 ]
Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ]
[=============================================================================]
Ikarus Virus Scanner
[=============================================================================]

Trojan.Fakealert (Sig-Id: 1480928)

[=============================================================================]
2.a) 912c406c35.exe - Registry Activities
[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Keys Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Deleted:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot ], Value Name: [ AlternateShell ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F} ], Value Name: [ ]
Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} ], Value Name: [ ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Modified:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

Key: [ HKLM\SYSTEM\CURRENTCONTROLSET\HARDWARE PROFILES\CURRENT\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Common AppData ], New Value: [ C:\Documents and Settings\All Users\Application Data ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Directory ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths ], Value Name: [ Paths ], New Value: [ 4 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path1 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path2 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path3 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CacheLimit ], New Value: [ 40852 ]
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Path4 ], Value Name: [ CachePath ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ AppData ], New Value: [ C:\Documents and Settings\Administrator\Application Data ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cache ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ Cookies ], New Value: [ C:\Documents and Settings\Administrator\Cookies ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders ], Value Name: [ History ], New Value: [ C:\Documents and Settings\Administrator\Local Settings\History ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ GlobalUserOffline ], New Value: [ 0 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ MigrateProxy ], New Value: [ 1 ]
Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], New Value: [ 0 ]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]
Registry Values Read:
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

Key: [ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ UrlEncoding ], Value: [ 0x00000000 ], 2 times
Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time
Key: [ HKLM\SYSTEM\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Tracing ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 1 time
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ ConsoleTracingMask ], Value: [ 4294901760 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableConsoleTracing ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ EnableFileTracing ], Value: [ 0 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileDirectory ], Value: [ %windir%\tracing ], 4 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ FileTracingMask ], Value: [ 4294901760 ], 2 times
Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Value Name: [ MaxFileSize ], Value: [ 1048576 ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ AllUsersProfile ], Value: [ All Users ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ DefaultUserProfile ], Value: [ Default User ], 2 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList ], Value Name: [ ProfilesDirectory ], Value: [ %SystemDrive%\Documents and Settings ], 4 times
Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-842925246-1425521274-308236825-500 ], Value Name: [ ProfileImagePath ], Value: [ %SystemDrive%\Documents and Settings\Administrator ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ CommonFilesDir ], Value: [ C:\Program Files\Common Files ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 2 times
Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Common AppData ], Value: [ %ALLUSERSPROFILE%\Application Data ], 1 time
Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], Value Name: [ ComputerName ], Value: [ PC ], 4 times
Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], Value Name: [ wheel ], Value: [ 1 ], 1 time
Key: [ HKLM\System\CurrentControlSet\Control\ProductOptions ], Value Name: [ ProductType ], Value: [ WinNT ], 1 time
Key: [
HKLM\System\CurrentControlSet\Control\SafeBoot ], Value Name: [ AlternateShell ], Value: [ cmd.exe ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\AppMgmt ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Base ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Boot file system ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\CryptSvc ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\DcomLaunch ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\EventLog ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\File system ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Filter ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\HelpSvc ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Netlogon ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PCI Configuration ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PNP Filter ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\PlugPlay ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\Primary disk ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SCSI Class ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\SRService ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinMgmt ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\dmserver ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sermouse.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys ], Value Name: [ FSFilter System Recovery ], Value: [ FSFilter System Recovery ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vga.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{36FC9E60-C465-11CF-8056-444553540000} ], Value Name: [ Universal Serial Bus controllers ], Value: [ Universal Serial Bus controllers ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318} ], Value Name: [ CD-ROM Drive ], Value: [ CD-ROM Drive ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318} ], Value Name: [ DiskDrive ], Value: [ DiskDrive ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Standard floppy disk controller ], Value: [ Standard floppy disk controller ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Hdc ], Value: [ Hdc ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Keyboard ], Value: [ Keyboard ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Mouse ], Value: [ Mouse ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318} ], Value Name: [ PCMCIA Adapters ], Value: [ PCMCIA Adapters ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ SCSIAdapter ], Value: [ SCSIAdapter ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318} ], Value Name: [ System ], Value: [ System ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Floppy disk drive ], Value: [ Floppy disk drive ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F} ], Value Name: [ Volume ], Value: [ Volume ], 
1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} ], Value Name: [ Human Interface Devices ], Value: [ Human Interface Devices ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AFD ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\AppMgmt ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Base ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Boot file system ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Browser ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\CryptSvc ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DcomLaunch ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Dhcp ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\DnsCache ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\EventLog ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\File system ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Filter ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\HelpSvc ], Value Name: [ Service ], Value: [ 
Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanServer ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LanmanWorkstation ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\LmHosts ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Messenger ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NDIS Wrapper ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Ndisuio ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOS ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBIOSGroup ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetBT ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetDDEGroup ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetMan ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Netlogon ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Network ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NetworkProvider ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\NtLmSsp ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PCI Configuration ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP Filter ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PNP_TDI ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\PlugPlay ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Primary disk ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\RpcSs ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SCSI Class ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SRService ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\SharedAccess ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Streams Drivers ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\TDI ], Value Name: [ Driver Group ], Value: [ Driver Group ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\Tcpip ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WZCSVC ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\WinMgmt ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmadmin ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmboot.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmio.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmload.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\dmserver ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ip6fw.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ipnat.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpcdd.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpdd.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdpwd.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\rdsessmgr ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sermouse.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\sr.sys ], Value Name: [ FSFilter System Recovery ], Value: [ FSFilter System Recovery ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdpipe.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\tdtcp.sys ], Value Name: [ 
Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\termservice ], Value Name: [ Service ], Value: [ Service ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vga.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\vgasave.sys ], Value Name: [ Driver ], Value: [ Driver ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{36FC9E60-C465-11CF-8056-444553540000} ], Value Name: [ Universal Serial Bus controllers ], Value: [ Universal Serial Bus controllers ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318} ], Value Name: [ CD-ROM Drive ], Value: [ CD-ROM Drive ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318} ], Value Name: [ DiskDrive ], Value: [ DiskDrive ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Standard floppy disk controller ], Value: [ Standard floppy disk controller ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Hdc ], Value: [ Hdc ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Keyboard ], Value: [ Keyboard ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Mouse ], Value: [ Mouse ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Net ], Value: [ Net ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318} ], Value Name: [ NetClient ], Value: [ NetClient ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318} ], Value Name: [ NetService ], Value: [ NetService ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318} ], Value Name: [ NetTrans ], Value: [ NetTrans ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318} ], Value Name: [ PCMCIA Adapters ], Value: [ PCMCIA Adapters ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318} ], Value Name: [ SCSIAdapter ], Value: [ SCSIAdapter ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318} ], Value Name: [ System ], Value: [ System ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318} ], Value Name: [ Floppy disk drive ], Value: [ Floppy disk drive ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F} ], Value Name: [ Volume ], Value: [ Volume ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\SafeBoot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} ], Value Name: [ Human Interface Devices ], Value: [ Human Interface Devices ], 1 time Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ ComSpec ], Value: [ %SystemRoot%\system32\cmd.exe ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ FP_NO_HOST_CHECK ], Value: [ NO ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ NUMBER_OF_PROCESSORS ], Value: [ 1 ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ OS ], Value: [ Windows_NT ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PATHEXT ], Value: [ 
.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_ARCHITECTURE ], Value: [ x86 ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_IDENTIFIER ], Value: [ x86 Family 6 Model 3 Stepping 3, GenuineIntel ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_LEVEL ], Value: [ 6 ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ PROCESSOR_REVISION ], Value: [ 0303 ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ Path ], Value: [ %SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TEMP ], Value: [ %SystemRoot%\TEMP ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ TMP ], Value: [ %SystemRoot%\TEMP ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Session Manager\Environment ], Value Name: [ windir ], Value: [ %SystemRoot% ], 4 times Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], Value Name: [ TSUserEnabled ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Domain ], Value: [ ], 3 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ Hostname ], Value: [ pc ], 3 times Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 4 times Key: [ 
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ DisplayString ], Value: [ NTDS ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value 
Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Enabled ], Value: [ 1 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time Key: [ 
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], Value Name: [ Version ], Value: [ 0 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. 
], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. 
], 1 time Key: [ HKLM\System\Setup ], Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], Value Name: [ TEMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Environment ], Value Name: [ TMP ], Value: [ %USERPROFILE%\Local Settings\Temp ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableHttp1_1 ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ EnableNegotiate ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ GlobalUserOffline ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ MimeExclusionListForCache ], Value: [ multipart/mixed multipart/x-mixed-replace multipart/x-byteranges ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings ], Value Name: [ WarnOnPost ], Value: [ 0x01000000 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows NT\CurrentVersion\Winlogon ], Value Name: [ ParseAutoexec ], Value: [ 1 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ AppData ], Value: [ %USERPROFILE%\Application Data ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cache ], Value: [ %USERPROFILE%\Local Settings\Temporary Internet Files ], 3 times Key: [ 
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Cookies ], Value: [ %USERPROFILE%\Cookies ], 3 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ History ], Value: [ %USERPROFILE%\Local Settings\History ], 3 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Local Settings ], Value: [ %USERPROFILE%\Local Settings ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders ], Value Name: [ Personal ], Value: [ %USERPROFILE%\My Documents ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache ], Value Name: [ Signature ], Value: [ Client UrlCache MMF Ver 5.2 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CacheLimit ], Value: [ 163410 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ CachePrefix ], Value: [ ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ CachePrefix ], Value: [ Cookie: ], 2 times Key: [ 
HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CacheOptions ], Value: [ 11 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021720110218\ ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CachePrefix ], Value: [ :2011021720110218: ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021720110218 ], Value Name: [ CacheRepair ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CacheOptions ], Value: [ 11 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: 
[ CachePath ], Value: [ %USERPROFILE%\Local Settings\History\History.IE5\MSHist012011021820110219\ ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CachePrefix ], Value: [ :2011021820110219: ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012011021820110219 ], Value Name: [ CacheRepair ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CacheLimit ], Value: [ 8192 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ CachePrefix ], Value: [ Visited: ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History ], Value Name: [ PerUserItem ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ], Value Name: [ CTFMON.EXE ], Value: [ C:\WINDOWS\system32\ctfmon.exe ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Run ], Value Name: [ MSMSGS ], Value: [ "C:\Program Files\Messenger\msmsgs.exe" /background ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ MigrateProxy ], Value: [ 1 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings ], Value Name: [ ProxyEnable ], Value: [ 0 ], 1 time Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ 
DefaultConnectionSettings ], Value: [ 0x3c0000000300000001000000000000000000000000000000040000000000 ], 2 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections ], Value Name: [ SavedLegacySettings ], Value: [ 0x3c0000001500000001000000000000000000000000000000040000000000 ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ APPDATA ], Value: [ C:\Documents and Settings\Administrator\Application Data ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ CLIENTNAME ], Value: [ Console ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMEDRIVE ], Value: [ C: ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMEPATH ], Value: [ \Documents and Settings\Administrator ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ HOMESHARE ], Value: [ ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ LOGONSERVER ], Value: [ \\PC ], 4 times Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Volatile Environment ], Value Name: [ SESSIONNAME ], Value: [ Console ], 4 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Monitored Registry Keys: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\Software\Microsoft\Tracing\RASAPI32 ], Watch subtree: [ 0 ], Notify Filter: [ Attributes Change,Value Change,Security Descriptor Change ], 2 times Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 
time [=============================================================================] 2.b) 912c406c35.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\KUKU400alpha ] File Name: [ C:\WINDOWS\system32\drivers\jookin.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\KUKU400alpha ] File Name: [ C:\WINDOWS\system32\drivers\jookin.sys ] File Name: [ C:\WINDOWS\system32\wmdrtc32.dl_ ] File Name: [ C:\WINDOWS\system32\wmdrtc32.dll ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\SYSTEM.INI ] File Name: [ C:\WINDOWS\system32\wmdrtc32.dl_ ] File Name: [ PIPE\SfcApi ] File Name: [ PIPE\lsarpc ] File Name: [ c:\autoexec.bat ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\SYSTEM.INI ] File Name: [ C:\WINDOWS\system32\drivers\jookin.sys ] File Name: [ C:\WINDOWS\system32\wmdrtc32.dl_ ] File Name: [ C:\WINDOWS\system32\wmdrtc32.dll ] File Name: [ NdisFileServices32 ] File Name: [ PIPE\SfcApi ] File Name: [ PIPE\lsarpc ] File Name: [ \Device\RasAcd ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 16 times File: [ PIPE\SfcApi 
], Control Code: [ 0x0011C017 ], 2 times [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Device Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times File: [ \Device\RasAcd ], Control Code: [ 0x00F14014 ], 1 time [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Memory Mapped Files: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ C:\WINDOWS\System32\mswsock.dll ] File Name: [ C:\WINDOWS\System32\winrnr.dll ] File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll ] File Name: [ C:\WINDOWS\WindowsShell.Manifest ] File Name: [ C:\WINDOWS\system32\DNSAPI.dll ] File Name: [ C:\WINDOWS\system32\RASAPI32.DLL ] File Name: [ C:\WINDOWS\system32\TAPI32.dll ] File Name: [ C:\WINDOWS\system32\WININET.dll ] File Name: [ C:\WINDOWS\system32\WINMM.dll ] File Name: [ C:\WINDOWS\system32\WS2HELP.dll ] File Name: [ C:\WINDOWS\system32\WS2_32.dll ] File Name: [ C:\WINDOWS\system32\comctl32.dll ] File Name: [ C:\WINDOWS\system32\ntoskrnl.exe ] File Name: [ C:\WINDOWS\system32\rasadhlp.dll ] File Name: [ C:\WINDOWS\system32\rasman.dll ] File Name: [ C:\WINDOWS\system32\rtutils.dll ] File Name: [ C:\WINDOWS\system32\sensapi.dll ] File Name: [ C:\WINDOWS\system32\sfc.dll ] File Name: [ C:\WINDOWS\system32\sfc_os.dll ] File Name: [ C:\WINDOWS\system32\shell32.dll ] File Name: [ C:\WINDOWS\system32\wmdrtc32.dll ] File Name: [ C:\WINDOWS\system32\wsock32.dll ] [=============================================================================] 2.c) 912c406c35.exe - Windows Service Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Started: 
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ IPFILTERDRIVER ] Service: [ NdisFileServices32 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ NdisFileServices32 ], Type: [ SERVICE_AUTO_START ], Path: [ C:\WINDOWS\system32\drivers\jookin.sys ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ ALG ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Services Changed: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Service: [ ALG ], Control Code: [ SERVICE_CONTROL_STOP ] [=============================================================================] 2.d) 912c406c35.exe - Network Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] DNS Queries: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Name: [ www.microsoft.com ], Query Type: [ DNS_TYPE_A ], Query Result: [ 65.55.21.250 ], Successful: [ YES ], Protocol: [ udp ] [#############################################################################] 3. services.exe [#############################################################################] [=============================================================================] General information about this executable [=============================================================================] Analysis Reason: A service was started. 
Filename: services.exe MD5: 0e776ed5f7cc9f94299e70461b7b8185 SHA-1: cb5a33cec4c7b8ef4bd5dc8c241005b66b26cbbf File Size: 108544 Bytes Command Line: C:\WINDOWS\system32\services.exe Process-status at analysis end: alive Exit Code: 0 [=============================================================================] Load-time Dlls [=============================================================================] Module Name: [ C:\WINDOWS\system32\ntdll.dll ], Base Address: [0x7C900000 ], Size: [0x000AF000 ] Module Name: [ C:\WINDOWS\system32\kernel32.dll ], Base Address: [0x7C800000 ], Size: [0x000F6000 ] Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ], Base Address: [0x77DD0000 ], Size: [0x0009B000 ] Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ], Base Address: [0x77E70000 ], Size: [0x00092000 ] Module Name: [ C:\WINDOWS\system32\Secur32.dll ], Base Address: [0x77FE0000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\msvcrt.dll ], Base Address: [0x77C10000 ], Size: [0x00058000 ] Module Name: [ C:\WINDOWS\system32\NCObjAPI.DLL ], Base Address: [0x5F770000 ], Size: [0x0000C000 ] Module Name: [ C:\WINDOWS\system32\MSVCP60.dll ], Base Address: [0x76080000 ], Size: [0x00065000 ] Module Name: [ C:\WINDOWS\system32\SCESRV.dll ], Base Address: [0x7DBD0000 ], Size: [0x00051000 ] Module Name: [ C:\WINDOWS\system32\AUTHZ.dll ], Base Address: [0x776C0000 ], Size: [0x00012000 ] Module Name: [ C:\WINDOWS\system32\USER32.dll ], Base Address: [0x7E410000 ], Size: [0x00091000 ] Module Name: [ C:\WINDOWS\system32\GDI32.dll ], Base Address: [0x77F10000 ], Size: [0x00049000 ] Module Name: [ C:\WINDOWS\system32\USERENV.dll ], Base Address: [0x769C0000 ], Size: [0x000B4000 ] Module Name: [ C:\WINDOWS\system32\umpnpmgr.dll ], Base Address: [0x7DBA0000 ], Size: [0x00021000 ] Module Name: [ C:\WINDOWS\system32\WINSTA.dll ], Base Address: [0x76360000 ], Size: [0x00010000 ] Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ], Base Address: [0x5B860000 ], Size: [0x00055000 ] Module Name: [ 
C:\WINDOWS\system32\ShimEng.dll ], Base Address: [0x5CB70000 ], Size: [0x00026000 ] Module Name: [ C:\WINDOWS\AppPatch\AcAdProc.dll ], Base Address: [0x47260000 ], Size: [0x0000F000 ] Module Name: [ C:\WINDOWS\system32\Apphelp.dll ], Base Address: [0x77B40000 ], Size: [0x00022000 ] Module Name: [ C:\WINDOWS\system32\VERSION.dll ], Base Address: [0x77C00000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\eventlog.dll ], Base Address: [0x77B70000 ], Size: [0x00011000 ] Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ], Base Address: [0x76BF0000 ], Size: [0x0000B000 ] Module Name: [ C:\WINDOWS\system32\WS2_32.dll ], Base Address: [0x71AB0000 ], Size: [0x00017000 ] Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ], Base Address: [0x71AA0000 ], Size: [0x00008000 ] Module Name: [ C:\WINDOWS\system32\wtsapi32.dll ], Base Address: [0x76F50000 ], Size: [0x00008000 ] [=============================================================================] 3.a) services.exe - Registry Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Created: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32\Security ] Key: [ HKLM\SYSTEM\CONTROLSET001\CONTROL\CLASS\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Keys Deleted: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\System\CurrentControlSet\Control\Class\{8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ALG\0000\Control ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ALG\0000 ] Key: [ HKLM\System\CurrentControlSet\Enum\Root\LEGACY_ALG ] Key: [ 
HKLM\System\CurrentControlSet\Services\ALG\Security ] Key: [ HKLM\System\CurrentControlSet\Services\ALG\Enum ] Key: [ HKLM\System\CurrentControlSet\Services\ALG ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_ALG\0000 ], Value Name: [ Driver ], New Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ] Key: [ HKLM\System\CurrentControlSet\Services\ALG ], Value Name: [ DeleteFlag ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\ALG ], Value Name: [ Start ], New Value: [ 4 ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ], Value Name: [ DisplayName ], New Value: [ NdisFileServices32 ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ], Value Name: [ ErrorControl ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ], Value Name: [ ImagePath ], New Value: [ \??\C:\WINDOWS\system32\drivers\jookin.sys ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ], Value Name: [ Start ], New Value: [ 2 ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ], Value Name: [ Type ], New Value: [ 1 ] Key: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32\Security ], Value Name: [ Security ], New Value: [ 0x01001480900000009c000000140000003000000002001c00010000000280 ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Registry Values Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_ALG\0000 ], Value Name: [ ClassGUID ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1} ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\ENUM\Root\LEGACY_ALG\0000 ], Value Name: [ Driver ], Value: [ {8ECC055D-047F-11D1-A537-0000F8753ED1}\0000 ], 2 times Key: [ 
HKLM\SYSTEM\CONTROLSET001\SERVICES\ALG\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_ALG\0000 ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\ALG\Enum ], Value Name: [ Count ], Value: [ 1 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\IPSec\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_IPSEC\0000 ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\IPSec\Enum ], Value Name: [ Count ], Value: [ 1 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\IpFilterDriver\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_IPFILTERDRIVER\0000 ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\IpFilterDriver\Enum ], Value Name: [ Count ], Value: [ 1 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\NdisFileServices32\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_NDISFILESERVICES32\0000 ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\NdisFileServices32\Enum ], Value Name: [ Count ], Value: [ 1 ], 2 times Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\Tcpip\Enum ], Value Name: [ 0 ], Value: [ Root\LEGACY_TCPIP\0000 ], 1 time Key: [ HKLM\SYSTEM\CONTROLSET001\SERVICES\Tcpip\Enum ], Value Name: [ Count ], Value: [ 1 ], 2 times Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19 ], Value Name: [ RefCount ], Value: [ 2 ], 1 time Key: [ HKLM\System\CurrentControlSet\Services\ALG ], Value Name: [ ObjectName ], Value: [ NT AUTHORITY\LocalService ], 1 time [=============================================================================] 3.b) services.exe - File Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Read: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Files Modified: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File Name: [ 
C:\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER, Flags: Named pipe ] File Name: [ C:\WINDOWS\system32\config\SysEvent.Evt ] File Name: [ PIPE\lsarpc ] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File System Control Communication: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] File: [ C:\net\NtControlPipe9, Flags: Named pipe ], Control Code: [ 0x0011C017 ], 2 times File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 3 times [=============================================================================] 3.c) services.exe - Other Activities [=============================================================================] [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Drivers Loaded: [=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=] Driver: [ HKLM\System\CurrentControlSet\Services\IpFilterDriver ] Driver: [ HKLM\System\CurrentControlSet\Services\NdisFileServices32 ] [#############################################################################] International Secure Systems Lab http://www.iseclab.org Vienna University of Technology Eurecom France UC Santa Barbara http://www.tuwien.ac.at http://www.eurecom.fr http://www.cs.ucsb.edu Contact: anubis@iseclab.org