GreyEnergy IOCs

• C:\Documents and Settings\Administrator\Application Data\Microsoft\{FA17E5EB-9499-4985-85A4-F12974C2E25E}.db
• C:\Documents and Settings\Administrator\Application Data\ .lnk
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{99FE2AB5-9CEF-4943-88C0-BF0304C31D06}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{AB5E27DE-E03B-43D5-91B4-CA3E010A2FC6}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{B06351A8-FF67-4882-9DFE-1941772BA07D}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{79805CB7-150E-45BD-B0BA-F7D65B414375}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{C8F19483-2C1A-4295-90E9-A7B3D36CCF97}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{2CF59D31-3F6D-4D6A-A892-4139B8495E10}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{BA87AF86-716B-47D1-B8BC-C4F993AD42E8}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{B5FD6FEF-9B1E-47C6-ADD8-36B1FE97D584}.db
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{97C5B72A-0A51-4096-AB40-CB0DF0B97591}.db

Permissions Requested

• SE_LOAD_DRIVER_PRIVILEGE

Processes Created

• C:\WINDOWS\system32\cmd.exe
• C:\WINDOWS\system32\rundll32.exe
• C:\WINDOWS\system32\ping.exe

Shell Commands

• “C:\WINDOWS\system32\cmd.exe” /c move “C:\Documents and Settings\Administrator\Application Data\ .lnk” “C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ .lnk”
• “C:\WINDOWS\System32\rundll32.exe” {FA17E5EB-9499-4985-85A4-F12974C2E25E}.db, #1 #1
• “C:\WINDOWS\system32\cmd.exe” /c (ping localhost >> nul & del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EB93A6\996E.exe >> nul)
• ping localhost
• “C:\WINDOWS\System32\rundll32.exe” {99FE2AB5-9CEF-4943-88C0-BF0304C31D06}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {AB5E27DE-E03B-43D5-91B4-CA3E010A2FC6}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {B06351A8-FF67-4882-9DFE-1941772BA07D}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {79805CB7-150E-45BD-B0BA-F7D65B414375}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {C8F19483-2C1A-4295-90E9-A7B3D36CCF97}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {2CF59D31-3F6D-4D6A-A892-4139B8495E10}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {BA87AF86-716B-47D1-B8BC-C4F993AD42E8}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {B5FD6FEF-9B1E-47C6-ADD8-36B1FE97D584}.db, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {97C5B72A-0A51-4096-AB40-CB0DF0B97591}.db, #1 #1

Registry Keys Opened

• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
• \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KERNEL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USER32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winime32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USP10.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LPK.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsp2res.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\actxprxy.dll
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoInternetIcon
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoControlPanel
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetFolders
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll
• \Registry\Machine\Software\Policies\Microsoft\System\DNSclient
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Documents
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.exe
• \Registry\Machine\Software\Classes\.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_Classes\.exe
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LINKINFO.dll
• \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USERENV.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\System
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntshrui.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common AppData
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonPictures
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonMusic
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonVideo
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_Classes\exefile\shell\open\command
• \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
• \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\command
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RestrictRun
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
• \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Levels
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\LogFileName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\System
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{FA17E5EB-9499-4985-85A4-F12974C2E25E}.db
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\RpcThreadPoolThrottle
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\WinSock_Registry_Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32SpinCount
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Parameters\Transports
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Winsock\HelperDllName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{99FE2AB5-9CEF-4943-88C0-BF0304C31D06}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{AB5E27DE-E03B-43D5-91B4-CA3E010A2FC6}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{B06351A8-FF67-4882-9DFE-1941772BA07D}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{79805CB7-150E-45BD-B0BA-F7D65B414375}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{C8F19483-2C1A-4295-90E9-A7B3D36CCF97}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{2CF59D31-3F6D-4D6A-A892-4139B8495E10}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{BA87AF86-716B-47D1-B8BC-C4F993AD42E8}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{B5FD6FEF-9B1E-47C6-ADD8-36B1FE97D584}.db
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{97C5B72A-0A51-4096-AB40-CB0DF0B97591}.db

• C:\Documents and Settings\Administrator\Application Data\Microsoft\{1F5CE9E9-FF70-4A88-A3D4-7FE8B293C3BF}.dbf
• C:\Documents and Settings\Administrator\Application Data\ .lnk
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{17CBDA6E-B416-4476-9177-F5061146956B}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{A4F6A555-7CAA-4FCE-83D0-C570EAE453C3}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{B3C830CB-BFF7-4F2A-9AD6-22FA8155BE99}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{28ABF007-234D-487E-9A65-B2017C652CC7}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{0640DC04-94B8-494E-A689-E5DDEB254B61}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{7FF79022-79AE-4031-9BDE-22483A4A8D2A}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{342CA566-CDCE-4771-8306-0114D96DF56F}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{B6FA0E48-103D-4B46-BFE4-B67087839C30}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{5C4145FA-9F96-42AC-80D3-A0CF780A9228}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{B2E45CDA-4526-4E7D-9719-89463391C43D}.dbf

Permissions Requested

• SE_LOAD_DRIVER_PRIVILEGE

Processes Created

• C:\WINDOWS\system32\cmd.exe
• C:\WINDOWS\system32\rundll32.exe
• C:\WINDOWS\system32\ping.exe

Shell Commands

• “C:\WINDOWS\system32\cmd.exe” /c move “C:\Documents and Settings\Administrator\Application Data\ .lnk” “C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ .lnk”
• “C:\WINDOWS\System32\rundll32.exe” {1F5CE9E9-FF70-4A88-A3D4-7FE8B293C3BF}.dbf, #1 #1
• “C:\WINDOWS\system32\cmd.exe” /c (ping localhost >> nul & del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EB93A6\996E.exe >> nul)
• ping localhost
• “C:\WINDOWS\System32\rundll32.exe” {17CBDA6E-B416-4476-9177-F5061146956B}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {A4F6A555-7CAA-4FCE-83D0-C570EAE453C3}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {B3C830CB-BFF7-4F2A-9AD6-22FA8155BE99}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {28ABF007-234D-487E-9A65-B2017C652CC7}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {0640DC04-94B8-494E-A689-E5DDEB254B61}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {7FF79022-79AE-4031-9BDE-22483A4A8D2A}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {342CA566-CDCE-4771-8306-0114D96DF56F}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {B6FA0E48-103D-4B46-BFE4-B67087839C30}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {5C4145FA-9F96-42AC-80D3-A0CF780A9228}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {B2E45CDA-4526-4E7D-9719-89463391C43D}.dbf, #1 #1

Registry Keys Opened

• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
• \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KERNEL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USER32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winime32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USP10.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LPK.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsp2res.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\actxprxy.dll
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoInternetIcon
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoControlPanel
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetFolders
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll
• \Registry\Machine\Software\Policies\Microsoft\System\DNSclient
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Documents
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.exe
• \Registry\Machine\Software\Classes\.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_Classes\.exe
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LINKINFO.dll
• \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USERENV.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\System
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntshrui.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common AppData
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonPictures
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonMusic
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonVideo
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_Classes\exefile\shell\open\command
• \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
• \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\command
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RestrictRun
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
• \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Levels
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\LogFileName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\System
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\RpcThreadPoolThrottle
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{1F5CE9E9-FF70-4A88-A3D4-7FE8B293C3BF}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\WinSock_Registry_Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32SpinCount
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Parameters\Transports
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Winsock\HelperDllName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{17CBDA6E-B416-4476-9177-F5061146956B}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{A4F6A555-7CAA-4FCE-83D0-C570EAE453C3}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{B3C830CB-BFF7-4F2A-9AD6-22FA8155BE99}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{28ABF007-234D-487E-9A65-B2017C652CC7}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{0640DC04-94B8-494E-A689-E5DDEB254B61}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{7FF79022-79AE-4031-9BDE-22483A4A8D2A}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{342CA566-CDCE-4771-8306-0114D96DF56F}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{B6FA0E48-103D-4B46-BFE4-B67087839C30}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{5C4145FA-9F96-42AC-80D3-A0CF780A9228}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{B2E45CDA-4526-4E7D-9719-89463391C43D}.dbf

Contacted URLs: http://217.12.204.100/news/

Contacted IPs: 217.12.204.100

• C:\Documents and Settings\Administrator\Application Data\Microsoft\{3479B41A-5B1E-4694-88C3-F50F7C8488E9}.dbf
• C:\Documents and Settings\Administrator\Application Data\ .lnk
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{8105617A-CA35-42AA-B0D3-149B4BED6DCB}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{B997E610-2169-4200-B82F-DE61DDEEF66D}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{76C8192F-C760-4605-8B4D-FC08769D1C26}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{44FB1D37-DC8C-4040-A013-58AE5079450E}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{018BFBE6-3F5E-4A79-8598-3EA72549A102}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{75B64431-1608-44A6-A752-A69BACB38DE4}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{47BE844F-1AF1-433F-9748-594644037772}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{EC60B9C3-28D2-46D5-ACE2-746C5CA1281A}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{16EA8B54-B095-46F9-83F0-2CC7EA6E991A}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{42A0EDBF-E802-4C77-A20A-68C1CD27298B}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{191DF1C3-E28D-4EF3-B8A8-146C2796C005}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{CBCF8585-E4D3-4D56-9CE5-D18DFE44FACE}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{C4C0B803-DFC6-4EBF-B819-CEF69C3DA782}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{84F9FE11-BB4B-4BA5-8C89-FD694AEB524F}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{0D648798-7F52-4039-B796-FFB5EDDA9821}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{03D5F98A-6726-4C26-A097-EB414B016B0B}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{818C866A-55C6-4EFD-9729-504429EB9C2D}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{30A10B31-ACDD-40EA-8BFA-63FF1D204417}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{4A84FD55-CC94-4E43-A73E-AEE678028C5A}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{0F600465-A8C2-489C-88ED-4C49B6C2E98B}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{6777AEA0-7268-497E-B05F-3A43095EB780}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{76761411-00E2-4B7A-A33B-BD240A204EFE}.dbf
• C:\Documents and Settings\Administrator\Application Data\Microsoft\{C9FB0E6B-CA38-4BB5-8AD0-1944D0CE67BF}.dbf

Permissions Requested

• SE_LOAD_DRIVER_PRIVILEGE

Processes Created

• C:\WINDOWS\system32\cmd.exe
• C:\WINDOWS\system32\rundll32.exe
• C:\WINDOWS\system32\ping.exe

Shell Commands

• “C:\WINDOWS\system32\cmd.exe” /c move “C:\Documents and Settings\Administrator\Application Data\ .lnk” “C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\ .lnk”
• “C:\WINDOWS\System32\rundll32.exe” {3479B41A-5B1E-4694-88C3-F50F7C8488E9}.dbf, #1 #1
• “C:\WINDOWS\system32\cmd.exe” /c (ping localhost >> nul & del C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EB93A6\996E.exe >> nul)
• ping localhost
• “C:\WINDOWS\System32\rundll32.exe” {8105617A-CA35-42AA-B0D3-149B4BED6DCB}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {B997E610-2169-4200-B82F-DE61DDEEF66D}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {76C8192F-C760-4605-8B4D-FC08769D1C26}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {44FB1D37-DC8C-4040-A013-58AE5079450E}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {018BFBE6-3F5E-4A79-8598-3EA72549A102}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {75B64431-1608-44A6-A752-A69BACB38DE4}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {47BE844F-1AF1-433F-9748-594644037772}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {EC60B9C3-28D2-46D5-ACE2-746C5CA1281A}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {16EA8B54-B095-46F9-83F0-2CC7EA6E991A}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {42A0EDBF-E802-4C77-A20A-68C1CD27298B}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {191DF1C3-E28D-4EF3-B8A8-146C2796C005}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {CBCF8585-E4D3-4D56-9CE5-D18DFE44FACE}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {C4C0B803-DFC6-4EBF-B819-CEF69C3DA782}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {84F9FE11-BB4B-4BA5-8C89-FD694AEB524F}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {0D648798-7F52-4039-B796-FFB5EDDA9821}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {03D5F98A-6726-4C26-A097-EB414B016B0B}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {818C866A-55C6-4EFD-9729-504429EB9C2D}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {30A10B31-ACDD-40EA-8BFA-63FF1D204417}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {4A84FD55-CC94-4E43-A73E-AEE678028C5A}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {0F600465-A8C2-489C-88ED-4C49B6C2E98B}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {6777AEA0-7268-497E-B05F-3A43095EB780}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {76761411-00E2-4B7A-A33B-BD240A204EFE}.dbf, #1 #1
• “C:\WINDOWS\System32\rundll32.exe” {C9FB0E6B-CA38-4BB5-8AD0-1944D0CE67BF}.dbf, #1 #1

• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
• \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINSTA.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WTSAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KERNEL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USER32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winime32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USP10.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LPK.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\AppData
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsp2res.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSCTF.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\actxprxy.dll
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoInternetIcon
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoControlPanel
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\NoSetFolders
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUPAPI.dll
• \Registry\Machine\Software\Policies\Microsoft\System\DNSclient
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Documents
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Desktop
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Desktop
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_CLASSES\.exe
• \Registry\Machine\Software\Classes\.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_Classes\.exe
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LINKINFO.dll
• \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ATL.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USERENV.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\System
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntshrui.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Start Menu
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Start Menu
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common AppData
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\My Pictures
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonPictures
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonMusic
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\CommonVideo
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\urlmon.dll
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Security_HKLM_only
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cookies
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500_Classes\exefile\shell\open\command
• \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun
• \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\command
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RestrictRun
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
• \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Levels
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\LogFileName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\System
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{3479B41A-5B1E-4694-88C3-F50F7C8488E9}.dbf
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\RpcThreadPoolThrottle
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\WinSock_Registry_Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32SpinCount
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Parameters\Transports
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Winsock\HelperDllName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM\Ime File
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msctfime.ime
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{8105617A-CA35-42AA-B0D3-149B4BED6DCB}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{B997E610-2169-4200-B82F-DE61DDEEF66D}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{76C8192F-C760-4605-8B4D-FC08769D1C26}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{44FB1D37-DC8C-4040-A013-58AE5079450E}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{018BFBE6-3F5E-4A79-8598-3EA72549A102}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{75B64431-1608-44A6-A752-A69BACB38DE4}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{47BE844F-1AF1-433F-9748-594644037772}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{EC60B9C3-28D2-46D5-ACE2-746C5CA1281A}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{16EA8B54-B095-46F9-83F0-2CC7EA6E991A}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{42A0EDBF-E802-4C77-A20A-68C1CD27298B}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{191DF1C3-E28D-4EF3-B8A8-146C2796C005}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{CBCF8585-E4D3-4D56-9CE5-D18DFE44FACE}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{C4C0B803-DFC6-4EBF-B819-CEF69C3DA782}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{84F9FE11-BB4B-4BA5-8C89-FD694AEB524F}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{0D648798-7F52-4039-B796-FFB5EDDA9821}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{03D5F98A-6726-4C26-A097-EB414B016B0B}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{818C866A-55C6-4EFD-9729-504429EB9C2D}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{30A10B31-ACDD-40EA-8BFA-63FF1D204417}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{4A84FD55-CC94-4E43-A73E-AEE678028C5A}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{0F600465-A8C2-489C-88ED-4C49B6C2E98B}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{6777AEA0-7268-497E-B05F-3A43095EB780}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{76761411-00E2-4B7A-A33B-BD240A204EFE}.dbf
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{C9FB0E6B-CA38-4BB5-8AD0-1944D0CE67BF}.dbf

Processes Created

• C:\WINDOWS\system32\drwtsn32 -p 412 -e 168 -g

Contacted URLs

http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Contacted IPs

109.200.202.7
88.221.14.145
88.221.14.122

Files Written

• C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp
• C:\Documents and Settings\Administrator\Local Settings\Temp\RCX3.tmp
• C:\WINDOWS\system32\pypl.dll

Files Copied

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RCX3.tmp  ->  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  ->  C:\WINDOWS\system32\qvtkbg.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\RCX3.tmp  -> C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\qvtkbg.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  -> C:\WINDOWS\system32\fymmh.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\fymmh.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  ->  C:\WINDOWS\system32\suofc.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\suofc.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  ->  C:\WINDOWS\system32\tgnjf.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\tgnjf.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  ->  C:\WINDOWS\system32\fgxe.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\fgxe.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  -> C:\WINDOWS\system32\pypl.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\pypl.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp ->  C:\WINDOWS\system32\ywfr.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\ywfr.dll

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2.tmp  ->  C:\WINDOWS\system32\pvjogr.dll

C:\Documents and Settings\Administrator\Local Settings\Temp\2.tmp  ->  C:\WINDOWS\system32\pvjogr.dll

Registry Keys Set

• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\Parameters\ServiceDll  :  %SystemRoot%\system32\qvtkbg.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\FailureActions  :  0000000000000000000000000300000090DD12000100000060EA00000000000060EA00000000000060EA0000
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\ErrorControl  :  00000000
• \REGISTRY\– USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData  :  C:\Documents and Settings\LocalService\Application Data
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters\ServiceDll  :  %SystemRoot%\system32\fymmh.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\FailureActions  :  0000000000000000000000000300000090DD12000100000060EA00000000000060EA00000000000060EA0000
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\ErrorControl  :  00000000
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\Parameters\ServiceDll  :  %SystemRoot%\system32\suofc.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\Parameters\ServiceDll  :  %SystemRoot%\system32\tgnjf.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters\ServiceDll  :  %SystemRoot%\system32\fgxe.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\Parameters\ServiceDll  :  %SystemRoot%\system32\pypl.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteRegistry\Parameters\ServiceDll  :  %SystemRoot%\system32\ywfr.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteRegistry\FailureActions  :  0000000000000000000000000300000090DD12000100000060EA00000000000060EA00000000000060EA0000
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteRegistry\ErrorControl  :  00000000
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\Parameters\ServiceDll  :  %SystemRoot%\system32\pvjogr.dll

Registry Keys Opened

• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
• \Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KERNEL32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\– USER32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secur32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ADVAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2_32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHLWAPI.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSAPI.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winime32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IMM32.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USP10.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LPK.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OLEAUT32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NETAPI32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\imagehlp.dll
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\Rpc
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rsaenh.dll
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Cryptography
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\COMRes.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VERSION.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLBCATQ.DLL
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpsp2res.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbemcomn.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbemprox.dll
• \Registry\Machine\Software\Policies\Microsoft\System\DNSclient
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wbemsvc.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSVCP60.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DNSAPI.dll
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows NT\DnsClient
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WLDAP32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTDSAPI.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fastprox.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAMLIB.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NTMARTA.DLL
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteAccess\ImagePath
• \Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Apphelp.dll
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\LevelObjects
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\Levels
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{dda3f824-d8cb-441b-834d-be2efd2c1a33}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{349d35ab-37b5-462f-9b89-edd5fbde1328}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{7fb9cd2e-3076-4df9-a57b-b813f72dbb91}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{81d1fe15-dd9d-4762-b16d-7c29ddecae3f}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{94e3e076-8f53-42a5-8411-085bcc18a68d}\SaferFlags
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemData
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\HashAlg
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\ItemSize
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes\{dc971ee5-44eb-4fe4-ae2e-b91490411bfc}\SaferFlags
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\4096\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\65536\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\131072\UrlZones
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Hashes
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\UrlZones
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\DefaultLevel
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\PolicyScope
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache
• \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\LogFileName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe
• \REGISTRY\– USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\System
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\reg.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qvtkbg.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASN1.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CRYPT32.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINHTTP.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOERT2.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetcomm.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetres.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mlang.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\WinSock_Registry_Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\00000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Next_Catalog_Entry_ID
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015\PackedCatalogItem
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Serial_Access_Num
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\00000004
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Num_Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002\StoresServiceClassInfo
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\LibraryPath
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\DisplayString
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\ProviderId
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\AddressFamily
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\SupportedNameSpace
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Enabled
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\Version
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003\StoresServiceClassInfo
• \REGISTRY\MACHINE\System\CurrentControlSet\Services\Winsock2\Parameters
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32NumHandleBuckets
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\WinSock2\Parameters\Ws2_32SpinCount
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mswsock.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hnetcfg.dll
• \REGISTRY\MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ping.exe\RpcThreadPoolThrottle
• \REGISTRY\MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService\DefaultAuthLevel
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Winsock\Parameters\Transports
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Winsock\HelperDllName
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wshtcpip.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\HidServ\ImagePath
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fymmh.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\suofc.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgnjf.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fgxe.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pypl.dll
• \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\RemoteRegistry\ImagePath
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ywfr.dll
• \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pvjogr.dll