qia.9966.org 218.10.18.77
Outgoing connection to remote server: qia.9966.org TCP port 8000
Registry Changes by all processes 
 Create or Open 
 Changes  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\fyddos_svcname “Description” = fyddos services descrption
 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “C:\WINDOWS\system32\svchest.exe” = C:\WINDOWS\system32\svchest.exe:*:Enabled:Microsoft (R) Internetal IExplore
 Reads  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
 HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
 HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
 HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
 HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter “Installed”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion “SystemType”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DisableUNCCheck”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “EnableExtensions”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DelayedExpansion”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “DefaultColor”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “CompletionChar”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “PathCompletionChar”
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor “AutoRun”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DisableUNCCheck”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “EnableExtensions”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DelayedExpansion”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “DefaultColor”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “CompletionChar”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “PathCompletionChar”
 HKEY_CURRENT_USER\Software\Microsoft\Command Processor “AutoRun”
 Enums  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo
File Changes by all processes 
 New Files  C:\WINDOWS\system32\svchest.exe
 C:\WINDOWS\TEMP\sgqhp.dll
 \Device\RasAcd
 nul
 Opened Files  C:\WINDOWS\AppPatch\sysmain.sdb
 C:\WINDOWS\AppPatch\systest.sdb
 \Device\NamedPipe\ShimViewer
 C:\WINDOWS\system32
 Deleted Files  c:\amund031e99c6e2537049314d74ec7747ec7.exe
 c:\AMUND0~1.EXE
 Chronological Order  Copy File: c:\amund031e99c6e2537049314d74ec7747ec7.exe to C:\WINDOWS\system32\svchest.exe
 Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
 Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
 Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
 Open File: C:\WINDOWS\system32 ()
 Find File: C:\WINDOWS\system32\cmd.exe
 Create File: C:\WINDOWS\TEMP\sgqhp.dll
 Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
 Get File Attributes: C: Flags: (SECURITY_ANONYMOUS)
 Find File: C:
 Create File: nul
 Get File Attributes: c:\AMUND0~1.EXE Flags: (SECURITY_ANONYMOUS)
 Get File Attributes: c: Flags: (SECURITY_ANONYMOUS)
 Find File: c:\AMUND0~1.EXE
 Delete File: c:\amund031e99c6e2537049314d74ec7747ec7.exe
 Delete File: c:\AMUND0~1.EXE