10-30-2014, 07:07 AM
(This post was last modified: 10-30-2014, 07:21 AM by smellysocks.)
(10-30-2014, 06:55 AM)apemanzilla Wrote: Alright, managed to get the file downloaded and sort of working... Except it crashes whenever I tell it to start the bot...
FYI, thought I'd also add, the server check doesn't really do anything AFAIK, you can get as many codes as you want on a virtual machine. So, it must be something to do with the local computer that it changes.
Blah.
It's made with a program called QuickMacro AFAIK, not sure if that's any use to anyone. I'll check more later.
I used regshot to see if I could find anything added before/after adding the program:
Here's what I found:
Code:
After launching the program..
Keys added: 29
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID
HKLM\SOFTWARE\Classes\QMPlugin.File
HKLM\SOFTWARE\Classes\QMPlugin.File\CLSID
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu\OpenWithList
Values added: 45
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\: "QMPlugin.File"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\Desktop\LAZYPR~1.35\plugin\FILE.dll"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{57477331-126E-4FC8-B430-1C6143484AA9}\ProgID\: "QMPlugin.File"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\: "QMDispatch.QMRoutine"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\: "QMDispatch.QMRoutine"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32\: "ole32.dll"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32\: "C:\DOCUME~1\ADMINI~1\Desktop\LAZYPR~1.35\LAZYPR~1.EXE"
HKLM\SOFTWARE\Classes\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\: "QMDispatch.QMLibrary"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\: "C:\DOCUME~1\ADMINI~1\APPLIC~1\mymacro\qdisp.dll"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel: "Apartment"
HKLM\SOFTWARE\Classes\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\: "QMDispatch.QMLibrary"
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\: "MyMacro.MyGUIMacroControlServer"
HKLM\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID\: "{DACDED71-1201-4F76-9C30-BDA795A55678}"
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary\: "QMDispatch.QMLibrary"
HKLM\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\: "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine\: "QMDispatch.QMRoutine"
HKLM\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\: "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\: "QMDispatch.QMVBSRoutine"
HKLM\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\: "{241D7F03-9232-4024-8373-149860BE27C0}"
HKLM\SOFTWARE\Classes\QMPlugin.File\: "QMPlugin.File"
HKLM\SOFTWARE\Classes\QMPlugin.File\CLSID\: "{57477331-126E-4FC8-B430-1C6143484AA9}"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\b: 52 00 65 00 67 00 73 00 68 00 6F 00 74 00 2D 00 78 00 38 00 36 00 2D 00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 2E 00 65 00 78 00 65 00 00 00 43 00 3A 00 5C 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 20 00 61 00 6E 00 64 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 5C 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 5C 00 4D 00 79 00 20 00 44 00 6F 00 63 00 75 00 6D 00 65 00 6E 00 74 00 73 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\b: "C:\Documents and Settings\Administrator\My Documents\1.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\a: "C:\Documents and Settings\Administrator\My Documents\1.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu\OpenWithList\a: "Regshot-x86-Unicode.exe"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hivu\OpenWithList\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31249: "Transfers copies of the selected items to a public Web page so that you can share them with other people."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31242: "Rename this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31244: "Move this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31246: "Copy this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31248: "Publish this file to the Web"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31370: "E-mail this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31252: "Delete this file"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\Administrator\Desktop\LazyPressing v1.35\LazyPressing v1.35.exe: "QMacro's macro runner."
Values modified: 5
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: DF 2B 8C F7 77 AF 32 A2 D8 E6 3D 2D AF 9E 86 E4 B5 3B DD 0A C1 46 AE C0 AD 55 DE 2A D3 7A 07 8A 38 EE 72 9C C1 5E 0D E8 C7 B1 3E 24 46 68 97 E8 57 DC 33 36 AD DC 0F 68 08 A2 46 39 A0 3D 49 6A FD 3D 02 85 1C 86 87 D4 37 74 03 97 66 7B 8D EA
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 4D 07 1C A3 A0 95 48 74 16 A6 E8 E2 58 CE D9 8D 0D 24 D8 79 4C 7D C3 D7 1D D3 99 C2 D2 46 4F D6 0A 0A A2 CA 75 DE C1 98 95 AF 09 F7 4F AD 46 7D 2F F9 AA E5 1E 3C 01 53 69 FD C6 A5 70 69 FA F0 B5 66 CF CF 7A 6D 0D 3B 1E 2B 0C 3D BA 8B 6E 95
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "a"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 06 00 00 00 D0 A9 0C F9 C4 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 07 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
Total changes: 79
Requesting the trial successfully
Keys added: 8
HKLM\SOFTWARE\Brothers
HKLM\SOFTWARE\Brothers\Reg
HKLM\SOFTWARE\Brothers\Reg\Q10061
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5\Shell
Values added: 12
HKLM\SOFTWARE\Microsoft\Internet Explorer\Ver: "6f8a9300"
HKLM\SOFTWARE\Brothers\Reg\Q10061\Code: "633D947CCC82144C1C5BF9420D0DBFA8B58F35D264964F907A1BC0DAB3C77B95F97FFC7AED6368EF"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\d: "C:\Documents and Settings\Administrator\Local Settings\Temp\11.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\c: "C:\Documents and Settings\Administrator\Local Settings\Temp\11.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1: 4A 00 31 00 00 00 00 00 5D 45 36 B1 10 00 41 44 4D 49 4E 49 7E 31 00 00 32 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 36 B1 14 00 00 00 41 00 64 00 6D 00 69 00 6E 00 69 00 73 00 74 00 72 00 61 00 74 00 6F 00 72 00 00 00 18 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0: 4C 00 31 00 00 00 00 00 5D 45 06 AF 12 00 4C 4F 43 41 4C 53 7E 31 00 00 34 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 21 B1 14 00 00 00 4C 00 6F 00 63 00 61 00 6C 00 20 00 53 00 65 00 74 00 74 00 69 00 6E 00 67 00 73 00 00 00 18 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0: 34 00 31 00 00 00 00 00 5D 45 98 B2 10 00 54 65 6D 70 00 00 20 00 03 00 04 00 EF BE 5D 45 C2 B0 5D 45 98 B2 14 00 00 00 54 00 65 00 6D 00 70 00 00 00 14 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0\NodeSlot: 0x00000005
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\1\0\0\MRUListEx: FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\Bags\5\Shell\FolderType: "Documents"
Values modified: 6
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "dcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "ba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0A 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\NodeSlots: 02 02 02 02 02
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 00 00 00 00 02 00 00 00 01 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\MRUListEx: 00 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\1\0\0\MRUListEx: 01 00 00 00 00 00 00 00 FF FF FF FF
and
Values added: 7
HKLM\SOFTWARE\Microsoft\Internet Explorer\RN0F36C6F337B05EB8644E6C694A098C866EC5646098579A54B57D768181380D2BBF41F3109F7A0E5B38B5D6BED6E87E6AE73F0905FE6CA6A18848D4F5C4B7A9D59B51693A48ACBF5B60D0808C29BB83660DA5E535ADDD8440AE61FF9FBDD1710D: "8747E76F996AE043"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\g: "C:\Documents and Settings\Administrator\My Documents\33.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\e: "C:\Documents and Settings\Administrator\My Documents\33.hivu"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31234: "These tasks apply to the files and folders you select."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31243: "Gives this file or folder a new label that you type for it."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31371: "Sends an e-mail message with copies of the selected files, or the files within a selected folder."
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-31253: "Moves the selected items to the Recycle Bin. If you want to recover them later, go to the Recycle Bin."
Values modified: 9
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 06 97 FF DD E4 DB 47 23 08 60 18 CC 05 EF CF 97 67 69 BE 60 DF A2 00 97 22 20 5C 0E 96 30 A7 3D 2A B9 A2 82 6E D3 AF 2D E8 31 B3 40 F0 64 36 D2 C0 AA 3E 4B 82 EA AE 83 69 53 2F DA E2 7D C1 0F C0 51 8E 9E 14 53 54 B5 0D FE D1 C8 D5 34 2D 5E
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 9F B3 8C 22 12 C4 52 8B 68 EC 97 33 A5 03 DD 54 A1 F4 70 B3 62 BE AD 05 9C C7 15 21 81 26 23 70 0D 69 23 86 4E B3 6B B7 29 2B 32 B3 96 7F EF 32 3B 48 08 4A C0 AD BD 6E 77 77 45 DF 2D 51 55 20 D1 B7 67 65 E8 45 5C 1F 4C 6C 1E 1D 27 A1 21 42
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "cba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU\MRUList: "bca"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "fedcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*\MRUList: "gfedcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "dcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\hivu\MRUList: "edcba"
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 08 00 00 00 50 A2 37 C6 C7 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 01 00 00 00 09 00 00 00 10 0F 06 79 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 06 00 00 00 00 FE DE 82 C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 07 00 00 00 50 2D 21 78 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 07 00 00 00 10 0F 06 79 C9 F3 CF 01
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0A 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 46 00 00 00 0C 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 C0 C5 3F 00 C5 F3 CF 01 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 5E 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 01 00 00 00 00 00 00 00 02 00 00 00 FF FF FF FF
HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\ShellNoRoam\BagMRU\MRUListEx: 02 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF
Total changes: 16
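
The `HRZR_...` entries in the dump above are Explorer's UserAssist launch counters, whose value names are ROT13-encoded. The following is an added example, not part of the original post: it decodes three lines copied from the dump and labels the key families that Explorer and the OS maintain on their own. It assumes the 16-byte Windows XP value layout (session id, counter starting at 5, FILETIME); the function names and the noise list are illustrative.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNTER_BASE = 5  # assumption: XP-era UserAssist counters start at 5

# Key families written by Explorer/the OS itself (illustrative list).
SHELL_NOISE = {
    "\\Explorer\\UserAssist": "Explorer program-launch counter",
    "\\Explorer\\ComDlg32": "Open/Save dialog history",
    "\\Explorer\\FileExts": "open-with history for a file extension",
    "\\ShellNoRoam": "folder view state and shell string cache",
    "\\Cryptography\\RNG\\Seed": "system RNG seed, changes on its own",
}

# Lines copied from the Regshot output above.
SAMPLE = [
    r"HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 06 00 00 00 00 61 D1 8C C6 F3 CF 01",
    r"HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Nqzvavfgengbe\Qrfxgbc\YnmlCerffvat i1.35\YnmlCerffvat i1.35.rkr: 01 00 00 00 07 00 00 00 10 0F 06 79 C9 F3 CF 01",
    r"HKU\S-1-5-21-343818398-861567501-682003330-500\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 01 00 00 00 06 00 00 00 00 FE DE 82 C6 F3 CF 01",
]


def split_value_line(line):
    """Split a Regshot 'key\\value: data' line on the last ': '.

    The value name may itself contain ':' (as in 'HRZR_EHACNGU:P:\\...'),
    so only the final colon-space separates the path from the data.
    """
    path, _, data = line.rpartition(": ")
    return path, data


def shell_noise(path):
    """Return a label if the path is OS/Explorer bookkeeping, else None."""
    for fragment, label in SHELL_NOISE.items():
        if fragment.lower() in path.lower():
            return label
    return None


def decode_userassist(line):
    """Decode one UserAssist line: ROT13 name plus XP-layout counters."""
    path, data = split_value_line(line)
    name = codecs.decode(path.split("\\Count\\", 1)[1], "rot_13")
    raw = bytes.fromhex(data)
    if len(raw) != 16:  # not the XP layout; report the name only
        return {"name": name, "session": None, "runs": None, "last_run": None}
    session, counter, filetime = struct.unpack("<IIQ", raw)
    # FILETIME counts 100 ns ticks since 1601-01-01 UTC.
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {
        "name": name,
        "session": session,
        "runs": max(counter - XP_COUNTER_BASE, 0),
        "last_run": last_run,
    }


if __name__ == "__main__":
    for line in SAMPLE:
        entry = decode_userassist(line)
        print(shell_noise(split_value_line(line)[0]), "|", entry["name"],
              "| runs:", entry["runs"], "| last run (UTC):", entry["last_run"])
```
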