| Registry values | |||
|---|---|---|---|
| Key | Value | Data | Key_Timestamp |
| HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\:::*:::\Default, | |||
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\igfxcui | Default | {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} | 2007-12-13T21:59:58Z |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} | Default | GraphicsShellExt Class | 2007-12-13T21:59:58Z |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\InProcServer32 | Default | C:\WINDOWS\system32\igfxpph.dll | 2007-12-13T21:59:58Z |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4}\ProgID | Default | igfxpph.GraphicsShellExt.1 | 2007-12-13T21:59:58Z |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\New | Default | {D969A300-E7FF-11d0-A93B-00A0C90F2719} | 2007-12-13T22:04:28Z |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719} | Default | Microsoft New Object Service | 2007-12-13T22:04:28Z [Expected value: New Menu Handler] |
| HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D969A300-E7FF-11d0-A93B-00A0C90F2719}\InProcServer32 | Default | %SystemRoot%\system32\SHELL32.dll | 2007-12-13T22:04:28Z [Expected value: %SystemRoot%\system32\shell32.dll] |
| HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Nla\Parameters | ServiceDll | %SystemRoot%\System32\mswsock.dll | 2009-06-11T09:40:54Z [Match: %SystemRoot%\System32\mswsock.dll][Info: Microsoft Windows Sockets 2.0 Service Provider] |
| ntuser_john.dat | |||
| HKU\Software\Microsoft\Windows\CurrentVersion\Run\:::vk:::, | |||
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | CTFMON.EXE | C:\WINDOWS\system32\ctfmon.exe | 2012-10-29T16:40:24Z |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | H/PC Connection Agent | "C:\ARCHIV~1\MI3AA1~1\wcescomm.exe" | 2012-10-29T16:40:24Z |
| HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | AbGame | c:\Winis7\opera.exe | 2012-10-29T16:40:24Z [Match: Winis7\opera.exe][Info: W32.Winiga] |
Maybe you can think that there are too much colors in the html output of Regkeval but you must keep in mind that there can be several thousand lines in the output to review.
The normal output will be full of green lines meaning that it matches exactly with the value that is expected to find so you can browse very quickly the document. Whenever the tool finds any mismatch with a value that is included in the file containing the expected values for the system, the regkeval_val_justif.tsv file, the line will be displayed as red text on white background and it will append to the time field the expected value as it appears in the regkeval_val_justif.tsv file.
When there is a match with any of the keywords contained in the regkeval_val_malw_espec.tsv file the entry is displayed as white on red background if it is classified as malware. But if it is classified as a special value then it will be displayed as blue on yellow background. The classification as malware or value of interest can be made by assigning to the corresponding keyword the string "dos" for malware or the string "cuatro" for values of interest in the regkeval_val_malw_espec.tsv file. In both cases the information included in the regkeval_val_malw_espec.tsv file will be appended to the time field in the output.
If there is no info about the value it is displayed as sunset color (http://en.wikipedia.org/wiki/Sunset_%28color%29 :-) ).
Finally the grey background color is used to display the beginning of the corresponding search path output and the blue background color is used to indicate the beginning of a ntuser.dat file analysis.
No comments:
Post a Comment