A few weeks ago I came across a sample that was reading from and writing a significant amount of data to the registry. Initially, it was thought that the file may be a binary, but after some analysis it was determined that the file is a configuration file for Zeus. Within this blog post we take a look at our analysis of the data I/O in the registry.
More here: http://vrt-blog.snort.org/2014/09/malware-using-registry-to-store-zeus.html