n3w.metraiciono.com

By Pig, May 24, 2010

n3w.metraiciono.com 74.82.57.113

* C&C Server: 74.82.57.113:6567 PASS pr1v4d0onl1n3r
* Server Password:
* Username: XP-5152
* Nickname: [SI|DEU|00|P|69152]
* Channel: #salvando# (Password: c1rc0s0leil)
* Channeltopic: :-

MODE [SI|USA|00|P|84975] -ix
JOIN #n3wb0t# c1rc0s0leil
PRIVMSG #n3wb0t# :[Dl]: File download: 104.1KB to: C:DOCUME~1UserNameLOCALS~1Temperaseme_06333.exe @ 104.1KB/sec.
QUIT [Update]: Updating to new bin.
NICK [SI|USA|00|P|37304]
USER XP-5387 * 0 :COMPUTERNAME
MODE [SI|USA|00|P|37304] -ix
JOIN #salvando# c1rc0s0leil
NICK [SI|USA|00|P|84975]
USER XP-3912 * 0 :COMPUTERNAME

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun “Ci Servs” = SysTuwin.exe
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun “Ci Servs” = SysTuwin.exe
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList “c:canal1.exe” = c:canal1.exe:*:Enabled:Ci Servs
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “Guid” = 8aefce96-4618-42ff-a057-3536aa78233e
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “BitNames” = Error Unusual Info Debug
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetsh “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetsh “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetsh “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetshNapmontr “Guid” = 710adbf0-ce88-40b4-a50d-231ada6593f0
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetshNapmontr “BitNames” = NAP_TRACE_BASE NAP_TRACE_NETSH
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagent “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagent “Active” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagent “ControlFlags” = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagenttraceIdentifier “Guid” = b0278a28-76f1-4e15-b1df-14b209a12613
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagenttraceIdentifier “BitNames” = Error Unusual Info Debug
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{420B2830-E718-11CF-893D-00A0C9054228}1.0 “win32”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “InstallRoot”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “CLRLoadLogDir”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “OnlyUseLatestCLR”
HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Counter”
HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Help”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “EventLogLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “TotalInstanceName”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “DisplayHeapPerfObject”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ProcessNameFormat”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ThreadNameFormat”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Counter”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Help”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Counter”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Help”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf1”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf2”
HKEY_PERFORMANCE_DATA “230 784”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “CurrentBuildNumber”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Repository Directory”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentLocalConfig “Enable Tracing”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentLocalConfig “Tracing Level”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Friendly Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Description”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Vendor Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Info Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Config Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Validator Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Registration Date”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Component Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Friendly Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Description”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Vendor Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Info Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Config Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Validator Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Registration Date”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Component Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Friendly Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Description”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Vendor Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Info Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Config Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Validator Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Registration Date”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Component Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Friendly Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Description”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Vendor Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Info Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Config Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Validator Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Registration Date”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Component Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Friendly Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Description”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Vendor Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Info Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Config Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Validator Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Registration Date”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Component Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Friendly Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Description”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Enabled”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Vendor Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Info Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Config Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Validator Clsid”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Registration Date”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Component Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentLocalConfig “PlumbIpsecPolicy”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ProcessID”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnablePrivateObjectHeap”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ContextLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ObjectLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “IdentifierLimit”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesSharedAccessParametersFirewallPolicyStandardProfileAuthorizedApplicationsList “SysTuwin.exe”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{420B2830-E718-11CF-893D-00A0C9054228}1.0 “win32”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “InstallRoot”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “CLRLoadLogDir”
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “OnlyUseLatestCLR”
HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Counter”
HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Help”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “EventLogLevel”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “TotalInstanceName”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “DisplayHeapPerfObject”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ProcessNameFormat”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ThreadNameFormat”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Counter”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Help”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Counter”
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Help”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf1”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf2”
HKEY_PERFORMANCE_DATA “230 784”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
Enums HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicyAppPatch
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicy
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicyAppPatch
HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicy

File Changes by all processes
New Files c:canal1.exe
DeviceTcp
DeviceIp
DeviceIp
DeviceGpc
DeviceTcp6
C:WINDOWSSysTuwin.exe
C:WINDOWSSysTuwin.exe
DeviceTcp
DeviceIp
DeviceIp
DeviceGpc
DeviceTcp6
DeviceRasAcd
Opened Files C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSsystem32scrrun.dll
.Ip
c:canal1.exe.config
c:canal1.exe
.PIPEEVENTLOG
.PIPEROUTER
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
C:WINDOWS
C:WINDOWSRegistrationR000000000007.clb
.PIPElsarpc
SysTuwin.exe
C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSsystem32scrrun.dll
.Ip
C:WINDOWSSysTuwin.exe.config
C:WINDOWSSysTuwin.exe
.PIPEEVENTLOG
.PIPEROUTER
.PIPElsarpc
c:autoexec.bat
Deleted Files
Chronological Order Create/Open File: c:canal1.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:WINDOWSsystem32scrrun.dll (OPEN_EXISTING)
Get File Attributes: c:canal1.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:canal1.exe
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: c:canal1.exe.config (OPEN_EXISTING)
Open File: c:canal1.exe (OPEN_EXISTING)
Get File Attributes: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorwks.dll
Create/Open File: DeviceGpc (OPEN_ALWAYS)
Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
Open File: .PIPEEVENTLOG (OPEN_EXISTING)
Open File: .PIPEROUTER (OPEN_EXISTING)
Get File Attributes: C:WINDOWSSysTuwin.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:canal1.exe to C:WINDOWSSysTuwin.exe
Set File Attributes: C:WINDOWSSysTuwin.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32netsh.exe
Open File: C:WINDOWS ()
Find File: C:WINDOWSSysTuwin.exe
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Open File: SysTuwin.exe (OPEN_EXISTING)
Create/Open File: C:WINDOWSSysTuwin.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:WINDOWSsystem32scrrun.dll (OPEN_EXISTING)
Get File Attributes: C:WINDOWSSysTuwin.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:WINDOWSSysTuwin.exe
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: C:WINDOWSsystem32mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSSysTuwin.exe.config (OPEN_EXISTING)
Open File: C:WINDOWSSysTuwin.exe (OPEN_EXISTING)
Get File Attributes: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorwks.dll
Create/Open File: DeviceGpc (OPEN_ALWAYS)
Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
Open File: .PIPEEVENTLOG (OPEN_EXISTING)
Open File: .PIPEROUTER (OPEN_EXISTING)
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
Open File: .PIPElsarpc (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk

Categories: Uncategorized
Previous post
Next post