Based on the comments on the GOTD download page I thought it might be helpful for some people if I posted some of my log data from monitoring the app in the XP Mode VM.
Installed files:
C:\Documents and Settings\All Users\Application Data\ukl 1KB D
C:\Documents and Settings\All Users\Application Data\ukl\encryptedlogs 1KB D
C:\Documents and Settings\All Users\Application Data\ukl\encryptedlogs\XPMUser 1KB D
C:\Documents and Settings\All Users\Application Data\ukl\encryptedlogs\XPMUser\encryptedscrns 1KB D
C:\Documents and Settings\All Users\Application Data\ukl\encryptedlogs\XPMUser\encryptedscrns\Screenshot_XPMUser_at_VIRTUALXP-53643_16-06-2013_14-12-04 193KB A 6/16/2013 2:12:05 PM
C:\Documents and Settings\All Users\Application Data\ukl\encryptedlogs\XPMUser\log.ukl 2KB A 6/16/2013 2:12:34 PM
C:\Documents and Settings\All Users\Application Data\ukl\ukl.cfg 1KB A 6/16/2013 2:12:59 PM
C:\Documents and Settings\All Users\Application Data\uklpr 1KB D
C:\Documents and Settings\All Users\Application Data\uklpr\appface.dll 726KB A 6/3/2013 5:41:50 AM 3, 9, 5, 3
C:\Documents and Settings\All Users\Application Data\uklpr\kmn2.dll 905KB A 6/3/2013 5:39:26 AM
C:\Documents and Settings\All Users\Application Data\uklpr\KRyLack_Software_Website.url 1KB A 8/18/2006 11:26:52 AM
C:\Documents and Settings\All Users\Application Data\uklpr\LICENSE.txt 4KB A 4/11/2013 3:25:58 PM
C:\Documents and Settings\All Users\Application Data\uklpr\ui.urf 32KB A 8/15/2008 12:55:58 AM
C:\Documents and Settings\All Users\Application Data\uklpr\Ultimate_Keylogger_Website.url 1KB A 7/21/2008 3:11:22 AM
C:\Documents and Settings\All Users\Application Data\uklpr\unukl.exe 81KB A 6/16/2013 2:11:07 PM
C:\Documents and Settings\All Users\Application Data\uklpr\Valla.dll 87KB A 1/17/2009 6:35:16 PM
C:\Documents and Settings\All Users\Application Data\uklpr\wmsvr.chm 75KB A 6/3/2013 5:37:24 AM
C:\Documents and Settings\All Users\Application Data\uklpr\wmsvr.exe 2,875KB A 6/3/2013 5:37:54 AM
Added to registry:
HKEY_CLASSES_ROOT\.key
HKEY_CLASSES_ROOT\.key @ "regfile"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{BA40EA3F-CB42-D425-3C46-BE89B4AAED3D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run ukl "C:\Documents and Settings\All Users\Application Data\uklpr\wmsvr.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\ukl
HKEY_LOCAL_MACHINE\SOFTWARE\ukl\Install
HKEY_LOCAL_MACHINE\SOFTWARE\ukl\Install UninstStr "C:\Documents and Settings\All Users\Application Data\uklpr\unukl.exe /S _?=C:\Documents and Settings\All Users\Application Data\uklpr"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.key @ "regfile"
Process Explorer wmsvr.exe handle view
Process: wmsvr.exe Pid: 2004
Type Name
Desktop \Default
Directory \KnownDlls
Directory \Windows
Directory \BaseNamedObjects
Event \BaseNamedObjects\WinMMConsoleAudioEvent
Event \BaseNamedObjects\crypt32LogoffEvent
File C:\Documents and Settings\All Users\Application Data\uklpr
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6002.22791_x-ww_c8dff154
File C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202
File \Device\KsecDD
File \Device\WMIDataDevice
File \Device\WMIDataDevice
File C:\Documents and Settings\XPMUser\Local Settings\Temp\~DF9F10.tmp
File \Device\Mailslot\vmcape\{82EE79AF-B6E3-40db-9569-3496A68920F5}
Key HKLM
Key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Key HKCU
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
Key HKCU\Software\Classes
Key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
Key HKCU\Software\Classes\CLSID
KeyedEvent \KernelObjects\CritSecOutOfMemoryEvent
Mutant \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Mutant \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Mutant \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Mutant \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Mutant \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Mutant \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-2476373585-4095225231-1238649996-1003MUTEX.DefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Mutant \BaseNamedObjects\ShimCacheMutex
Mutant \BaseNamedObjects\KLUKMainRnnng
Mutant \BaseNamedObjects\MSCTF.Shared.MUTEX.AAK
Process wmsvr.exe(2004)
Section \BaseNamedObjects\DfSharedHeap1449F0D
Section \BaseNamedObjects\DFMap0-21274389
Section \BaseNamedObjects\DfRoot001449F0D
Section \BaseNamedObjects\CiceroSharedMemDefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Section \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-2476373585-4095225231-1238649996-1003SFM.DefaultS-1-5-21-2476373585-4095225231-1238649996-1003
Section \BaseNamedObjects\ShimSharedMemory
Section \BaseNamedObjects\MSCTF.Shared.SFM.AAK
Semaphore \BaseNamedObjects\shell.{A48F1A32-A340-11D1-BC6B-00A0C90312E1}
Semaphore \BaseNamedObjects\OleDfRoot001449F0D
Semaphore \BaseNamedObjects\shell.{210A4BA0-3AEA-1069-A2D9-08002B30309D}
Thread wmsvr.exe(2004): 3072
Thread wmsvr.exe(2004): 3072
Thread wmsvr.exe(2004): 3464
WindowStation \Windows\WindowStations\WinSta0
WindowStation \Windows\WindowStations\WinSta0
Process Explorer file view
Process: wmsvr.exe Pid: 2004
Name Description Company Name Version
~DF9F10.tmp
advapi32.dll Advanced Windows 32 Base API Microsoft Corporation 5.1.2600.5755
appface.dll AppFace User Interface Development Kits Matinsoft Inc. 3.9.5.3
asycfilt.dll Microsoft Corporation 5.1.2600.5949
comctl32.dll User Experience Controls Library Microsoft Corporation 6.0.2900.6028
comdlg32.dll Common Dialogs DLL Microsoft Corporation 6.0.2900.5512
crypt32.dll Crypto API32 Microsoft Corporation 5.131.2600.6369
ctype.nls
FileMonitor32.dll
gdi32.dll GDI Client DLL Microsoft Corporation 5.1.2600.5698
GdiPlus.dll Microsoft GDI+ Microsoft Corporation 5.2.6002.22791
imm32.dll Windows XP IMM32 API Client DLL Microsoft Corporation 5.1.2600.5512
kernel32.dll Windows NT BASE API Client DLL Microsoft Corporation 5.1.2600.6293
kmn2.dll
locale.nls
msasn1.dll ASN.1 Runtime APIs Microsoft Corporation 5.1.2600.5875
MSCTF.dll MSCTF Server DLL Microsoft Corporation 5.1.2600.5512
MSCTFIME.IME Microsoft Text Frame Work Service IME Microsoft Corporation 5.1.2600.5512
msimg32.dll GDIEXT Client DLL Microsoft Corporation 5.1.2600.5512
msvcrt.dll Windows NT CRT DLL Microsoft Corporation 7.0.2600.5512
netapi32.dll Net Win32 API DLL Microsoft Corporation 5.1.2600.6260
ntdll.dll NT Layer DLL Microsoft Corporation 5.1.2600.6055
ole32.dll Microsoft OLE for Windows Microsoft Corporation 5.1.2600.6168
oleacc.dll Active Accessibility Core Component Microsoft Corporation 7.0.2600.6153
oleaccrc.dll Active Accessibility Resource DLL Microsoft Corporation 7.0.2600.6153
oleaut32.dll Microsoft Corporation 5.1.2600.6341
oledlg.dll Microsoft Windows(TM) OLE 2.0 User Interface Support Microsoft Corporation 5.1.2600.5512
olepro32.dll Microsoft Corporation 5.1.2600.5512
psapi.dll Process Status Helper Microsoft Corporation 5.1.2600.5512
rdpsnd.dll Terminal Server MultiMedia Driver Microsoft Corporation 5.1.2600.5512
rpcrt4.dll Remote Procedure Call Runtime Microsoft Corporation 5.1.2600.6022
secur32.dll Security Support Provider Interface Microsoft Corporation 5.1.2600.5834
shell32.dll Windows Shell Common Dll Microsoft Corporation 6.0.2900.6242
shlwapi.dll Shell Light-weight Utility Library Microsoft Corporation 6.0.2900.5912
sortkey.nls
sorttbls.nls
unicode.nls
user32.dll Windows XP USER API Client DLL Microsoft Corporation 5.1.2600.5512
uxtheme.dll Microsoft UxTheme Library Microsoft Corporation 6.0.2900.5512
Valla.dll Valla DLL Edition VM Components 1.0.0.1
version.dll Version Checking and File Installation Libraries Microsoft Corporation 5.1.2600.5512
winmm.dll MCI API DLL Microsoft Corporation 5.1.2600.6160
winspool.drv Windows Spooler Driver Microsoft Corporation 5.1.2600.5512
winsta.dll Winstation Library Microsoft Corporation 5.1.2600.5512
wmsvr.exe
ws2_32.dll Windows Socket 2.0 32-Bit DLL Microsoft Corporation 5.1.2600.5512
ws2help.dll Windows Socket 2.0 Helper for Windows NT Microsoft Corporation 5.1.2600.5512
wsock32.dll Windows Socket 32-Bit DLL Microsoft Corporation 5.1.2600.5512