Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Chinese Fake AV

JMC31337
JMC31337
in Malware Reverse Engineering

Featured Replies

Posted

while cruising around China (looking for setcsum.exe to reset the tcpip.sys checksum), enjoying the scenery and attractions, (damn those chinese women are sexy )  i was redirected to a web site saying YOUR PC IS INFECTED!


 


In Chinese... even the download exe under chrome was in Chinese.. we all know the one:


 


Your redirected to a site and it scrolls through about a 1000 list of trojans and the number increases by the second syaing your PC is infected with 100's of malware and you need this program to remove them


 


so i downloaded the exe and rar'd it up


 


pass:infected


 


Havent had the time to really go through this exe.... and it may not even be a virus (they could have switched the exe back to a non infected sample) no sooner than they sent the first one, or the NSA couldve hijacked the outgoing connections and redirected me to a server making me think it was Chinese but.. the exe is here


 


if someone gets to it before i do, and determines that its not FAKE AV; let me know and ill have the Moderator delete this topic


 


otherwise.... first time i've ever seen a Fake AV in China


 


thank you China!  .. you do great things for me and I appreciate it


khsajsf_30282.rar

Edited by JMC31337

  • Author

heres the Anubis text report:




                        ___                __    _                          

         +  /-            /   |  ____  __  __/ /_  (_)____       -\  +         

        /s  h-           / /| | / __ \/ / / / __ \/ / ___/       -h  s\        

        oh-:d/          / ___ |/ / / / /_/ / /_/ / (__  )        /d:-ho        

        shh+hy-        /_/  |_/_/ /_/\__,_/_.___/_/____/        -yh+hhs        

      -:+hhdhyys/-                                           -\syyhdhh+:-      

    -//////dhhhhhddhhyss-       Analysis Report       -ssyhhddhhhhhd\\\\\\-    

   /++/////oydddddhhyys/     ooooooooooooooooooooo     \syyhhdddddyo\\\\\++\   

 -+++///////odh/-                                             -+hdo\\\\\\\+++- 

 +++++++++//yy+/:                                             :\+yy\\+++++++++ 

/+soss+sys//yyo/os++o+:                                 :+o++so\oyy\\sys+ssos+\

+oyyyys++o/+yss/+/oyyyy:                               :yyyyo\+\ssy+\o++syyyyo+

+oyyyyyyso+os/o/+yyyyyy/                               \yyyyyy+\o\so+osyyyyyyo+

[#############################################################################]

    Analysis Report for khsajsf_30282.exe

                   MD5: ade704c557f2e1a2e8881910ae42bf57

[#############################################################################]

[=============================================================================]

    Table of Contents

[=============================================================================]
- General information

- khsajsf_30.exe

  a) Registry Activities
 File Activities

  c) Other Activities

[#############################################################################]

    1. General Information

[#############################################################################]

[=============================================================================]

    Information about Anubis' invocation

[=============================================================================]

        Time needed:        119 s

        Report created:     12/23/13, 13:55:43 UTC

        Termination reason: All tracked processes have exited

        Program version:    1.76.3886
[=============================================================================]

    Popups

[=============================================================================]

        Process:         0

        Window Name:     unpacking data: 13%

        Displayed Times: 1

        Window Text:

0

[=============================================================================]

    Global Network Activities

[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    DNS Queries:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Name: [ p.x.baidu.com ], Query Type: [ DNS_TYPE_A ],

            Query Result: [  ], Successful: [ 0 ], Protocol: [ udp ]
[#############################################################################]

    2. khsajsf_30.exe

[#############################################################################]

[=============================================================================]

    General information about this executable

[=============================================================================]

        Analysis Reason: Primary Analysis Subject

        Filename:        khsajsf_30.exe

        MD5:             ade704c557f2e1a2e8881910ae42bf57

        SHA-1:           3bd62ae7c36d4dab1141e28975afc52885ff1046

        File Size:       1970376 Bytes

        Command Line:    "C:\khsajsf_30.exe"

        Process-status

        at analysis end: dead

        Exit Code:       0
[=============================================================================]

    Load-time Dlls

[=============================================================================]

        Module Name: [ C:\WINDOWS\system32\ntdll.dll ],

               Base Address: [0x7C900000 ], Size: [0x000AF000 ]

        Module Name: [ C:\WINDOWS\system32\kernel32.dll ],

               Base Address: [0x7C800000 ], Size: [0x000F6000 ]

        Module Name: [ C:\WINDOWS\system32\USER32.dll ],

               Base Address: [0x7E410000 ], Size: [0x00091000 ]

        Module Name: [ C:\WINDOWS\system32\GDI32.dll ],

               Base Address: [0x77F10000 ], Size: [0x00049000 ]

        Module Name: [ C:\WINDOWS\system32\SHELL32.dll ],

               Base Address: [0x7C9C0000 ], Size: [0x00817000 ]

        Module Name: [ C:\WINDOWS\system32\ADVAPI32.dll ],

               Base Address: [0x77DD0000 ], Size: [0x0009B000 ]

        Module Name: [ C:\WINDOWS\system32\RPCRT4.dll ],

               Base Address: [0x77E70000 ], Size: [0x00092000 ]

        Module Name: [ C:\WINDOWS\system32\Secur32.dll ],

               Base Address: [0x77FE0000 ], Size: [0x00011000 ]

        Module Name: [ C:\WINDOWS\system32\msvcrt.dll ],

               Base Address: [0x77C10000 ], Size: [0x00058000 ]

        Module Name: [ C:\WINDOWS\system32\SHLWAPI.dll ],

               Base Address: [0x77F60000 ], Size: [0x00076000 ]

        Module Name: [ C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ],

               Base Address: [0x773D0000 ], Size: [0x00103000 ]

        Module Name: [ C:\WINDOWS\system32\ole32.dll ],

               Base Address: [0x774E0000 ], Size: [0x0013D000 ]

        Module Name: [ C:\WINDOWS\system32\VERSION.dll ],

               Base Address: [0x77C00000 ], Size: [0x00008000 ]
[=============================================================================]

    Run-time Dlls

[=============================================================================]

        Module Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMSkin.dll ],

               Base Address: [0x012C0000 ], Size: [0x00157000 ]

        Module Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMNetGetInfo.dll ],

               Base Address: [0x01E80000 ], Size: [0x00044000 ]

        Module Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\tmpqklee9.dll ],

               Base Address: [0x10000000 ], Size: [0x002B4000 ]

        Module Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ],

               Base Address: [0x4EC50000 ], Size: [0x001A6000 ]

        Module Name: [ C:\WINDOWS\system32\dbghelp.dll ],

               Base Address: [0x59A60000 ], Size: [0x000A1000 ]

        Module Name: [ C:\WINDOWS\system32\UxTheme.dll ],

               Base Address: [0x5AD70000 ], Size: [0x00038000 ]

        Module Name: [ C:\WINDOWS\system32\NETAPI32.dll ],

               Base Address: [0x5B860000 ], Size: [0x00055000 ]

        Module Name: [ C:\WINDOWS\System32\mswsock.dll ],

               Base Address: [0x71A50000 ], Size: [0x0003F000 ]

        Module Name: [ C:\WINDOWS\system32\WS2HELP.dll ],

               Base Address: [0x71AA0000 ], Size: [0x00008000 ]

        Module Name: [ C:\WINDOWS\system32\WS2_32.dll ],

               Base Address: [0x71AB0000 ], Size: [0x00017000 ]

        Module Name: [ C:\WINDOWS\system32\MSCTF.dll ],

               Base Address: [0x74720000 ], Size: [0x0004C000 ]

        Module Name: [ C:\WINDOWS\system32\RichEd20.dll ],

               Base Address: [0x74E30000 ], Size: [0x0006D000 ]

        Module Name: [ C:\WINDOWS\system32\browseui.dll ],

               Base Address: [0x75F80000 ], Size: [0x000FD000 ]

        Module Name: [ C:\WINDOWS\system32\msimg32.dll ],

               Base Address: [0x76380000 ], Size: [0x00005000 ]

        Module Name: [ C:\WINDOWS\system32\SHFOLDER.dll ],

               Base Address: [0x76780000 ], Size: [0x00009000 ]

        Module Name: [ C:\WINDOWS\system32\WINMM.dll ],

               Base Address: [0x76B40000 ], Size: [0x0002D000 ]

        Module Name: [ C:\WINDOWS\system32\PSAPI.DLL ],

               Base Address: [0x76BF0000 ], Size: [0x0000B000 ]

        Module Name: [ C:\WINDOWS\system32\DNSAPI.dll ],

               Base Address: [0x76F20000 ], Size: [0x00027000 ]

        Module Name: [ C:\WINDOWS\system32\WLDAP32.dll ],

               Base Address: [0x76F60000 ], Size: [0x0002C000 ]

        Module Name: [ C:\WINDOWS\System32\winrnr.dll ],

               Base Address: [0x76FB0000 ], Size: [0x00008000 ]

        Module Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ],

               Base Address: [0x76FD0000 ], Size: [0x0007F000 ]

        Module Name: [ C:\WINDOWS\system32\COMRes.dll ],

               Base Address: [0x77050000 ], Size: [0x000C5000 ]

        Module Name: [ C:\WINDOWS\system32\OLEAUT32.dll ],

               Base Address: [0x77120000 ], Size: [0x0008B000 ]

        Module Name: [ C:\WINDOWS\system32\WININET.dll ],

               Base Address: [0x771B0000 ], Size: [0x000AA000 ]

        Module Name: [ C:\WINDOWS\system32\SETUPAPI.dll ],

               Base Address: [0x77920000 ], Size: [0x000F3000 ]

        Module Name: [ C:\WINDOWS\system32\CRYPT32.dll ],

               Base Address: [0x77A80000 ], Size: [0x00095000 ]

        Module Name: [ C:\WINDOWS\system32\MSASN1.dll ],

               Base Address: [0x77B20000 ], Size: [0x00012000 ]

        Module Name: [ C:\WINDOWS\system32\urlmon.dll ],

               Base Address: [0x7E1E0000 ], Size: [0x000A2000 ]
[=============================================================================]

    Popups

[=============================================================================]

        Window Name:     ????-????

        Displayed Times: 1

        Window Text:     
[attachment=11001:download.png]			  

[=============================================================================]

    2.a) khsajsf_30.exe - Registry Activities

[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Registry Values Modified:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], 

             Value Name: [ BaseClass ], New Value: [ Drive ]

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], 

             Value Name: [ BaseClass ], New Value: [ Drive ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Registry Values Read:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\INPROCSERVER32 ], 

             Value Name: [  ], Value: [ %SystemRoot%\system32\browseui.dll ], 2 times

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\INPROCSERVER32 ], 

             Value Name: [ ThreadingModel ], Value: [ Apartment ], 1 time

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\INPROCSERVER32 ], 

             Value Name: [  ], Value: [ %SystemRoot%\system32\browseui.dll ], 1 time

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\INPROCSERVER32 ], 

             Value Name: [ ThreadingModel ], Value: [ Apartment ], 1 time

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\INPROCSERVER32 ], 

             Value Name: [  ], Value: [ %SystemRoot%\system32\browseui.dll ], 2 times

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\INPROCSERVER32 ], 

             Value Name: [ ThreadingModel ], Value: [ Apartment ], 1 time

        Key: [ HKLM\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\INPROCSERVER32 ], 

             Value Name: [  ], Value: [ %SystemRoot%\system32\SHELL32.dll ], 1 time

        Key: [ HKLM\SOFTWARE\CLASSES\DIRECTORY ], 

             Value Name: [ AlwaysShowExt ], Value: [  ], 1 time

        Key: [ HKLM\SOFTWARE\CLASSES\DRIVE\SHELLEX\FOLDEREXTENSIONS\{FBEB8A05-BEEE-4442-804E-409D6C4515E9} ], 

             Value Name: [ DriveMask ], Value: [ 32 ], 1 time

        Key: [ HKLM\SOFTWARE\Microsoft\CTF\SystemShared\ ], 

             Value Name: [ CUAS ], Value: [ 0 ], 1 time

        Key: [ HKLM\SYSTEM\CurrentControlSet\Control\Session Manager ], 

             Value Name: [ CriticalSectionTimeout ], Value: [ 2592000 ], 1 time

        Key: [ HKLM\SYSTEM\Setup ], 

             Value Name: [ OsLoaderPath ], Value: [ \ ], 2 times

        Key: [ HKLM\SYSTEM\Setup ], 

             Value Name: [ SystemPartition ], Value: [ \Device\HarddiskVolume1 ], 2 times

        Key: [ HKLM\SYSTEM\Setup ], 

             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 1 time

        Key: [ HKLM\Software\Microsoft\COM3 ], 

             Value Name: [ Com+Enabled ], Value: [ 1 ], 2 times

        Key: [ HKLM\Software\Microsoft\COM3 ], 

             Value Name: [ REGDBVersion ], Value: [ 0x0b00000000000000 ], 6 times

        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS ], 

             Value Name: [ * ], Value: [ 1 ], 1 time

        Key: [ HKLM\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL ], 

             Value Name: [ * ], Value: [ 1 ], 1 time

        Key: [ HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows ], 

             Value Name: [ AppInit_DLLs ], Value: [  ], 1 time

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 

             Value Name: [ DevicePath ], Value: [ %SystemRoot%\inf ], 1 time

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion ], 

             Value Name: [ ProgramFilesDir ], Value: [ C:\Program Files ], 1 time

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 

             Value Name: [ DriverCachePath ], Value: [ %SystemRoot%\Driver Cache ], 2 times

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 

             Value Name: [ LogLevel ], Value: [ 0 ], 2 times

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 

             Value Name: [ ServicePackCachePath ], Value: [ c:\windows\ServicePackFiles\ServicePackCache ], 2 times

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 

             Value Name: [ ServicePackSourcePath ], Value: [ D:\ ], 2 times

        Key: [ HKLM\Software\Microsoft\Windows\CurrentVersion\Setup ], 

             Value Name: [ SourcePath ], Value: [ D:\ ], 2 times

        Key: [ HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers ], 

             Value Name: [ TransparentEnabled ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName ], 

             Value Name: [ ComputerName ], Value: [ PC ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\Joystick\Winmm ], 

             Value Name: [ wheel ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 

             Value Name: [ 1 ], Value: [ 1 ], 95 times

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 

             Value Name: [ 2 ], Value: [ 1 ], 12 times

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 

             Value Name: [ 3 ], Value: [ 1 ], 3 times

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 

             Value Name: [ 4 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 

             Value Name: [ 5 ], Value: [ 1 ], 14 times

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Language Groups ], 

             Value Name: [ 6 ], Value: [ 1 ], 3 times

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ (Default) ], Value: [ 00000409 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000401 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000402 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000403 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000404 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000405 ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000406 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000407 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000408 ], Value: [ 4 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000409 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000040a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000040b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000040c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000040d ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000040e ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000040f ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000410 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000411 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000412 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000413 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000414 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000415 ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000416 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000417 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000418 ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000419 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000041a ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000041b ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000041c ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000041d ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000041e ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000041f ], Value: [ 6 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000420 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000421 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000422 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000423 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000424 ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000425 ], Value: [ 3 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000426 ], Value: [ 3 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000427 ], Value: [ 3 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000429 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000042a ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000042b ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000042c ], Value: [ 6 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000042d ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000042f ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000432 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000434 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000435 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000436 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000437 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000438 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000439 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000043a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000043b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000043e ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000043f ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000440 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000441 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000443 ], Value: [ 6 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000444 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000446 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000447 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000449 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000044a ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000044b ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000044e ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000044f ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000450 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000452 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000456 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000457 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000045a ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000462 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000464 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000465 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000046b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000046c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000046e ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000047a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000047c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000481 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000801 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000804 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000807 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000809 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000080a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000080c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000810 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000813 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000814 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000816 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000081a ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000081d ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000082c ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000083b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000083c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000083e ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000843 ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000085d ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000086b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000C07 ], Value: [ 1 ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c01 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c04 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c07 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c09 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c0a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c0c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c1a ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c3b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00000c6b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001001 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001004 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001007 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001009 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000100a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000100c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000101a ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000103b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001401 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001404 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001407 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001409 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000140a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000140c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000141a ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000143b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001801 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001809 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000180a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000180c ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000181a ], Value: [ 2 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000183b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001c01 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001c09 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001c0a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001c1a ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00001c3b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002001 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002009 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000200a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000201a ], Value: [ 5 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000203b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002401 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002409 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000240a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000243b ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002801 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002809 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000280a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002c01 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002c09 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00002c0a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003001 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003009 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000300a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003401 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003409 ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000340a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003801 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000380a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003c01 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00003c0a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00004001 ], Value: [  ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000400a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000440a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000480a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 00004c0a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Nls\Locale ], 

             Value Name: [ 0000500a ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Control\Terminal Server ], 

             Value Name: [ TSAppCompat ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\LDAP ], 

             Value Name: [ LdapClientIntegrity ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 

             Value Name: [ Domain ], Value: [  ], 3 times

        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 

             Value Name: [ Hostname ], Value: [ pc ], 3 times

        Key: [ HKLM\System\CurrentControlSet\Services\Tcpip\Parameters ], 

             Value Name: [ UseDomainNameDevolution ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters ], 

             Value Name: [ WinSock_Registry_Version ], Value: [ 2.0 ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 

             Value Name: [ Num_Catalog_Entries ], Value: [ 3 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 

             Value Name: [ Serial_Access_Num ], Value: [ 4 ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ DisplayString ], Value: [ Tcpip ], 4 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ Enabled ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ ProviderId ], Value: [ 0x409d05229e7ecf11ae5a00aa00a7112b ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ SupportedNameSpace ], Value: [ 12 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 ], 

             Value Name: [ Version ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ DisplayString ], Value: [ NTDS ], 4 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ Enabled ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\winrnr.dll ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ ProviderId ], Value: [ 0xee37263b80e5cf11a55500c04fd8d4ac ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ SupportedNameSpace ], Value: [ 32 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 ], 

             Value Name: [ Version ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ DisplayString ], Value: [ Network Location Awareness (NLA) Namespace ], 4 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ Enabled ], Value: [ 1 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ LibraryPath ], Value: [ %SystemRoot%\System32\mswsock.dll ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ ProviderId ], Value: [ 0x3a244266a83ba64abaa52e0bd71fdd83 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ StoresServiceClassInfo ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ SupportedNameSpace ], Value: [ 15 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 ], 

             Value Name: [ Version ], Value: [ 0 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 

             Value Name: [ Next_Catalog_Entry_ID ], Value: [ 1020 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 

             Value Name: [ Num_Catalog_Entries ], Value: [ 13 ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 

             Value Name: [ Serial_Access_Num ], Value: [ 6 ], 2 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\rsvpsp.d ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013 ], 

             Value Name: [ PackedCatalogItem ], Value: [ %SystemRoot%\system32\mswsock. ], 1 time

        Key: [ HKLM\System\Setup ], 

             Value Name: [ SystemSetupInProgress ], Value: [ 0 ], 2 times

        Key: [ HKLM\System\WPA\PnP ], 

             Value Name: [ seed ], Value: [ 1274198464 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 

             Value Name: [ Language Hotkey ], Value: [ 1 ], 4 times

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Keyboard Layout\Toggle ], 

             Value Name: [ Layout Hotkey ], Value: [ 2 ], 4 times

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ ], 

             Value Name: [ ShellState ], Value: [ 0x2400000038080000000000000000000000000000010000000d0000000000 ], 2 times

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ DontPrettyPath ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ Filter ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ Hidden ], Value: [ 1 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ HideFileExt ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ HideIcons ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ MapNetDrvBtn ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ NoNetCrawling ], Value: [ 1 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ SeparateProcess ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ ShowCompColor ], Value: [ 1 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ ShowInfoTip ], Value: [ 1 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ ShowSuperHidden ], Value: [ 1 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ WebView ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], 

             Value Name: [ Data ], Value: [ 0x000000005c005c003f005c0049004400450023004300640052006f006d00 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094da8-30a0-11dd-817b-806d6172696f}\ ], 

             Value Name: [ Generation ], Value: [ 1 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], 

             Value Name: [ Data ], Value: [ 0x000000005c005c003f005c00530054004f00520041004700450023005600 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{a1094daa-30a0-11dd-817b-806d6172696f}\ ], 

             Value Name: [ Generation ], Value: [ 1 ], 2 times

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ ListviewAlphaSelect ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ ListviewShadow ], Value: [ 0 ], 1 time

        Key: [ HKU\S-1-5-21-842925246-1425521274-308236825-500\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ], 

             Value Name: [ ListviewWatermark ], Value: [ 1 ], 1 time
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Monitored Registry Keys:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Key: [ HKLM\Software\Classes ], 

             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times

        Key: [ HKLM\Software\Classes\CLSID ], 

             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 2 times

        Key: [ HKLM\Software\Microsoft\COM3 ], 

             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 6 times

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5 ], 

             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time

        Key: [ HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9 ], 

             Watch subtree: [ 0 ], Notify Filter: [ Key Change ], 1 time

        Key: [ HKU ], 

             Watch subtree: [ 1 ], Notify Filter: [ Key Change,Value Change ], 3 times

[=============================================================================]

    2. khsajsf_30.exe - File Activities

[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Files Deleted:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj1.tmp ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Files Created:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsj1.tmp ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDLogicUtils.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMDownload.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMNetGetInfo.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMSkin.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\dl.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\hu.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\res ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\res\onlineWnd.zip ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\tmpqklee9.dll ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Files Read:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\res\onlineWnd.zip ]

        File Name: [ C:\WINDOWS\Registration\R00000000000b.clb ]

        File Name: [ C:\WINDOWS\win.ini ]

        File Name: [ C:\khsajsf_30.exe ]

        File Name: [ PIPE\lsarpc ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Files Modified:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nse2.tmp ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDLogicUtils.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMDownload.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMNetGetInfo.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMSkin.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\dl.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\hu.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\res\onlineWnd.zip ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\tmpqklee9.dll ]

        File Name: [ MountPointManager ]

        File Name: [ PIPE\lsarpc ]

        File Name: [ WMIDataDevice ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Directories Created:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Directory: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp ]

        Directory: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\res ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    File System Control Communication:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File: [ C:\Program Files\Common Files\ ], Control Code: [ 0x00090028 ], 1 time

        File: [ PIPE\lsarpc ], Control Code: [ 0x0011C017 ], 6 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Device Control Communication:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File: [ \Device\KsecDD ], Control Code: [ 0x00390008 ], 8 times

        File: [ IDE#CdRomQEMU_QEMU_CD-ROM________________________0.9.____#4d51303030302033202020202020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time

        File: [ MountPointManager ], Control Code: [ 0x006D0008 ], 2 times

        File: [ STORAGE#Volume#1&30a96598&0&SignatureB15FB15FOffset7E00Length13F291800#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} ], Control Code: [ 0x004D0008 ], 1 time

        File: [ MountPointManager ], Control Code: [ 0x006D0034 ], 4 times

        File: [ WMIDataDevice ], Control Code: [ 0x0022414C ], 1 time

        File: [ WMIDataDevice ], Control Code: [ 0x00228144 ], 2 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Memory Mapped Files:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMNetGetInfo.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\BDMSkin.dll ]

        File Name: [ C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsp3.tmp\tmpqklee9.dll ]

        File Name: [ C:\WINDOWS\System32\mswsock.dll ]

        File Name: [ C:\WINDOWS\System32\winrnr.dll ]

        File Name: [ C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\COMCTL32.dll ]

        File Name: [ C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5512_x-ww_dfb54e0c\gdiplus.dll ]

        File Name: [ C:\WINDOWS\WindowsShell.Manifest ]

        File Name: [ C:\WINDOWS\system32\CLBCATQ.DLL ]

        File Name: [ C:\WINDOWS\system32\COMRes.dll ]

        File Name: [ C:\WINDOWS\system32\DNSAPI.dll ]

        File Name: [ C:\WINDOWS\system32\MSCTF.dll ]

        File Name: [ C:\WINDOWS\system32\PSAPI.DLL ]

        File Name: [ C:\WINDOWS\system32\RichEd20.dll ]

        File Name: [ C:\WINDOWS\system32\SETUPAPI.dll ]

        File Name: [ C:\WINDOWS\system32\SHELL32.dll ]

        File Name: [ C:\WINDOWS\system32\SHFOLDER.dll ]

        File Name: [ C:\WINDOWS\system32\UxTheme.dll ]

        File Name: [ C:\WINDOWS\system32\WININET.dll ]

        File Name: [ C:\WINDOWS\system32\WINMM.dll ]

        File Name: [ C:\WINDOWS\system32\WS2HELP.dll ]

        File Name: [ C:\WINDOWS\system32\WS2_32.dll ]

        File Name: [ C:\WINDOWS\system32\browseui.dll ]

        File Name: [ C:\WINDOWS\system32\dbghelp.dll ]

        File Name: [ C:\WINDOWS\system32\imm32.dll ]

        File Name: [ C:\WINDOWS\system32\msimg32.dll ]

        File Name: [ C:\WINDOWS\system32\rpcss.dll ]

        File Name: [ C:\WINDOWS\system32\urlmon.dll ]
[=============================================================================]

    2.c) khsajsf_30.exe - Other Activities

[=============================================================================]

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Mutexes Created:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Mutex: [ CTF.Asm.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]

        Mutex: [ CTF.Compart.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]

        Mutex: [ CTF.LBES.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]

        Mutex: [ CTF.Layouts.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]

        Mutex: [ CTF.TMD.MutexDefaultS-1-5-21-842925246-1425521274-308236825-500 ]

        Mutex: [ CTF.TimListCache.FMPDefaultS-1-5-21-842925246-1425521274-308236825-500MUTEX.DefaultS-1-5-21-842925246-1425521274-308236825-500 ]

        Mutex: [ MSCTF.Shared.MUTEX.IFG ]

        Mutex: [ ZonesCacheCounterMutex ]

        Mutex: [ ZonesCounterMutex ]

        Mutex: [ ZonesLockedCacheCounterMutex ]
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Keyboard Keys Monitored:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Virtual Key Code: [ VK_SHIFT (16) ], 1 time

        Virtual Key Code: [ VK_ESCAPE (27) ], 22 times
[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

    Windows SEH exceptions:

[=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=]

        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10039fef ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003a286 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003a62f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003a8b3 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100788cc ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1007899c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10078b71 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10078e14 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10078e92 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10079754 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100797d2 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10079c36 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10032575 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003299e ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10032a1c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10032eef ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10032f6d ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003336f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003354c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1006c0cf ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1006c775 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10033b84 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10033c5f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10033ef5 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100344bc ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003453a ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10034cec ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10041d95 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10041f7b ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1004206c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10042469 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100424e7 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10042682 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100436f1 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1004376f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002e5b6 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002e76b ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002ec22 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002eddc ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002f2b9 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002f42c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002f644 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002fc62 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002ff55 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10030488 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10030593 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1003079d ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100309bf ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10030be6 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10030c64 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10030ed8 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10031ca1 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10062a65 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10062efb ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10063016 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10063b30 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10063c21 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10063dc1 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10063e3f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1006443d ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100648ab ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10072310 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1007277f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10072b06 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100737cf ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1007389f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10073bdf ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100217a2 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10021854 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002191a ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10021bbe ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10021cd9 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002201a ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002247f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002267c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100226fa ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10022778 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10022ad5 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10022ea8 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002334d ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1005613f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10056205 ], 1 time
        Description: [ Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x10056278 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x100562f0 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10056525 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10056df8 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10056fc8 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10057821 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1005789f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10057dc8 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10057e46 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1005817c ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10058383 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x10058474 ], 1 time
        Description: [ Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x1002c8f2 ], 1 time
        Description: [ Exception 0xc0000094 (STATUS_INTEGER_DIVIDE_BY_ZERO) at 0x1002c974 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002c9ec ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002cd06 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002cd84 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002cecd ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002cfe8 ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002d52f ], 1 time
        Description: [ Exception 0xc0000005 (STATUS_ACCESS_VIOLATION) at 0x1002d734 ], 1 time
[#############################################################################]

                       International Secure Systems Lab                        
 http://www.iseclab.org                             
Vienna University of Technology     Eurecom France            UC Santa Barbara

http://www.tuwien.ac.at          http://www.eurecom.fr  http://www.cs.ucsb.edu
                          Contact: anubis@iseclab.org

post-54883-0-36332600-1387808880_thumb.p

Edited by JMC31337

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.