anubis left
Anubis - Analysis Report
anubis right

Analysis Report for output.197664.txt

 Comment on this report

Summary:

Description Risk
Changes security settings of Internet Explorer: This system alteration could seriously affect safety surfing the World Wide Web. medium
Performs File Modification and Destruction: The executable modifies and destructs files which are not temporary. high
Performs Registry Activities: The executable reads and modifies registry values. It may also create and monitor registry keys. low


Table of Contents
expand all expand all   collapse all collapse all

1. General Information

  - Information about Anubis' invocation  
Time needed: 240 s 
Report created: 09/17/09, 00:45:07 UTC 
Termination reason: Timeout 
Program version: 1.72.0 

1.a) - Network Activity

  -  Unknown UDP Traffic:  
from ANUBIS:1025 to 192.168.0.1:53
State: Normal establishment and termination - Transferred outbound Bytes: 64 - Transferred inbound Bytes: 206

2. output.197664.txt

  - General information about this executable  
Analysis Reason: Primary Analysis Subject 
Filename: output.197664.txt 
MD5: 321b7f529887eafd07fefe6b8ce467df 
SHA-1: 8c0c31b1fcf20d103b05c9ba8d4b0d00e8ecefe4 
File Size: 42496 Bytes
Command Line: "C:\output.197664.txt"  
Process-status at analysis end: alive 
Exit Code:

  - Load-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​ntdll.dll  0x7C900000  0x000AF000 
C:\​output.197664.txt  0x00400000  0x00022000 
C:\​WINDOWS\​system32\​kernel32.dll  0x7C800000  0x000F6000 
C:\​WINDOWS\​system32\​ADVAPI32.dll  0x77DD0000  0x0009B000 
C:\​WINDOWS\​system32\​RPCRT4.dll  0x77E70000  0x00092000 
C:\​WINDOWS\​system32\​Secur32.dll  0x77FE0000  0x00011000 
C:\​WINDOWS\​system32\​iphlpapi.dll  0x76D60000  0x00019000 
C:\​WINDOWS\​system32\​msvcrt.dll  0x77C10000  0x00058000 
C:\​WINDOWS\​system32\​USER32.dll  0x7E410000  0x00091000 
C:\​WINDOWS\​system32\​GDI32.dll  0x77F10000  0x00049000 
C:\​WINDOWS\​system32\​WS2_32.dll  0x71AB0000  0x00017000 
C:\​WINDOWS\​system32\​WS2HELP.dll  0x71AA0000  0x00008000 
C:\​WINDOWS\​system32\​MFC42.DLL  0x73DD0000  0x000FE000 
C:\​WINDOWS\​system32\​ole32.dll  0x774E0000  0x0013D000 
C:\​WINDOWS\​system32\​OLEACC.dll  0x74C80000  0x0002C000 
C:\​WINDOWS\​system32\​MSVCP60.dll  0x76080000  0x00065000 
C:\​WINDOWS\​system32\​OLEAUT32.dll  0x77120000  0x0008B000 
C:\​WINDOWS\​system32\​SHELL32.dll  0x7C9C0000  0x00817000 
C:\​WINDOWS\​system32\​SHLWAPI.dll  0x77F60000  0x00076000 
C:\​WINDOWS\​system32\​WININET.dll  0x771B0000  0x000AA000 
C:\​WINDOWS\​system32\​CRYPT32.dll  0x77A80000  0x00095000 
C:\​WINDOWS\​system32\​MSASN1.dll  0x77B20000  0x00012000 
C:\​WINDOWS\​WinSxS\​x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\​comctl32.dll  0x773D0000  0x00103000 
C:\​WINDOWS\​system32\​comctl32.dll  0x5D090000  0x0009A000 

  - Run-time Dlls  
Module Name Base Address Size
C:\​WINDOWS\​system32\​xpsp2res.dll  0x00DF0000  0x002C5000 
C:\​DOCUME~1\​ADMINI~1\​LOCALS~1\​Temp\​2.tmp  0x10000000  0x0000E000 
C:\​WINDOWS\​system32\​NETAPI32.dll  0x5B860000  0x00055000 
C:\​WINDOWS\​system32\​hnetcfg.dll  0x662B0000  0x00058000 
C:\​WINDOWS\​system32\​shdoclc.dll  0x71800000  0x00088000 
C:\​WINDOWS\​System32\​mswsock.dll  0x71A50000  0x0003F000 
C:\​WINDOWS\​System32\​wshtcpip.dll  0x71A90000  0x00008000 
C:\​WINDOWS\​system32\​wsock32.dll  0x71AD0000  0x00009000 
C:\​WINDOWS\​system32\​sensapi.dll  0x722B0000  0x00005000 
C:\​WINDOWS\​system32\​msls31.dll  0x746C0000  0x00027000 
C:\​WINDOWS\​system32\​msimtf.dll  0x746F0000  0x0002A000 
C:\​WINDOWS\​system32\​MSCTF.dll  0x74720000  0x0004C000 
C:\​WINDOWS\​system32\​RichEd20.dll  0x74E30000  0x0006D000 
C:\​WINDOWS\​system32\​CRYPTUI.dll  0x754D0000  0x00080000 
C:\​WINDOWS\​system32\​jscript.dll  0x75C50000  0x0007D000 
C:\​WINDOWS\​system32\​mlang.dll  0x75CF0000  0x00091000 
C:\​WINDOWS\​system32\​USERENV.dll  0x769C0000  0x000B4000 
C:\​WINDOWS\​system32\​WINMM.dll  0x76B40000  0x0002D000 
C:\​WINDOWS\​system32\​PSAPI.DLL  0x76BF0000  0x0000B000 
C:\​WINDOWS\​system32\​WINTRUST.dll  0x76C30000  0x0002E000 
C:\​WINDOWS\​system32\​IMAGEHLP.dll  0x76C90000  0x00028000 
C:\​WINDOWS\​system32\​rtutils.dll  0x76E80000  0x0000E000 
C:\​WINDOWS\​system32\​rasman.dll  0x76E90000  0x00012000 
C:\​WINDOWS\​system32\​TAPI32.dll  0x76EB0000  0x0002F000 
C:\​WINDOWS\​system32\​RASAPI32.DLL  0x76EE0000  0x0003C000 
C:\​WINDOWS\​system32\​DNSAPI.dll  0x76F20000  0x00027000 
C:\​WINDOWS\​system32\​WLDAP32.dll  0x76F60000  0x0002C000 
C:\​WINDOWS\​System32\​winrnr.dll  0x76FB0000  0x00008000 
C:\​WINDOWS\​system32\​rasadhlp.dll  0x76FC0000  0x00006000 
C:\​WINDOWS\​system32\​CLBCATQ.DLL  0x76FD0000  0x0007F000 
C:\​WINDOWS\​system32\​COMRes.dll  0x77050000  0x000C5000 
C:\​WINDOWS\​system32\​appHelp.dll  0x77B40000  0x00022000 
C:\​WINDOWS\​system32\​VERSION.dll  0x77C00000  0x00008000 
C:\​WINDOWS\​system32\​mshtml.dll  0x7DC30000  0x002F2000 
C:\​WINDOWS\​system32\​urlmon.dll  0x7E1E0000  0x000A2000 
C:\​WINDOWS\​system32\​shdocvw.dll  0x7E290000  0x00171000 
C:\​WINDOWS\​system32\​SXS.DLL  0x7E720000  0x000B0000 

  - SigBuster Output  
UPX All_Versions SN:1634

  - Ikarus Virus Scanner  
Trojan-Downloader.Win32.IstBar (Sig-Id:387156)

2.a) output.197664.txt - Registry Activities

  - Registry Keys Created:  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​P3P
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​P3P\​History

  - Registry Values Modified:  
Key Name New Value
HKLM\​SYSTEM\​CURRENTCONTROLSET\​HARDWARE PROFILES\​CURRENT\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info ProxyEnable 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main  info BandRest  Never 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Common AppData  C:\​Documents and Settings\​All Users\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths  info Directory  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths  info Paths 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path1  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path1  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache1 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path2  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path2  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache2 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path3  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path3  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache3 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path4  info CacheLimit  40852 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Cache\​Paths\​Path4  info CachePath  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files\​Content.IE5\​Cache4 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Main  info BandRest  Never 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  AppData  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cache  C:\​Documents and Settings\​Administrator\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  Cookies  C:\​Documents and Settings\​Administrator\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​Shell Folders  History  C:\​Documents and Settings\​Administrator\​Local Settings\​History 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info IntranetName 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info ProxyBypass 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  info UNCAsIntranet 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info MigrateProxy 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  info ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  info DefaultConnectionSettings  0x3c0000000300000001000000000000000000000000000000040000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  info SavedLegacySettings  0x3c0000000500000009000000000000000000000000000000000000000000 

  - Registry Values Read:  
Key Name Value Times
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-INTERNET-SIGNUP  Default  0x00000000 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-INTERNET-SIGNUP  DllFile  %SystemRoot%\​system32\​iedkcs32.dll 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-INTERNET-SIGNUP  FileExtensions  .ins 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  Default  0x01000000 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  DllFile  %SystemRoot%\​system32\​jsproxy.dll 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  FileExtensions  .pac;.jvs;.js 
HKLM\​SOFTWARE\​CLASSES\​AUTOPROXYTYPES\​APPLICATION/X-NS-PROXY-AUTOCONFIG  Flags  0x01000000 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{00021401-0000-0000-C000-000000000046}\​INPROCSERVER32    shell32.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{00021401-0000-0000-C000-000000000046}\​INPROCSERVER32  ThreadingModel  Apartment 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{25336920-03F9-11CF-8FD0-00AA00686F13}\​INPROCSERVER32    %SystemRoot%\​system32\​mshtml.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{25336920-03F9-11CF-8FD0-00AA00686F13}\​INPROCSERVER32  ThreadingModel  Apartment 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{25336920-03F9-11CF-8FD0-00AA00686F13}\​PROGID    htmlfile 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\​INPROCSERVER32    %SystemRoot%\​system32\​mshtml.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{3050F406-98B5-11CF-BB82-00AA00BDCE0B}\​INPROCSERVER32  ThreadingModel  Apartment 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{50D5107A-D278-4871-8989-F4CEAAF59CFC}\​INPROCSERVER32    C:\​WINDOWS\​system32\​msimtf.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{50D5107A-D278-4871-8989-F4CEAAF59CFC}\​INPROCSERVER32  ThreadingModel  Apartment 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\​INPROCSERVER32    C:\​WINDOWS\​system32\​urlmon.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{7B8A2D94-0AC9-11D1-896C-00C04FB6BFC4}\​INPROCSERVER32  ThreadingModel  Both 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{8856F961-340A-11D0-A96B-00C04FD705A2}\​INPROCSERVER32    C:\​WINDOWS\​system32\​shdocvw.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{8856F961-340A-11D0-A96B-00C04FD705A2}\​INPROCSERVER32  ThreadingModel  Apartment 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\​INPROCSERVER32    C:\​WINDOWS\​system32\​jscript.dll 
HKLM\​SOFTWARE\​CLASSES\​CLSID\​{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\​INPROCSERVER32  ThreadingModel  Both 
HKLM\​SOFTWARE\​CLASSES\​INTERFACE\​{000214E6-0000-0000-C000-000000000046}\​PROXYSTUBCLSID32    {bf50b68e-29b8-4386-ae9c-9734d5117cd5} 
HKLM\​SOFTWARE\​CLASSES\​INTERFACE\​{79EAC9C4-BAF9-11CE-8C82-00AA004BA90B}\​PROXYSTUBCLSID32    {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} 
HKLM\​SOFTWARE\​CLASSES\​INTERFACE\​{93F2F68C-1D1B-11D3-A30E-00C04F79ABD1}\​PROXYSTUBCLSID32    {bf50b68e-29b8-4386-ae9c-9734d5117cd5} 
HKLM\​SOFTWARE\​CLASSES\​INTERFACE\​{B722BCCB-4E68-101B-A2BC-00AA00404770}\​PROXYSTUBCLSID32    {B8DA6310-E19B-11D0-933C-00A0C90DCAA9} 
HKLM\​SOFTWARE\​CLASSES\​INTERFACE\​{EAB22AC1-30C1-11CF-A7EB-0000C05BAE0B}\​TYPELIB    {EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B} 
HKLM\​SOFTWARE\​CLASSES\​MIME\​DATABASE\​CONTENT TYPE\​TEXT/HTML  Extension  .htm 
HKLM\​SOFTWARE\​CLASSES\​TYPELIB\​{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}\​1.1\​0\​WIN32    C:\​WINDOWS\​system32\​shdocvw.dll 
HKLM\​SOFTWARE\​CLASSES\​XML\​CLSID    {989D1DC0-B162-11D1-B6EC-D27DDCF9A923} 
HKLM\​SOFTWARE\​Classes\​PROTOCOLS\​Handler\​about  CLSID  {3050F406-98B5-11CF-BB82-00AA00BDCE0B} 
HKLM\​SOFTWARE\​Microsoft\​CTF\​SystemShared\​  CUAS 
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  UrlEncoding  0x00000000 
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​User Agent\​Post Platform  SV1   
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​User Agent\​UA Tokens     
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​User Agent\​UA Tokens  MSN 2.0   
HKLM\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​User Agent\​UA Tokens  MSN 2.5   
HKLM\​SYSTEM\​CurrentControlSet\​Control\​Session Manager  CriticalSectionTimeout  2592000 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​NetBT\​Linkage  Export  0x5c004400650076006900630065005c004e0065007400420054005f005400 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Linkage  Bind  0x5c004400650076006900630065005c007b00310041004400340035004200 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Interfaces\​{1AD45B38-4060-4F73-BB1E-A0439A2D97EB}  DhcpServer  255.255.255.255 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Interfaces\​{1AD45B38-4060-4F73-BB1E-A0439A2D97EB}  EnableDHCP 
HKLM\​SYSTEM\​CurrentControlSet\​Services\​Winsock\​Parameters  Transports  0x5400630070006900700000004e0065007400420049004f00530000000000 
HKLM\​SYSTEM\​Setup  SystemSetupInProgress 
HKLM\​Software\​Classes\​CLSID\​{00021401-0000-0000-c000-000000000046}\​InProcServer32    shell32.dll 
HKLM\​Software\​Microsoft\​COM3  COM+Enabled 
HKLM\​Software\​Microsoft\​COM3  Com+Enabled 
HKLM\​Software\​Microsoft\​COM3  REGDBVersion  0x0700000000000000  23 
HKLM\​Software\​Microsoft\​Internet Explorer  IntegratedBrowser 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{E2E2DD38-D088-4134-82B7-F2BA38496583}  Exec  %windir%\​Network Diagnostic\​xpnetdiag.exe 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{E2E2DD38-D088-4134-82B7-F2BA38496583}  MenuText  @xpsp3res.dll,-20001 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{FB5F1910-F110-11D2-BB9E-00C04F795683}  ButtonText  Messenger 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{FB5F1910-F110-11D2-BB9E-00C04F795683}  Default Visible  Yes 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{FB5F1910-F110-11D2-BB9E-00C04F795683}  Exec  C:\​Program Files\​Messenger\​msmsgs.exe 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{FB5F1910-F110-11D2-BB9E-00C04F795683}  MenuText  Windows Messenger 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{FB5F1910-F110-11d2-BB9E-00C04F795683}  clsid  {1FBA04EE-3024-11D2-8F1F-0000F87ABD16} 
HKLM\​Software\​Microsoft\​Internet Explorer\​Extensions\​{e2e2dd38-d088-4134-82b7-f2ba38496583}  clsid  {1FBA04EE-3024-11d2-8F1F-0000F87ABD16} 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_BEHAVIORS 
HKLM\​Software\​Microsoft\​Internet Explorer\​Main\​FeatureControl\​FEATURE_DISABLE_MK_PROTOCOL 
HKLM\​Software\​Microsoft\​Internet Explorer\​URL Compatibility\​~/CONNWIZ.HTM  Compatibility Flags 
HKLM\​Software\​Microsoft\​Internet Explorer\​URL Compatibility\​~/CWIZINTR.HTM  Compatibility Flags 
HKLM\​Software\​Microsoft\​Internet Explorer\​Version Vector  IE  6.0000 
HKLM\​Software\​Microsoft\​Internet Explorer\​Version Vector  VML  1.0 
HKLM\​Software\​Microsoft\​Tracing  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  ConsoleTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableConsoleTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  EnableFileTracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileDirectory  %windir%\​tracing 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  FileTracingMask  4294901760 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  MaxFileSize  1048576 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  AllUsersProfile  All Users 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  DefaultUserProfile  Default User 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList  ProfilesDirectory  %SystemDrive%\​Documents and Settings 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  CentralProfile   
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  Flags 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  ProfileImagePath  %SystemDrive%\​Documents and Settings\​Administrator 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  ProfileLoadTimeHigh  30014298 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  ProfileLoadTimeLow  833226792 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​ProfileList\​S-1-5-21-842925246-1425521274-308236825-500  State  256 
HKLM\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Windows  AppInit_DLLs   
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  CommonFilesDir  C:\​Program Files\​Common Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion  ProgramFilesDir  C:\​Program Files 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​App Paths\​ICWCONN1.EXE  Path  C:\​Program Files\​Internet Explorer\​Connection Wizard; 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Common AppData  %ALLUSERSPROFILE%\​Application Data 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Accepted Documents  image/gif 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Accepted Documents  image/x-xbitmap 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Accepted Documents  image/jpeg 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Accepted Documents  image/pjpeg 
HKLM\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Accepted Documents  flash  application/x-shockwave-flash 
HKLM\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  UrlEncoding  0x00000000 
HKLM\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Url History  DaysToKeep  0x14000000 
HKLM\​Software\​Policies\​Microsoft\​Windows\​Safer\​CodeIdentifiers  TransparentEnabled 
HKLM\​System\​CurrentControlSet\​Control\​ComputerName\​ActiveComputerName  ComputerName  PC 
HKLM\​System\​CurrentControlSet\​Control\​MediaProperties\​PrivateProperties\​Joystick\​Winmm  wheel 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​CodePage  950  c_950.nls 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Language Groups 
HKLM\​System\​CurrentControlSet\​Control\​Nls\​Locale  00000C07 
HKLM\​System\​CurrentControlSet\​Control\​ProductOptions  ProductType  WinNT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  ComSpec  %SystemRoot%\​system32\​cmd.exe 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  FP_NO_HOST_CHECK  NO 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  NUMBER_OF_PROCESSORS 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  OS  Windows_NT 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PATHEXT  .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_ARCHITECTURE  x86 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_IDENTIFIER  x86 Family 6 Model 3 Stepping 3, GenuineIntel 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_LEVEL 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  PROCESSOR_REVISION  0303 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  Path  %SystemRoot%\​system32;%SystemRoot%;%SystemRoot%\​System32\​Wbem 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TEMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  TMP  %SystemRoot%\​TEMP 
HKLM\​System\​CurrentControlSet\​Control\​Session Manager\​Environment  windir  %SystemRoot% 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSAppCompat 
HKLM\​System\​CurrentControlSet\​Control\​Terminal Server  TSUserEnabled 
HKLM\​System\​CurrentControlSet\​Services\​LDAP  LdapClientIntegrity 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Domain    10 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  Hostname  pc  10 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  NameServer   
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters  UseDomainNameDevolution 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  HelperDllName  %SystemRoot%\​System32\​wshtcpip.dll 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  Mapping  0x0b0000000300000002000000010000000600000002000000010000000000 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MaxSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  MinSockaddrLength  16 
HKLM\​System\​CurrentControlSet\​Services\​Tcpip\​Parameters\​Winsock  UseDelayedAcceptance 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters  WinSock_Registry_Version  2.0 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Num_Catalog_Entries 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  DisplayString  Tcpip 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  ProviderId  0x409d05229e7ecf11ae5a00aa00a7112b 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  SupportedNameSpace  12 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000001  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  DisplayString  NTDS 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  LibraryPath  %SystemRoot%\​System32\​winrnr.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  ProviderId  0xee37263b80e5cf11a55500c04fd8d4ac 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  SupportedNameSpace  32 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000002  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  DisplayString  Network Location Awareness (NLA) Namespace 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Enabled 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  LibraryPath  %SystemRoot%\​System32\​mswsock.dll 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  ProviderId  0x3a244266a83ba64abaa52e0bd71fdd83 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  StoresServiceClassInfo 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  SupportedNameSpace  15 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5\​Catalog_Entries\​000000000003  Version 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Next_Catalog_Entry_ID  1012 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Num_Catalog_Entries  11 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Serial_Access_Num 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000001  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000002  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000003  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000004  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000005  PackedCatalogItem  %SystemRoot%\​system32\​rsvpsp.d 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000006  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000007  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000008  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000009  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000010  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9\​Catalog_Entries\​000000000011  PackedCatalogItem  %SystemRoot%\​system32\​mswsock. 
HKLM\​System\​Setup  SystemSetupInProgress 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Control Panel\​International  NumShape 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Environment  TEMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Environment  TMP  %USERPROFILE%\​Local Settings\​Temp 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Language Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Keyboard Layout\​Toggle  Layout Hotkey 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​CTF\​TIP\​{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\​LanguageProfile\​0x00000409\​{09EA4E4B-46CE-4469-B450-0DE76A435BBB}  Enable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​CTF\​TIP\​{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\​LanguageProfile\​0x00000c07\​{09EA4E4B-46CE-4469-B450-0DE76A435BBB}  Enable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Internet Explorer\​Security\​P3Global  Enabled 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableHttp1_1 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  EnableNegotiate 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  MimeExclusionListForCache  multipart/mixed multipart/x-mixed-replace multipart/x-byteranges  
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  User Agent  Mozilla/4.0 (compatible; MSIE 6.0; Win32) 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​SOFTWARE\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  WarnOnPost  0x01000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Extensions\​CmdMapping  {FB5F1910-F110-11d2-BB9E-00C04F795683}  8193 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Extensions\​CmdMapping  {e2e2dd38-d088-4134-82b7-f2ba38496583}  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​International\​Scripts\​3  IEFixedFontName  Courier New 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​International\​Scripts\​3  IEPropFontName  Times New Roman 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Main  Anchor Underline  yes 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Main  BandRest  Never 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Main  Disable Script Debugger  yes 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Main  Display Inline Images  yes 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Main  Use_DlgBox_Colors  yes 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Settings  Anchor Color  0,0,255 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Settings  Anchor Color Visited  128,0,128 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Internet Explorer\​Settings  Use Anchor Hover Color  No 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows NT\​CurrentVersion\​Winlogon  ParseAutoexec 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  AppData  %USERPROFILE%\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cache  %USERPROFILE%\​Local Settings\​Temporary Internet Files 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Cookies  %USERPROFILE%\​Cookies 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  History  %USERPROFILE%\​Local Settings\​History 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Local Settings  %USERPROFILE%\​Local Settings 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Explorer\​User Shell Folders  Personal  %USERPROFILE%\​My Documents 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings  ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache  Signature  Client UrlCache MMF Ver 5.2 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CacheLimit  163410 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  CachePrefix   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Content  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  CachePrefix  Cookie: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​Cookies  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CacheLimit  8192 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  CachePrefix  Visited: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​5.0\​Cache\​History  PerUserItem 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  IntranetName 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​  ProxyBypass 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​ZoneMap\​\​ProtocolDefaults\​  http 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​0  Flags  33 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​1  Flags  219 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​2  Flags  71 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  1201 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  1400 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  1809 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  1A10 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  Flags 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​3  {AEBA21FA-782A-4A90-978D-B72164C80120}  0x1a3761592352350c7a5f20172f1e1a190e2b01731e281a041b0c3bc22127 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​CurrentVersion\​Internet Settings\​Zones\​4  Flags 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​ShellNoRoam\​MUICache  LangID  0x0904 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​Windows\​ShellNoRoam\​MUICache\​  @xpsp3res.dll,-20001  Diagnose Connection Problems... 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  MigrateProxy 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings  ProxyEnable 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  DefaultConnectionSettings  0x3c0000000200000009000000000000000000000000000000000000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Software\​Microsoft\​windows\​CurrentVersion\​Internet Settings\​Connections  SavedLegacySettings  0x3c0000000400000009000000000000000000000000000000000000000000 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  APPDATA  C:\​Documents and Settings\​Administrator\​Application Data 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  CLIENTNAME   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMEDRIVE  C: 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMEPATH  \​Documents and Settings\​Administrator 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  HOMESHARE   
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  LOGONSERVER  \​\​PC 
HKU\​S-1-5-21-842925246-1425521274-308236825-500\​Volatile Environment  SESSIONNAME  Console 

  - Monitored Registry Keys:  
Key Name Watch subtree Notify Filter Count
HKLM\​Software\​Classes  Key Change,Value Change 
HKLM\​Software\​Classes\​CLSID  Key Change,Value Change 
HKLM\​Software\​Microsoft\​COM3  Key Change,Value Change 
HKLM\​Software\​Microsoft\​Tracing\​RASAPI32  Attributes Change,Value Change,Security Descriptor Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​NameSpace_Catalog5  Key Change 
HKLM\​System\​CurrentControlSet\​Services\​WinSock2\​Parameters\​Protocol_Catalog9  Key Change 
HKU  Key Change,Value Change 

2.b) output.197664.txt - File Activities

  - Files Created:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\index[1].htm
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\istdialog.new[1].dll

  - Files Read:  
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\shdocvw.dll
PIPE\lsarpc
c:\autoexec.bat

  - Files Modified:  
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmpinfo
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ODM3O1U3\index[1].htminfo
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WDUF49AN\istdialog.new[1].dllinfo
Ipinfo
PIPE\lsarpcinfo
\Device\Afd\AsyncConnectHlpinfo
\Device\Afd\Endpointinfo
\Device\Ipinfo
\Device\NetBT_Tcpip_{1AD45B38-4060-4F73-BB1E-A0439A2D97EB}info
\Device\RasAcdinfo
\Device\Tcpinfo

  - File System Control Communication:  
File Control Code Times
C:\  0x00090028 
PIPE\lsarpc  0x0011C017  19 

  - Device Control Communication:  
File Control Code Times
\Device\Tcp  0x00120003  19 
\Device\KsecDD  0x00390008 
\Device\Ip  0x00120040 
\Device\Ip  0x00120090 
\Device\NetBT_Tcpip_{1AD45B38-4060-4F73-BB1E-A0439A2D97EB}  0x0021009A 
\Device\NetBT_Tcpip_{1AD45B38-4060-4F73-BB1E-A0439A2D97EB}  0x00210096 
\Device\Afd\Endpoint  AFD_GET_INFO (0x0001207B) 
\Device\Afd\Endpoint  AFD_SET_CONTEXT (0x00012047)  22 
\Device\Afd\Endpoint  AFD_BIND (0x00012003) 
\Device\Afd\Endpoint  AFD_GET_TDI_HANDLES (0x00012037) 
\Device\Afd\Endpoint  AFD_GET_SOCK_NAME (0x0001202F) 
\Device\Afd\Endpoint  AFD_CONNECT (0x00012007) 
unnamed file  0x00120028 
\Device\Afd\Endpoint  AFD_SEND (0x0001201F) 
\Device\Afd\Endpoint  AFD_RECV (0x00012017)  25 
\Device\Afd\Endpoint  AFD_SET_INFO (0x0001203B) 
\Device\Afd\Endpoint  AFD_SELECT (0x00012024)  17 
\Device\Afd\Endpoint  AFD_DISCONNECT (0x0001202B) 
\Device\Afd\AsyncConnectHlp  AFD_CONNECT (0x00012007) 

  - Memory Mapped Files:  
File Name
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp
C:\WINDOWS\System32\mswsock.dll
C:\WINDOWS\System32\winrnr.dll
C:\WINDOWS\System32\wshtcpip.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\WindowsShell.manifest
C:\WINDOWS\system32\CLBCATQ.DLL
C:\WINDOWS\system32\COMRes.dll
C:\WINDOWS\system32\DNSAPI.dll
C:\WINDOWS\system32\MFC42.DLL
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\MSVCP60.dll
C:\WINDOWS\system32\OLEACC.dll
C:\WINDOWS\system32\OLEACCRC.DLL
C:\WINDOWS\system32\PSAPI.DLL
C:\WINDOWS\system32\RASAPI32.DLL
C:\WINDOWS\system32\RichEd20.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SXS.DLL
C:\WINDOWS\system32\TAPI32.dll
C:\WINDOWS\system32\WININET.dll
C:\WINDOWS\system32\WINMM.dll
C:\WINDOWS\system32\WS2HELP.dll
C:\WINDOWS\system32\WS2_32.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\hnetcfg.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\iphlpapi.dll
C:\WINDOWS\system32\jscript.dll
C:\WINDOWS\system32\mlang.dll
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\msimtf.dll
C:\WINDOWS\system32\msls31.dll
C:\WINDOWS\system32\rasadhlp.dll
C:\WINDOWS\system32\rasman.dll
C:\WINDOWS\system32\rpcss.dll
C:\WINDOWS\system32\rtutils.dll
C:\WINDOWS\system32\sensapi.dll
C:\WINDOWS\system32\shdoclc.dll
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wsock32.dll
C:\WINDOWS\system32\xpsp2res.dll

2.c) output.197664.txt - Network Activity

  - DNS Queries:  
Name Query Type Query Result Successful Protocol
www.ysbweb.com  DNS_TYPE_A     
wpad  DNS_TYPE_A     
www.tbcode.com  DNS_TYPE_A  66.152.93.119   

  -  HTTP Conversations:  
From ANUBIS:1038 to 66.152.93.119:80 - [www.ysbweb.com]
Request: GET /ist/scripts/istdownload_config.php?cfg=&account_id=0
Response: 200 "OK"
Request: GET /ist/softwares/v4.0/istdialog.new.dll
Response: 200 "OK"
Request: GET /ist/prompts/1/index.html?aid=0
Response: 200 "OK"

  -  TCP Connection Attempts:  
from ANUBIS:1039 to 66.152.93.119:80
from ANUBIS:1041 to 66.152.93.119:80

2.d) output.197664.txt - Other Activities

  - Mutexes Created:  
CTF.Asm.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Compart.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.LBES.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.Layouts.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TMD.MutexDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
CTF.TimListCache.FMPDefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500MUTEX.DefaultS-​1-​5-​21-​842925246-​1425521274-​308236825-​500
ISTdownloadMuTEX
ZonesCacheCounterMutex
ZonesCounterMutex
ZonesLockedCacheCounterMutex
oleacc-​msaa-​loaded

  - Keyboard Keys Monitored:  
Virtual Key Code Times
VK_SHIFT (16) 
VK_CONTROL (17) 
VK_MENU (18) 
VK_LSHIFT (160) 
VK_LCONTROL (162) 
VK_LMENU (164) 

  - Windows SEH exceptions:  
Description Times
Exception 0xc0000096 (STATUS_PRIVILEGED_INSTRUCTION) at 0x4077af 


International Secure Systems Lab
Vienna University of Technology, Eurecom France, UC Santa Barbara
Contact: anubis@iseclab.org