Changeset 1684
- Timestamp:
- 07/11/08 17:05:26 (5 months ago)
- Files:
-
- honeyclient/branches/exp/kindlund-selenium/auto_drive.pl (modified) (1 diff)
- honeyclient/branches/exp/kindlund-selenium/auto_drive2.pl (added)
- honeyclient/branches/exp/kindlund-selenium/bin/bootstrap_agent.sh (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-selenium/etc/honeyclient.xml (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-selenium/lib/HoneyClient/Agent.pm (modified) (5 diffs)
- honeyclient/branches/exp/kindlund-selenium/t/honeyclient_agent.t (modified) (2 diffs)
- honeyclient/branches/exp/kindlund-selenium/thirdparty/capture-mod/FileMonitor.exl (modified) (1 diff)
- honeyclient/branches/exp/kindlund-selenium/thirdparty/capture-mod/RegistryMonitor.exl (modified) (1 diff)
honeyclient/branches/exp/kindlund-selenium/auto_drive.pl
r1677 r1684 25 25 # Drive HoneyClient::Agent::Driver::Browser::IE to a website. 26 26 $som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE", 27 parameters => encode_base64("http://www. google.com"));27 parameters => encode_base64("http://www.cnn.com")); 28 28 29 29 # Check the result to see if any compromise was found. honeyclient/branches/exp/kindlund-selenium/bin/bootstrap_agent.sh
r1672 r1684 9 9 10 10 # Remove any old capture logs entries. 11 rm -rf ~/honeyclient/thirdparty/capture-mod/logs 11 rm -rf ~/honeyclient/thirdparty/capture-mod/logs > /dev/null 2>&1 12 12 13 13 # Determine the IP address of the VM running. … … 31 31 32 32 # Perform an SVN update (optional). 33 svn update33 #svn update 34 34 35 35 # Start up the selenium server. 36 36 cd ~/honeyclient/thirdparty/selenium 37 java -jar selenium-server.jar -trustAllSSLCertificates& 37 # Note: The port listed should match the 'selenium_port' entry in etc/honeyclient.xml 38 java -jar selenium-server.jar -port 4444 -browserSessionReuse -trustAllSSLCertificates& 38 39 cd ~/honeyclient 39 40 honeyclient/branches/exp/kindlund-selenium/etc/honeyclient.xml
r1674 r1684 84 84 <!-- TODO: Update this. XXX: Command-line option, eventually? --> 85 85 <timeout description="How long the Driver waits during a drive operation, before timing out (in seconds)." default="60"> 86 20 86 20 87 87 </timeout> 88 88 <selenium_enable description="If set to 1, then the Agent will attempt to drive the application using Selenium. Otherwise, Win32::Job will be used." default="1"> 89 89 1 90 90 </selenium_enable> 91 <selenium_port description="The TCP port that the Selenium Java server will listen on for requests." default="4444"> 92 4444 93 </selenium_port> 91 94 <Browser> 92 95 <IE> … … 99 102 </process_name> 100 103 <selenium_driver description="The corresponding Selenium browser name to use for this driver." default="*iehta"> 101 *ie hta104 *iexplore 102 105 </selenium_driver> 103 106 </IE> honeyclient/branches/exp/kindlund-selenium/lib/HoneyClient/Agent.pm
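Review bot: The IE driver switches from `*iehta` to `*iexplore` on line 104, yet every exclusion rule added in this same changeset to capture-mod/FileMonitor.exl and RegistryMonitor.exl is keyed on `C:\\WINDOWS\\system32\\mshta\.exe`, the process the `*iehta` launcher runs in; with `*iexplore` the browser presumably runs as iexplore.exe, so those new rules will not match, and switching back later re-enables mshta noise that the old rules never covered. Record that coupling on the driver element, e.g. `<!-- *iehta drives the page through mshta.exe, *iexplore through iexplore.exe; the capture-mod exclusion lists are per-process, so change both together -->`. The new `selenium_port` value is passed straight into WWW::Selenium->new with no range check, so a malformed value only surfaces as a connect failure; the description should at least state that it must match the `-port` argument given to selenium-server.jar in bin/bootstrap_agent.sh.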
r1674 r1684 278 278 use Data::Dumper; 279 279 280 # Make sure ExtUtils::MakeMaker loads. 281 BEGIN { use_ok('ExtUtils::MakeMaker', qw(prompt)) or diag("Can't load ExtUtils::MakeMaker package. Check to make sure the package library is correctly listed within the path."); } 282 require_ok('ExtUtils::MakeMaker'); 283 can_ok('ExtUtils::MakeMaker', 'prompt'); 284 use ExtUtils::MakeMaker qw(prompt); 285 280 286 # Make sure WWW::Selenium loads. 281 287 BEGIN { use_ok('WWW::Selenium') or diag("Can't load WWW::Selenium package. Check to make sure the package library is correctly listed within the path."); } … … 537 543 538 544 my $ret = undef; 545 539 546 # Make sure the PID is defined and not 540 547 # the parent process... … … 672 679 close(REALTIME_CHANGES_FILE); 673 680 681 if (getVar(name => "selenium_enable", 682 namespace => "HoneyClient::Agent::Driver")) { 683 684 my $selenium_port = getVar(name => "selenium_port", 685 namespace => "HoneyClient::Agent::Driver"); 686 diag(""); 687 diag("You appear to have Selenium support enabled."); 688 diag(""); 689 diag("In order to test this support, you will need to make sure the"); 690 diag("Selenium Java server is running before proceeding further."); 691 diag(""); 692 diag("To run the Selenium server, type the following in another Cygwin shell:"); 693 diag(""); 694 diag("cd ~/honeyclient/thirdparty/selenium"); 695 diag("java -jar selenium-server.jar -port " . $selenium_port . " -trustAllSSLCertificates"); 696 diag(""); 697 my $question; 698 $question = prompt("# Is the Selenium server now running?", "yes"); 699 if ($question !~ /^y.*/i) { 700 fail("Selenium server not running."); 701 # Kill the child daemon, if it still exists. 
702 HoneyClient::Agent->destroy(); 703 exit; 704 } 705 diag(""); 706 diag("Note: Once all tests have finished, just press CTRL-C to shutdown the Selenium server."); 707 diag(""); 708 } 709 674 710 diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and no changes..."); 675 711 … … 1405 1441 1406 1442 # Destroy the existing Selenium handle, if our driver changes. 1407 if (defined($SELENIUM) &&1408 ($SELENIUM_DRIVER ne $args{'driver_name'})) {1409 $SELENIUM->stop();1410 $SELENIUM = undef;1411 }1412 1413 # Create a new Selenium handle, if need be.1414 if (!defined($SELENIUM)) {1443 # if (defined($SELENIUM) && 1444 # ($SELENIUM_DRIVER ne $args{'driver_name'})) { 1445 # $SELENIUM->stop(); 1446 # $SELENIUM = undef; 1447 # } 1448 1449 # # Create a new Selenium handle, if need be. 1450 # if (!defined($SELENIUM)) { 1415 1451 1416 1452 $SELENIUM = WWW::Selenium->new( 1417 1453 host => "localhost", 1418 port => 4444, 1419 browser => getVar(name => "selenium_driver", 1454 port => getVar(name => "selenium_port", 1455 namespace => "HoneyClient::Agent::Driver"), 1456 browser => getVar(name => "selenium_driver", 1420 1457 namespace => $args{'driver_name'}), 1458 # TODO: Fix this. 1421 1459 browser_url => "http://localhost", 1460 #browser_url => $args{'parameters'}, 1422 1461 ); 1423 1462 $SELENIUM_DRIVER = $args{'driver_name'}; … … 1425 1464 $SELENIUM->start(); 1426 1465 $SELENIUM->set_timeout($args{'timeout'} * 1000); 1427 $SELENIUM->open("/"); 1466 #$SELENIUM->open("/"); 1467 #$SELENIUM->window_maximize(); 1468 #$SELENIUM->window_focus(); 1469 # } 1470 1471 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'}); 1472 1473 # TODO: We set a parent process ID in our 'status' hash, since it's informational and not 1474 # really being used currently. This is to avoid the corresponding Win32::Process::Info 1475 # calls we would have to make (expensive) that don't currently provide any direct 1476 # benefit. 
1477 $ret->{'status'}->{$$} = undef; 1478 1479 eval { 1480 #$SELENIUM->choose_ok_on_next_confirmation(); 1481 $SELENIUM->open($args{'parameters'}); 1428 1482 $SELENIUM->window_maximize(); 1429 1483 $SELENIUM->window_focus(); 1430 }1431 1432 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'});1433 eval {1434 $SELENIUM->open($args{'parameters'});1435 1484 }; 1436 1485 if ($@) { 1437 1486 # TODO: This may occur when timeouts hit -- which isn't fatal. 1438 $LOG->error("Error: Unable to drive application. " . $@); 1439 # TODO: Is this needed? 1440 $SELENIUM->stop(); 1441 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()") 1442 ->faultstring("Error: Unable to drive application. " . $@); 1487 my $errMsg = $@; 1488 1489 # Check to see if the browser just timed out. 1490 if ($errMsg =~ /Timed out after/i) { 1491 $LOG->warn($args{'driver_name'} . " - Operation Timed Out: " . $args{'parameters'}); 1492 # TODO: Is this needed? 1493 #$SELENIUM->stop(); 1494 #$SELENIUM->start(); 1495 #$SELENIUM->set_timeout($args{'timeout'} * 1000); 1496 #$SELENIUM->open("/"); 1497 #$SELENIUM->window_maximize(); 1498 #$SELENIUM->window_focus(); 1499 } else { 1500 $LOG->error("Error: Unable to drive application. " . $errMsg); 1501 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()") 1502 ->faultstring("Error: Unable to drive application. " . $errMsg); 1503 } 1443 1504 } 1505 $SELENIUM->stop(); 1444 1506 1445 1507 } else { 1446 1508 ### TODO: START 1447 1509 1448 # Create a new Job.1449 my $job = Win32::Job->new();1450 1451 # Sanity check.1452 if (!defined($job)) {1453 $LOG->error("Error: Unable to spawn a new process - " . $^E . ".");1454 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()")1455 ->faultstring("Error: Unable to spawn a new process - " . $^E . 
".");1456 }1457 1458 # Spawn the job.1459 my $processExec = getVar(name => "process_exec",1460 namespace => $args{'driver_name'});1461 my $processName = getVar(name => "process_name",1462 namespace => $args{'driver_name'});1463 my $status = $job->spawn($processExec, $processName . " " . $args{'parameters'});1464 1465 # Sanity check.1466 if (!defined($status)) {1467 $LOG->error("Error: Unable to execute '" . $processExec . "'");1468 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()")1469 ->faultstring("Error: Unable to execute '" . $processExec . "'");1470 }1471 1472 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'});1473 1474 # Run the job.1475 $job->run($args{'timeout'});1476 1477 # Check to see if run fails.1478 $status = $job->status();1479 $ret->{'status'} = $status;1480 1481 # Sanity check.1482 if (!defined($status) ||1483 !scalar(%{$status})) {1484 $LOG->error("Error: Unable to retrieve job status from spawned process.");1485 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()")1486 ->faultstring("Error: Unable to retrieve job status from spawned process.");1487 }1488 1489 # Figure out the correct Process ID.1490 my @keys = keys(%{$status});1491 my $processID = pop(@keys);1492 1493 # Sanity checks.1494 if (!defined($processID) ||1495 !exists($status->{$processID}->{'exitcode'}) ||1496 !defined($status->{$processID}->{'exitcode'})) {1497 $LOG->error("Error: Unable to retrieve job status from spawned process.");1498 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()")1499 ->faultstring("Error: Unable to retrieve job status from spawned process.");1500 }1501 1502 # Check to make sure the exitcode is '293', meaning, that the1503 # application didn't unexpectedly die early.1504 if ($status->{$processID}->{'exitcode'} != 293) {1505 $LOG->warn("Unexpected: '" . $processName . "' process (ID = " . $processID . ") terminated early!");1506 }1510 # Create a new Job. 1511 my $job = Win32::Job->new(); 1512 1513 # Sanity check. 
1514 if (!defined($job)) { 1515 $LOG->error("Error: Unable to spawn a new process - " . $^E . "."); 1516 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()") 1517 ->faultstring("Error: Unable to spawn a new process - " . $^E . "."); 1518 } 1519 1520 # Spawn the job. 1521 my $processExec = getVar(name => "process_exec", 1522 namespace => $args{'driver_name'}); 1523 my $processName = getVar(name => "process_name", 1524 namespace => $args{'driver_name'}); 1525 my $status = $job->spawn($processExec, $processName . " " . $args{'parameters'}); 1526 1527 # Sanity check. 1528 if (!defined($status)) { 1529 $LOG->error("Error: Unable to execute '" . $processExec . "'"); 1530 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()") 1531 ->faultstring("Error: Unable to execute '" . $processExec . "'"); 1532 } 1533 1534 $LOG->info($args{'driver_name'} . " - Driving To Resource: " . $args{'parameters'}); 1535 1536 # Run the job. 1537 $job->run($args{'timeout'}); 1538 1539 # Check to see if run fails. 1540 $status = $job->status(); 1541 $ret->{'status'} = $status; 1542 1543 # Sanity check. 1544 if (!defined($status) || 1545 !scalar(%{$status})) { 1546 $LOG->error("Error: Unable to retrieve job status from spawned process."); 1547 die SOAP::Fault->faultcode(__PACKAGE__ . "->drive()") 1548 ->faultstring("Error: Unable to retrieve job status from spawned process."); 1549 } 1550 1551 # Figure out the correct Process ID. 1552 my @keys = keys(%{$status}); 1553 my $processID = pop(@keys); 1554 1555 # Sanity checks. 1556 if (!defined($processID) || 1557 !exists($status->{$processID}->{'exitcode'}) || 1558 !defined($status->{$processID}->{'exitcode'})) { 1559 $LOG->error("Error: Unable to retrieve job status from spawned process."); 1560 die SOAP::Fault->faultcode(__PACKAGE__ . 
"->drive()") 1561 ->faultstring("Error: Unable to retrieve job status from spawned process."); 1562 } 1563 1564 # Check to make sure the exitcode is '293', meaning, that the 1565 # application didn't unexpectedly die early. 1566 if ($status->{$processID}->{'exitcode'} != 293) { 1567 $LOG->warn("Unexpected: '" . $processName . "' process (ID = " . $processID . ") terminated early!"); 1568 } 1507 1569 1508 1570 ### TODO: END honeyclient/branches/exp/kindlund-selenium/t/honeyclient_agent.t
r1677 r1684 112 112 use Data::Dumper; 113 113 114 # Make sure ExtUtils::MakeMaker loads. 115 BEGIN { use_ok('ExtUtils::MakeMaker', qw(prompt)) or diag("Can't load ExtUtils::MakeMaker package. Check to make sure the package library is correctly listed within the path."); } 116 require_ok('ExtUtils::MakeMaker'); 117 can_ok('ExtUtils::MakeMaker', 'prompt'); 118 use ExtUtils::MakeMaker qw(prompt); 119 114 120 # Make sure WWW::Selenium loads. 115 121 BEGIN { use_ok('WWW::Selenium') or diag("Can't load WWW::Selenium package. Check to make sure the package library is correctly listed within the path."); } … … 205 211 open(REALTIME_CHANGES_FILE, ">", $realtime_changes_file); 206 212 close(REALTIME_CHANGES_FILE); 213 214 # TODO: 215 if (getVar(name => "selenium_enable", 216 namespace => "HoneyClient::Agent::Driver")) { 217 218 my $selenium_port = getVar(name => "selenium_port", 219 namespace => "HoneyClient::Agent::Driver"); 220 diag(""); 221 diag("You appear to have Selenium support enabled."); 222 diag(""); 223 diag("In order to test this support, you will need to make sure the"); 224 diag("Selenium Java server is running before proceeding further."); 225 diag(""); 226 diag("To run the Selenium server, type the following in another Cygwin shell:"); 227 diag(""); 228 diag("cd ~/honeyclient/thirdparty/selenium"); 229 diag("java -jar selenium-server.jar -port " . $selenium_port . " -trustAllSSLCertificates"); 230 diag(""); 231 my $question; 232 $question = prompt("# Is the Selenium server now running?", "yes"); 233 if ($question !~ /^y.*/i) { 234 fail("Selenium server not running."); 235 # Kill the child daemon, if it still exists. 
236 HoneyClient::Agent->destroy(); 237 exit; 238 } 239 diag(""); 240 diag("Note: Once all tests have finished, just press CTRL-C to shutdown the Selenium server."); 241 diag(""); 242 } 207 243 208 244 diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and no changes..."); honeyclient/branches/exp/kindlund-selenium/thirdparty/capture-mod/FileMonitor.exl
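Review bot: The `prompt(...)` on line 232 makes the test suite interactive, and ExtUtils::MakeMaker's prompt returns the default ("yes") when STDIN is not a terminal or PERL_MM_USE_DEFAULT is set, so an unattended run assumes the server is up and later fails with an opaque connection error instead of the intended "Selenium server not running." A TCP connect to localhost:$selenium_port checks the actual precondition without asking anyone; IO::Socket::INET is core and would need loading alongside the other modules. The bare `# TODO:` on line 214 should say what is still pending, and the identical block lives in lib/HoneyClient/Agent.pm's embedded tests, so both copies need the same treatment.
```perl
# Probe the Selenium server instead of asking the operator; prompt() silently
# answers "yes" in non-interactive runs, which defeats the check.
my $probe = IO::Socket::INET->new(PeerAddr => 'localhost',
                                  PeerPort => $selenium_port,
                                  Proto    => 'tcp',
                                  Timeout  => 5);
if (!defined($probe)) {
    fail("Selenium server not running on port " . $selenium_port . ".");
    # Kill the child daemon, if it still exists.
    HoneyClient::Agent->destroy();
    exit;
}
close($probe);
# … unchanged: diag() note about CTRL-C …
```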
r1681 r1684 359 359 + Write C:\\WINDOWS\\system32\\java\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\customProfileDir.* 360 360 + Delete C:\\WINDOWS\\system32\\java\.exe C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\customProfileDir.* 361 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Temp\\.+ 362 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temporary Internet Files\\Content\.IE5\\.+ 363 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temp\\.+tmp 364 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Temp\\.+ 365 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temporary Internet Files\\Content\.IE5\\.+ 366 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Local Settings\\Temp\\.+tmp 367 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+ 368 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Local Settings\\History\\History\.IE5\\.+ 369 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Cookies\\.+ 370 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat 371 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Cookies\\.+ 372 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Cookies\\index.dat 373 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache 374 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\UserData\\.+ 375 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Application Data\\Microsoft\\CryptnetUrlCache 376 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\UserData\\.+ 377 + Write C:\\WINDOWS\\system32\\mshta\.exe 
C:\\Documents and Settings\\.+\\Application Data\\.+ 378 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\Application Data\\.+ 379 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\DRM\\.+ 380 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\Documents and Settings\\.+\\DRM\\.+ 381 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\system32\\Macromed\\Flash\\testUpdate\.txt 382 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Cab.*\.tmp 383 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Cab.*\.tmp 384 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Tar.*\.tmp 385 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Tar.*\.tmp 386 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\WindowsUpdate.log 387 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\system32\\wuweb\.dll 388 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\system32\\wuweb\.dll 389 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp 390 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.dll 391 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.dll 392 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.inf 393 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.inf 394 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.cat 395 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\ICD.?.?\.tmp\\wuweb\.cat 396 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\system32\\CatRoot2\\dberr\.txt 397 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\LastGood\\TMP.*\.tmp 398 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\system32\\SET.*\.tmp 399 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\system32\\SET.*\.tmp 400 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Downloaded Program Files\\SET.*\.tmp 401 + Delete 
C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\Downloaded Program Files\\SET.*\.tmp 402 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.cab\.bak 403 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.cab\.bak 404 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.xml 405 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WuRedir\\9482F4B4-E343-43B6-B170-9A65BC822C77\\wuredir\.cab 406 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.txt 407 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.txt 408 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.cab 409 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wuident\.cab 410 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cab 411 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cab 412 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.inf 413 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.inf 414 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cat 415 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\SoftwareDistribution\\WebSetup\\wsus3setup\.cat 416 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\fla.*\.tmp 417 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\fla.*\.tmp 418 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\VGX.*\.tmp 419 + Delete C:\\WINDOWS\\system32\\mshta\.exe 
C:\\WINDOWS\\wbk.*\.tmp 420 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\.+htm 421 + Write C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\.+html 422 + Delete C:\\WINDOWS\\system32\\mshta\.exe C:\\WINDOWS\\.+tmp honeyclient/branches/exp/kindlund-selenium/thirdparty/capture-mod/RegistryMonitor.exl
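Review bot: Several of the new mshta.exe exclusions are broad enough to hide a dropped payload from the capture client: rule 377 (`+ Write ... C:\\Documents and Settings\\.+\\Application Data\\.+`) suppresses any file mshta.exe writes anywhere under a user's Application Data, and rules 420–422 (`C:\\WINDOWS\\.+htm`, `C:\\WINDOWS\\.+html`, `C:\\WINDOWS\\.+tmp`) do the same for anything under C:\WINDOWS with those suffixes. mshta.exe is the HTML Application host — the process in which a visited page's script runs with full local privileges — so these are exactly the writes a honeyclient exists to catch. Narrow each wildcard to the specific paths that were observed as benign noise (the adjacent rules 373–376 already cover CryptnetUrlCache and UserData individually) and record in a comment why each remaining wildcard was needed. Minor: `index.dat` on 370 and 372 is unescaped, unlike the `\.` used elsewhere in the file.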
r1681 r1684 429 429 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.* 430 430 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\DirectDraw\\MostRecentApplication.* 431 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\EUDC\\.+ 432 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window_Placement 433 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Fullscreen 434 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs 435 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\Locked 436 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\International\\.+ 437 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\P3Global\\Enabled 438 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Extensions\\CmdMapping\\.+ 439 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\.+ 440 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+ 441 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\.+ 442 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+ 443 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState\\.+ 444 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet 445 + SetValueKey 
C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName 446 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect 447 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass 448 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet 449 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MigrateProxy 450 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable 451 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer 452 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 453 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\.+ 454 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\.+ 455 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.+ 456 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU.+ 457 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\Bags.+ 458 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.+\\iexplore\\(Count|Time|Type) 459 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ParseAutoexec 460 + 
SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\.+ 461 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\SystemCertificates\\.+ 462 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Classes\\.+ 463 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 464 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.+ 465 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 466 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Passport.* 467 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+ 468 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Direct3D.+ 469 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\DirectDraw.+ 470 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed 471 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\AudioCompressionManager\\.+ 472 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\.+ 473 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 474 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache. 
475 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\ProxyEnable 476 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\EventLog\\.+ 477 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\EUDC\\.+ 478 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Window_Placement 479 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main\\Fullscreen 480 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs 481 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\Locked 482 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\International\\.+ 483 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\P3Global\\Enabled 484 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Extensions\\CmdMapping\\.+ 485 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder\\.+ 486 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\.+ 487 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\.+ 488 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+ 489 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CabinetState\\.+ 490 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet 
Settings\\ZoneMap\\UNCAsIntranet 491 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName 492 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect 493 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass 494 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet 495 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\MigrateProxy 496 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable 497 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer 498 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 499 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\.+ 500 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\.+ 501 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.+ 502 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU.+ 503 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\Bags.+ 504 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\.+\\iexplore\\(Count|Time|Type) 505 + DeleteValueKey 
C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\ParseAutoexec 506 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\.+ 507 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\SystemCertificates\\.+ 508 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Classes\\.+ 509 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 510 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.+ 511 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 512 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Passport.* 513 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders\\.+ 514 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Direct3D.+ 515 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\DirectDraw.+ 516 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed 517 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\AudioCompressionManager\\.+ 518 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\.+ 519 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Cache.+ 520 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache.+ 521 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SYSTEM\\ControlSet001\\Hardware 
Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\ProxyEnable 522 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SYSTEM\\ControlSet001\\Services\\EventLog\\.+ 523 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Scrunch\\.+ 524 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\MediaPlayer\\.+ 525 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows Media\\.+ 526 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Multimedia\\ActiveMovie\\.+ 527 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\ActiveMovie\\.+ 528 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\MPEG2Demultiplexer\\.+ 529 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Multimedia\\msacm.imaadpcm\\.+ 530 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Scrunch\\.+ 531 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\MediaPlayer\\.+ 532 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows Media\\.+ 533 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Multimedia\\ActiveMovie\\.+ 534 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\ActiveMovie\\.+ 535 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\MPEG2Demultiplexer\\.+ 536 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Multimedia\\msacm.imaadpcm\\.+ 537 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders 538 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders 539 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main 540 + SetValueKey 
C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar 541 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings 542 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SYSTEM\\ControlSet001\\Hardware Profiles\\0001\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings 543 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings 544 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Macromedia\\FlashPlayerUpdate 545 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Macromedia\\FlashPlayer 546 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Macromedia\\FlashPlayer 547 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\\.css\\OpenWithList 548 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\\.css\\OpenWithProgids 549 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ModuleUsage\\C:\/WINDOWS\/System32\/wuweb\.dll 550 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs 551 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\} 552 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}\\DownloadInformation 553 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}\\InstalledVersion 554 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Code Store Database\\Distribution 
Units\\\{6414512B-B978-451D-A0D8-FCFDF33E833C\}\\Contains\\Files 555 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing\\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F 556 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\LowRegistry 557 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Zoom 558 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\CTF\\TIP\\\{1188450c-fdab-47ae-80d8-c9633f71be64\}\\LanguageProfile\\0x00000000\\\{63800dac-e7ca-4df9-9a5c-20765055488d\} 559 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\PhishingFilter 560 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes\\.* 561 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\Extensions\\CmdMapping 562 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchUrl 563 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\IEXPLORE\.EXE\\DefaultIcon 564 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Toolbar\\WebBrowser 565 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Setup\\7\.0 566 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Cached 567 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\SearchScopes 568 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components 569 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Security\\AntiPhishing\\.+\\Smart Screen DAT file 570 + DeleteValueKey 
C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks 571 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\Main 572 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\MPEG2Demultiplexer 573 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCU\\Software\\Microsoft\\Internet Explorer\\PageSetup 574 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\.* 575 + DeleteValueKey C:\\WINDOWS\\system32\\mshta\.exe HKLM\\SOFTWARE\\Microsoft\\PCHealth\\ErrorReporting\\.* 576 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCR\\CLSID\\.* 577 + SetValueKey C:\\WINDOWS\\system32\\mshta\.exe HKCR\\JavaPlugin.*
