unixfreaxjp

DFIR - DarkKomet? Regshot

Feb 1st, 2013
=======================
DarkKomet? Regshot
=======================

Regshot 1.8.1
Datetime:2013/1/30 13:59:00 , 2013/1/30 14:06:23

----------------------------------
Keys deleted:1
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122

----------------------------------
Keys added:12
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CAPTUREFILEMONITOR\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CAPTUREFILEMONITOR\0000\Control
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dmp
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130128
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\ProcessComments

----------------------------------
Values deleted:5
----------------------------------
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013012120130122\"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122\CachePrefix: ":2013012120130122: "
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122\CacheLimit: 0x00002000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122\CacheOptions: 0x0000000B
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130122\CacheRepair: 0x00000000

----------------------------------
Values added:52
----------------------------------
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_CAPTUREFILEMONITOR\0000\Control\ActiveService: "CaptureFileMonitor"
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CAPTUREFILEMONITOR\0000\Control\ActiveService: "CaptureFileMonitor"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\d: 70 00 72 00 6F 00 63 00 65 00 78 00 70 00 2E 00 65 00 78 00 65 00 00 00 44 00 3A 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\e: 6D 00 73 00 70 00 61 00 69 00 6E 00 74 00 2E 00 65 00 78 00 65 00 00 00 44 00 3A 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\e: "D:\Adobe-Flash_WIN.exe.bin.txt"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\f: "D:\Adobe-Flash_WIN.exe.bin2.txt"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\g: "D:\Adobe-Flash_WIN2.dmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\h: "D:\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\i: "D:\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt\c: "D:\Adobe-Flash_WIN.exe.bin.txt"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt\d: "D:\Adobe-Flash_WIN.exe.bin2.txt"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\a: "D:\001.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\MRUList: "ba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\bmp\b: "D:\002.bmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dmp\a: "D:\Adobe-Flash_WIN2.dmp"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\dmp\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList\a: "mspaint.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bmp\OpenWithList\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dmp\OpenWithList\a: "procexp.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.dmp\OpenWithList\MRUList: "a"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\c: "procexp.exe"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\9: 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 2E 00 74 00 78 00 74 00 00 00 78 00 32 00 00 00 00 00 00 00 00 00 00 00 41 64 6F 62 65 2D 46 6C 61 73 68 5F 57 49 4E 2E 65 78 65 2E 62 69 6E 2E 6C 6E 6B 00 4E 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 2E 00 6C 00 6E 00 6B 00 00 00 2A 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\10: EA 30 E0 30 FC 30 D0 30 D6 30 EB 30 20 00 C7 30 A3 30 B9 30 AF 30 20 00 28 00 44 00 3A 00 29 00 00 00 74 00 36 00 00 00 00 00 00 00 00 00 00 00 EA 30 E0 30 FC 30 D0 30 D6 30 EB 30 20 00 C7 30 A3 30 B9 30 AF 30 20 00 28 00 44 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 3E 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 EA 30 E0 30 FC 30 D0 30 D6 30 EB 30 20 00 C7 30 A3 30 B9 30 AF 30 20 00 28 00 44 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 36 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\11: 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 32 00 2E 00 74 00 78 00 74 00 00 00 7C 00 32 00 00 00 00 00 00 00 00 00 00 00 41 64 6F 62 65 2D 46 6C 61 73 68 5F 57 49 4E 2E 65 78 65 2E 62 69 6E 32 2E 6C 6E 6B 00 00 50 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 2C 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\12: 30 00 30 00 31 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 31 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 31 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\13: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\3: 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 2E 00 74 00 78 00 74 00 00 00 78 00 32 00 00 00 00 00 00 00 00 00 00 00 41 64 6F 62 65 2D 46 6C 61 73 68 5F 57 49 4E 2E 65 78 65 2E 62 69 6E 2E 6C 6E 6B 00 4E 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 2E 00 6C 00 6E 00 6B 00 00 00 2A 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\4: 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 32 00 2E 00 74 00 78 00 74 00 00 00 7C 00 32 00 00 00 00 00 00 00 00 00 00 00 41 64 6F 62 65 2D 46 6C 61 73 68 5F 57 49 4E 2E 65 78 65 2E 62 69 6E 32 2E 6C 6E 6B 00 00 50 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 41 00 64 00 6F 00 62 00 65 00 2D 00 46 00 6C 00 61 00 73 00 68 00 5F 00 57 00 49 00 4E 00 2E 00 65 00 78 00 65 00 2E 00 62 00 69 00 6E 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 2C 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\3: EA 30 E0 30 FC 30 D0 30 D6 30 EB 30 20 00 C7 30 A3 30 B9 30 AF 30 20 00 28 00 44 00 3A 00 29 00 00 00 74 00 36 00 00 00 00 00 00 00 00 00 00 00 EA 30 E0 30 FC 30 D0 30 D6 30 EB 30 20 00 C7 30 A3 30 B9 30 AF 30 20 00 28 00 44 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 3E 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 EA 30 E0 30 FC 30 D0 30 D6 30 EB 30 20 00 C7 30 A3 30 B9 30 AF 30 20 00 28 00 44 00 29 00 2E 00 6C 00 6E 00 6B 00 00 00 36 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\0: 30 00 30 00 31 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 31 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 31 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.bmp\1: 30 00 30 00 32 00 2E 00 62 00 6D 00 70 00 00 00 3C 00 32 00 00 00 00 00 00 00 00 00 00 00 30 30 32 2E 6C 6E 6B 00 26 00 03 00 04 00 EF BE 00 00 00 00 00 00 00 00 14 00 00 00 30 00 30 00 32 00 2E 00 6C 00 6E 00 6B 00 00 00 16 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\Nqbor-Synfu_JVA.rkr: 02 00 00 00 0E 00 00 00 A0 9A F1 DA F2 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\Nqbor-Synfu_JVA4.rkr: 02 00 00 00 06 00 00 00 F0 5B D9 7D F2 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\Nqbor-Synfu_JVA2.rkr: 02 00 00 00 07 00 00 00 30 28 58 BB F2 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130128\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013012120130128\"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130128\CachePrefix: ":2013012120130128: "
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130128\CacheLimit: 0x00002000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130128\CacheOptions: 0x0000000B
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013012120130128\CacheRepair: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131\CachePath: "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012013013020130131\"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131\CachePrefix: ":2013013020130131: "
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131\CacheLimit: 0x00002000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131\CacheOptions: 0x0000000B
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013013020130131\CacheRepair: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3: 58 00 31 00 00 00 00 00 47 41 48 4E 11 00 4D 59 50 49 43 54 7E 31 00 00 2E 00 03 00 04 00 EF BE 47 41 3D 4E 46 41 00 78 14 00 00 00 4D 00 79 00 20 00 50 00 69 00 63 00 74 00 75 00 72 00 65 00 73 00 00 00 18 00 12 00 27 00 06 00 EF BE 72 00 69 00 6B 00 00 00 18 00 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3\NodeSlot: 0x00000025
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\3\MRUListEx: FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\Bags\37\Shell\FolderType: "MyPictures"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\Adobe-Flash_WIN.exe: "Image Extract v1.3"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\Adobe-Flash_WIN4.exe: "Image Extract v1.3"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\rik\デスクトップ\Adobe-Flash_WIN2.exe: "Image Extract v1.3"

----------------------------------
Values modified:19
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 52 A9 7B 0D E4 A4 78 32 3F 42 ED 0B EC 13 8D D6 68 79 29 C4 A3 B9 09 2A BA EC FD B0 AA 31 05 6D 85 51 75 A6 89 3D 5A 7F 46 94 A3 68 6A 1A BE 34 E6 48 65 E8 70 BB A1 77 58 84 47 89 38 CE 60 E9 A7 9B DE 0C 77 E9 00 27 1F D2 DA 1B A0 70 3A FA
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 8B E1 D6 F0 CF 17 22 1D 31 C2 F2 04 62 A3 E0 70 8A 29 B0 93 ED 8B 55 32 D2 74 4C 53 00 63 36 4E 76 92 6B FF 46 F4 BB B8 FD 78 4E 8D 3A 91 75 46 B2 BA B7 76 A4 4D 09 10 F8 49 4C 0B CE E6 34 38 DD 49 E9 31 16 4B CF A9 4D 33 72 D9 1F D5 6B 7B
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000011
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000001F
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x00000006
HKLM\SYSTEM\ControlSet001\Services\RemoteAccess\Performance\Error Count: 0x000000BE
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x00000006
HKLM\SYSTEM\CurrentControlSet\Services\RemoteAccess\Performance\Error Count: 0x000000BE
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "acb"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "edacb"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "dcba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "ihgfedcba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt\MRUList: "ba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt\MRUList: "dcba"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\MRUList: "ab"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList\MRUList: "cab"
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 08 00 00 00 02 00 00 00 04 00 00 00 07 00 00 00 06 00 00 00 05 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\MRUListEx: 0A 00 00 00 0D 00 00 00 0C 00 00 00 0B 00 00 00 09 00 00 00 08 00 00 00 02 00 00 00 04 00 00 00 07 00 00 00 06 00 00 00 05 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\MRUListEx: 00 00 00 00 01 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.txt\MRUListEx: 04 00 00 00 03 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder\MRUListEx: 03 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 5C 00 00 00 A0 73 50 B3 F1 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 02 00 00 00 69 00 00 00 B0 50 EF DA F2 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 9B 00 00 00 50 6D 6F B3 F1 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 02 00 00 00 A8 00 00 00 A0 9A F1 DA F2 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\PncgherONG.rkr: 02 00 00 00 0E 00 00 00 A0 7C 59 C6 BF F7 CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\evx\デスクトップ\PncgherONG.rkr: 02 00 00 00 0F 00 00 00 00 F3 9E 61 F2 FE CD 01
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\MRUListEx: 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\MRUListEx: 03 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF 95 01 00 00 FE FF FF FF ED 03 00 00 F2 01 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\Windowplacement: 2C 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF AE 00 00 00 73 00 00 00 BF 03 00 00 AA 02 00 00
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000000
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\SymbolWarningShown: 0x00000001
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000004
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Sysinternals\Process Explorer\DefaultProcPropPage: 0x00000006

----------------------------------
Total changes:89
----------------------------------