forked from scottydelta/autoreg-parse
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathExample_Output.txt
114 lines (90 loc) · 3.65 KB
/
Example_Output.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
Auto Registry Parser now supports a plugin framework. Here are some examples:
autoreg-parse.py -p runkeys -soft goog/software -nt goog/NTUSER.DAT -sys goog/system
===================================================
TRADITIONAL "RUN" KEYS
===================================================
Key: BluetoothAuthenticationAgent
Value: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
RegPath: Microsoft\Windows\CurrentVersion\Run
Key: VMware User Process
Value: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
RegPath: Microsoft\Windows\CurrentVersion\Run
Key: LogMeIn GUI
Value: "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
RegPath: Microsoft\Windows\CurrentVersion\Run
python autoreg-parse.py -p services -sys goog/system
Hint...the malware is a service....
===================================================
UNKNOWN/NON-BASELINED TYPE 2 SERVICES)
===================================================
Disp: Google Update Service (gupdate)
Name: . etadpug
Path: "c:\program files\google\desktop\install\{0f91adea-a35c-b700-d36c-83378aa58eea}\ \ \\{0f91adea-a35c-b700-d36c-83378aa58eea}\googleupdate.exe" <
Time: 2013-10-17 11:46:43.680927
===================================================
TYPE 2 SERVICES NOT IN SYSTEM32
===================================================
Disp: HWDeviceService.exe
Name: hwdeviceservice.exe
Path: "c:\documents and settings\all users\application data\datacardservice\hwdeviceservice.exe" -/service
Time: 2013-10-17 04:06:56.718750
Disp: LMIGuardianSvc
Name: lmiguardiansvc
Path: "c:\program files\logmein\x86\lmiguardiansvc.exe"
Time: 2013-10-17 04:06:56.734373
Disp: LogMeIn Kernel Information Provider
Name: lmiinfo
Path: \??\c:\program files\logmein\x86\rainfo.sys
Time: 2013-10-17 04:06:56.734373
Disp: LogMeIn Maintenance Service
Name: lmimaint
Path: "c:\program files\logmein\x86\ramaint.exe"
Time: 2013-10-17 04:06:56.734373
Disp: LogMeIn
Name: logmein
Path: "c:\program files\logmein\x86\logmein.exe"
Time: 2013-10-17 04:06:56.734373
Disp: ???
Name: parvdm
Path: no image path found!
Time: 2013-10-17 04:06:56.734373
Disp: Memory Control Driver
Name: vmmemctl
Path: \??\c:\program files\common files\vmware\drivers\memctl\vmmemctl.sys
Time: 2013-10-17 04:06:56.734373
Disp: VMware Tools
Name: vmtools
Path: "c:\program files\vmware\vmware tools\vmtoolsd.exe"
Time: 2013-10-17 04:06:56.734373
Disp: VMware Physical Disk Helper Service
Name: vmware physical disk helper service
Path: "c:\program files\vmware\vmware tools\vmacthlp.exe"
Time: 2013-10-17 04:06:56.734373
Disp: Google Update Service (gupdate)
Name: . etadpug
Path: "c:\program files\google\desktop\install\{0f91adea-a35c-b700-d36c-83378aa58eea}\ \ \\{0f91adea-a35c-b700-d36c-83378aa58eea}\googleupdate.exe" <
Time: 2013-10-17 11:46:43.680927
python autoreg-parse.py -p userassist -nt goog/NTUSER.DAT
===================================================
USER ASSIST
===================================================
UEME_CTLSESSION
UEME_CTLCUACount:ctor
UEME_UITOOLBAR
UEME_UITOOLBAR:0x1,120
UEME_CTLSESSION
UEME_RUNPIDL:%csidl2%\MSN.lnk
UEME_RUNPIDL:%csidl2%\Windows Media Player.lnk
UEME_RUNPIDL:%csidl2%\Windows Messenger.lnk
UEME_RUNPIDL:%csidl2%\Accessories\Tour Windows XP.lnk
UEME_RUNPIDL:%csidl2%\Accessories\System Tools\Files and Settings Transfer Wizard.lnk
UEME_CTLCUACount:ctor
UEME_RUNCPL
UEME_RUNCPL:SYSDM.CPL
UEME_RUNPATH
UEME_RUNPATH:C:\WINDOWS\system32\tourstart.exe
UEME_RUNPIDL
UEME_RUNPIDL:%csidl2%\Accessories\Command Prompt.lnk
UEME_RUNPIDL:%csidl2%\Accessories
UEME_RUNPATH:C:\WINDOWS\system32\cmd.exe
<snip>