# Winsock Section…
 * Unknown Connections
 o Host By Name:
 + Requested Host: ns2.mm1-shop.net
 + Resulting Address: 46.3.96.231
 o Connection Established: 0
 o Socket: 0
 * UDP connections_listening
 o Transport Protocol: TCP
 o Local Port: 47154
 o Connection Established: 0
 o Socket: 1296
 * Outgoing Connections
 o Transport Protocol: TCP
 o Remote Address: 87.118.112.244
 o Remote Port: 53
 o Connection Established: 0
 o Socket: 1340
# Registry Section…
 * Created Keys
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VFILT
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccEvtMgr
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPwdSvc
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ccPxySvc
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NISUM
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SymEvent
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SYMTDI
 * Open Keys
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 o Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\SecurityService
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 * Set Value
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: DllName
 o Data: [REG_EXPAND_SZ, value: pmod11.dll]
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: Startup
 o Data: pmod11
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: Impersonate
 o Data: [REG_DWORD, value: 00000001]
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: Asynchronous
 o Data: [REG_DWORD, value: 00000001]
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: MaxWait
 o Data: [REG_DWORD, value: 00000001]
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: j3mod
 o Data: [REG_BINARY, size: 12 bytes]
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
 o Value: C:\11507289.exe
 o Data: C:\11507289.exe:*:Enabled:11507289
 * Query Value
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService
 o Value: DefaultAuthLevel
 o Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11
 o Value: j3mod
 * Delete Value
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VFILT
 o Value: Start
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ccEvtMgr
 o Value: Start
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ccPwdSvc
 o Value: Start
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ccPxySvc
 o Value: Start
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NISUM
 o Value: Start
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SymEvent
 o Value: Start
 o Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SYMTDI
 o Value: Start
# File System Changes…
 * Open File:
 o File: \\.\PIPE\lsarpc
 o File Type: namedpipe
 o Creation/Distribution: OPEN_EXISTING
 o Desired Access: FILE_ANY_ACCESS
 o Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
 o Flags: SECURITY_ANONYMOUS
 o Quantity: 2
 * Create Open File
 o File: \Device\RasAcd
 o File Type: file
 o Source File Hash: hash_error
 o Creation/Distribution: OPEN_ALWAYS
 o Desired Access: FILE_ANY_ACCESS FILE_READ_ACCESS FILE_READ_DATA FILE_LIST_DIRECTORY FILE_WRITE_ACCESS FILE_WRITE_DATA FILE_ADD_FILE
 o Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
 o Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS
 * Create File
 o File: pmod11.dll
 o File Type: file
 o Source File Hash: hash_error
 o Creation/Distribution: CREATE_ALWAYS
 o Desired Access: FILE_ANY_ACCESS
 o Share Access: FILE_SHARE_READ FILE_SHARE_WRITE
 o Flags: FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS