Shadow Logger Registry Trace in Memory Dump (forensics)

MalwareMustDie, Jan 2nd, 2014

(37852): 0000007FC144   \REGISTRY\MACHINE
(37868): 0000007FC40A   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003
(37870): 0000007FC4B2   \REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework
(37913): 0000007FC978   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default
(37914): 0000007FCA1C   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
(37938): 0000007FD30E   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default
(37947): 0000007FD460   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer
(37950): 0000007FD5EA   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
(37951): 0000007FD6A4   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(37952): 0000007FD73E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
(37953): 0000007FD84E   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
(37954): 0000007FD906   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
(37955): 0000007FDA14   \REGISTRY\MACHINE\SOFTWARE\Classes
(37956): 0000007FDA6A   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(37958): 0000007FDB14   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(37960): 0000007FDB88   \REGISTRY\USER
(37962): 0000007FDBC6   \REGISTRY\MACHINE\SOFTWARE\Classes
(37964): 0000007FDC2C   \REGISTRY\USER
(37966): 0000007FDC6A   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(37968): 0000007FDCDE   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(37970): 0000007FDD52   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
(37972): 0000007FDDC4   \REGISTRY\MACHINE\SOFTWARE\Classes
(37974): 0000007FDE2A   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(37976): 0000007FDE9E   \REGISTRY\USER
(37978): 0000007FDEDC   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(37980): 0000007FDF50   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(37982): 0000007FDFC4   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
(37986): 0000007FE094   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(37987): 0000007FE12E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings
(37996): 0000007FE31C   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(38013): 0000007FE636   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
(38015): 0000007FE748   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam
(38017): 0000007FE830   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache
(38026): 0000007FEBDC   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38032): 0000007FED6E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38038): 0000007FEF9E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38044): 0000007FF268   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
(38065): 0000007FF8F6   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38072): 0000007FFAF2   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
(38075): 0000007FFBDC   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
(38080): 0000007FFD56   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38081): 0000007FFE3C   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38082): 0000007FFF22   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38083): 000000800008   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38084): 0000008000EE   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38085): 0000008001D4   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38086): 0000008002BA   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38092): 0000008003F2   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38093): 0000008004D8   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38094): 0000008005BE   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38095): 0000008006A4   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38096): 00000080078A   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38097): 000000800870   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38098): 000000800956   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38099): 000000800A3C   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38100): 000000800B22   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(38101): 000000800C08   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(75953): 0000007FC144   \REGISTRY\MACHINE
(75969): 0000007FC40A   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003
(75971): 0000007FC4B2   \REGISTRY\MACHINE\SOFTWARE\Microsoft\.NETFramework
(76014): 0000007FC978   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\GACChangeNotification\Default
(76015): 0000007FCA1C   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\NativeImagesIndex\v2.0.50727_32
(76039): 0000007FD30E   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Fusion\PublisherPolicy\Default
(76048): 0000007FD460   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer
(76051): 0000007FD5EA   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
(76052): 0000007FD6A4   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(76053): 0000007FD73E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked
(76054): 0000007FD84E   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
(76055): 0000007FD906   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
(76056): 0000007FDA14   \REGISTRY\MACHINE\SOFTWARE\Classes
(76057): 0000007FDA6A   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(76059): 0000007FDB14   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(76061): 0000007FDB88   \REGISTRY\USER
(76063): 0000007FDBC6   \REGISTRY\MACHINE\SOFTWARE\Classes
(76065): 0000007FDC2C   \REGISTRY\USER
(76067): 0000007FDC6A   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(76069): 0000007FDCDE   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(76071): 0000007FDD52   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
(76073): 0000007FDDC4   \REGISTRY\MACHINE\SOFTWARE\Classes
(76075): 0000007FDE2A   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(76077): 0000007FDE9E   \REGISTRY\USER
(76079): 0000007FDEDC   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(76081): 0000007FDF50   \REGISTRY\MACHINE\SOFTWARE\Microsoft\COM3
(76083): 0000007FDFC4   \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID
(76087): 0000007FE094   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(76088): 0000007FE12E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings
(76097): 0000007FE31C   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003_CLASSES
(76114): 0000007FE636   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
(76116): 0000007FE748   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam
(76118): 0000007FE830   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache
(76127): 0000007FEBDC   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76133): 0000007FED6E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76139): 0000007FEF9E   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76145): 0000007FF268   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale\Alternate Sorts
(76166): 0000007FF8F6   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76173): 0000007FFAF2   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Locale
(76176): 0000007FFBDC   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language Groups
(76181): 0000007FFD56   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76182): 0000007FFE3C   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76183): 0000007FFF22   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76184): 000000800008   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76185): 0000008000EE   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76186): 0000008001D4   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76187): 0000008002BA   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76193): 0000008003F2   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76194): 0000008004D8   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76195): 0000008005BE   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76196): 0000008006A4   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76197): 00000080078A   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76198): 000000800870   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76199): 000000800956   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76200): 000000800A3C   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76201): 000000800B22   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run
(76202): 000000800C08   \REGISTRY\USER\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Run