pimp.foilball.info 78.129.228.56
Resolved: [pimp.foilball.info] To [78.129.228.56]
C&C Server: 78.129.228.56:65267
Server Password:
Username: ylbcherw
Nickname: DEU|00|XP|SP3|7410895
Channel: #NzM# (Password: screwu)
Channeltopic: :.root.start sym 100 5 0 -a -r
Now talking in #NzM#
Topic On: [ #NzM# ] [ .root.start dcom135 200 0 0 59.x.x.x -a -r -s ]
Topic By: [ weeble ]
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters "TransportBindName" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM" = N
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableRemoteConnect" = N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa "restrictanonymous" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server "Enabled" = [REG_BINARY, size: 1 bytes]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters "AutoShareWks" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters "AutoShareServer" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "NameServer" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "ForwardBroadcasts" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "IPEnableRouter" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "Domain" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SearchList" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "UseDomainNameDevolution" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableICMPRedirect" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DeadGWDetectDefault" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DontAddDefaultGatewayDefault" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableSecurityFilters" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "AllowUnqualifiedQuery" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "PrioritizeRecordData" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TCP1320Opts" = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "KeepAliveTime" = [REG_DWORD, value: 00023280]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "BcastQueryTimeout" = [REG_DWORD, value: 000002EE]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "BcastNameQueryCount" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "CacheTimeout" = [REG_DWORD, value: 0000EA60]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "Size/Small/Medium/Large" = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "LargeBufferSize" = [REG_DWORD, value: 00001000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SynAckProtect" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "PerformRouterDiscovery" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnablePMTUBHDetect" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FastSendDatagramThreshold " = [REG_DWORD, value: 00000400]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "StandardAddressLength " = [REG_DWORD, value: 00000018]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultReceiveWindow " = [REG_DWORD, value: 00004000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultSendWindow" = [REG_DWORD, value: 00004000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "BufferMultiplier" = [REG_DWORD, value: 00000200]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "PriorityBoost" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "IrpStackSize" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "IgnorePushBitOnReceives" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableAddressSharing" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "AllowUserRawAccess" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableRawSecurity" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DynamicBacklogGrowthDelta" = [REG_DWORD, value: 00000032]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FastCopyReceiveThreshold" = [REG_DWORD, value: 00000400]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "LargeBufferListDepth" = [REG_DWORD, value: 0000000A]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxActiveTransmitFileCount" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxFastTransmit" = [REG_DWORD, value: 00000040]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "OverheadChargeGranularity" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SmallBufferListDepth" = [REG_DWORD, value: 00000020]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SmallerBufferSize" = [REG_DWORD, value: 00000080]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TransmitWorker" = [REG_DWORD, value: 00000020]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DNSQueryTimeouts" = [REG_MULTI_SZ, value: "1", size: 26 bytes]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultRegistrationTTL" = [REG_DWORD, value: 00000014]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableReplaceAddressesInConflicts" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableReverseAddressRegistrations" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "UpdateSecurityLevel " = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisjointNameSpace" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "QueryIpMatching" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "NoNameReleaseOnDemand" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableDeadGWDetect" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableFastRouteLookup" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxFreeTcbs" = [REG_DWORD, value: 000007D0]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxHashTableSize" = [REG_DWORD, value: 00000800]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SackOpts" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "Tcp1323Opts" = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpMaxDupAcks" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpRecvSegmentSize" = [REG_DWORD, value: 00000585]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpSendSegmentSize" = [REG_DWORD, value: 00000585]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpWindowSize" = [REG_DWORD, value: 0007D200]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultTTL" = [REG_DWORD, value: 00000030]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpMaxHalfOpen" = [REG_DWORD, value: 0000004B]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpMaxHalfOpenRetried" = [REG_DWORD, value: 00000050]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpTimedWaitDelay" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxNormLookupMemory" = [REG_DWORD, value: 00030D40]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FFPControlFlags" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FFPFastForwardingCacheSize" = [REG_DWORD, value: 00030D40]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxForwardBufferMemory" = [REG_DWORD, value: 00019DF7]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxFreeTWTcbs" = [REG_DWORD, value: 000007D0]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "GlobalMaxTcpWindowSize" = [REG_DWORD, value: 0007D200]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnablePMTUDiscovery" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "ForwardBufferMemory" = [REG_DWORD, value: 00019DF7]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "MaxConnectionsPer1_0Server" = [REG_DWORD, value: 00000050]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "MaxConnectionsPerServer" = [REG_DWORD, value: 00000050]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Nod32 Service" = nod64.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Nod32 Service" = nod64.exe
HKEY_CURRENT_USER\Software\Microsoft\OLE "Nod32 Service" = nod64.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "" = :*:Enabled:Nod32 Service
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM" = N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa "restrictanonymous" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NetBT\Parameters "TransportBindName" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wuauserv "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc "Start" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableDCOM" = N
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole "EnableRemoteConnect" = N
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa "restrictanonymous" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\PCT1.0\Server "Enabled" = [REG_BINARY, size: 1 bytes]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters "AutoShareWks" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters "AutoShareServer" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "NameServer" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "ForwardBroadcasts" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "IPEnableRouter" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "Domain" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SearchList" =
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "UseDomainNameDevolution" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableICMPRedirect" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DeadGWDetectDefault" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DontAddDefaultGatewayDefault" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableSecurityFilters" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "AllowUnqualifiedQuery" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "PrioritizeRecordData" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TCP1320Opts" = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "KeepAliveTime" = [REG_DWORD, value: 00023280]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "BcastQueryTimeout" = [REG_DWORD, value: 000002EE]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "BcastNameQueryCount" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "CacheTimeout" = [REG_DWORD, value: 0000EA60]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "Size/Small/Medium/Large" = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "LargeBufferSize" = [REG_DWORD, value: 00001000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SynAckProtect" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "PerformRouterDiscovery" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnablePMTUBHDetect" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FastSendDatagramThreshold " = [REG_DWORD, value: 00000400]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "StandardAddressLength " = [REG_DWORD, value: 00000018]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultReceiveWindow " = [REG_DWORD, value: 00004000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultSendWindow" = [REG_DWORD, value: 00004000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "BufferMultiplier" = [REG_DWORD, value: 00000200]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "PriorityBoost" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "IrpStackSize" = [REG_DWORD, value: 00000004]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "IgnorePushBitOnReceives" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableAddressSharing" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "AllowUserRawAccess" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableRawSecurity" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DynamicBacklogGrowthDelta" = [REG_DWORD, value: 00000032]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FastCopyReceiveThreshold" = [REG_DWORD, value: 00000400]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "LargeBufferListDepth" = [REG_DWORD, value: 0000000A]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxActiveTransmitFileCount" = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxFastTransmit" = [REG_DWORD, value: 00000040]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "OverheadChargeGranularity" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SmallBufferListDepth" = [REG_DWORD, value: 00000020]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SmallerBufferSize" = [REG_DWORD, value: 00000080]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TransmitWorker" = [REG_DWORD, value: 00000020]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DNSQueryTimeouts" = [REG_MULTI_SZ, value: "1", size: 26 bytes]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultRegistrationTTL" = [REG_DWORD, value: 00000014]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableReplaceAddressesInConflicts" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisableReverseAddressRegistrations" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "UpdateSecurityLevel " = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DisjointNameSpace" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "QueryIpMatching" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "NoNameReleaseOnDemand" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableDeadGWDetect" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnableFastRouteLookup" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxFreeTcbs" = [REG_DWORD, value: 000007D0]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxHashTableSize" = [REG_DWORD, value: 00000800]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "SackOpts" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "Tcp1323Opts" = [REG_DWORD, value: 00000003]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpMaxDupAcks" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpRecvSegmentSize" = [REG_DWORD, value: 00000585]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpSendSegmentSize" = [REG_DWORD, value: 00000585]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpWindowSize" = [REG_DWORD, value: 0007D200]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "DefaultTTL" = [REG_DWORD, value: 00000030]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpMaxHalfOpen" = [REG_DWORD, value: 0000004B]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpMaxHalfOpenRetried" = [REG_DWORD, value: 00000050]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "TcpTimedWaitDelay" = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxNormLookupMemory" = [REG_DWORD, value: 00030D40]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FFPControlFlags" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "FFPFastForwardingCacheSize" = [REG_DWORD, value: 00030D40]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxForwardBufferMemory" = [REG_DWORD, value: 00019DF7]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "MaxFreeTWTcbs" = [REG_DWORD, value: 000007D0]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "GlobalMaxTcpWindowSize" = [REG_DWORD, value: 0007D200]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "EnablePMTUDiscovery" = [REG_DWORD, value: 00000001]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters "ForwardBufferMemory" = [REG_DWORD, value: 00019DF7]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "MaxConnectionsPer1_0Server" = [REG_DWORD, value: 00000050]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "MaxConnectionsPerServer" = [REG_DWORD, value: 00000050]
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DisableUNCCheck"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "EnableExtensions"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DelayedExpansion"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "DefaultColor"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "CompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "PathCompletionChar"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor "AutoRun"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DisableUNCCheck"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "EnableExtensions"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DelayedExpansion"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "DefaultColor"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "CompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "PathCompletionChar"
HKEY_CURRENT_USER\Software\Microsoft\Command Processor "AutoRun"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
File Changes by all processes
New Files
c:\a.bat
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\system32\nod64.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
c:\a.bat
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Opened Files
\\.\PhysicalDrive0
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\
\\.\Ip
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\nod64.exe
C:\WINDOWS\system32
c:\a.bat
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
\\.\PhysicalDrive0
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
c:\
\\.\Ip
\\.\PIPE\lsarpc
\\.\PIPE\srvsvc
c:\autoexec.bat
\\.\PIPE\ROUTER
c:\a.bat
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Deleted Files
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
c:\a.bat
Chronological Order
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Create File: c:\a.bat
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\ ()
Find File: C:\a.bat
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\nod64.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\nepenthes\bcb907ea85adcb1baaff5a76c4361e88\nod64.exe to C:\WINDOWS\system32\nod64.exe
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\nod64.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\nod64.exe
Set File Attributes: C:\WINDOWS\system32\nod64.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\nod64.exe
Get File Attributes: C:\ Flags: (SECURITY_ANONYMOUS)
Find File: C:\
Find File: c:\a.bat
Open File: c:\a.bat (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Find File: c:\Echo..*
Find File: c:\Echo.
Find File: C:\WINDOWS\system32\Echo..*
Find File: C:\WINDOWS\system32\Echo.
Find File: C:\WINDOWS\Echo..*
Find File: C:\WINDOWS\Echo.
Find File: C:\WINDOWS\System32\Wbem\Echo..*
Find File: C:\WINDOWS\System32\Wbem\Echo.
Find File: C:\Programme\Intel\DMIX\Echo..*
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg (OPEN_EXISTING)
Get File Attributes: Echo. Flags: (SECURITY_ANONYMOUS)
Find File: c:\REGEDIT.*
Find File: c:\REGEDIT
Find File: C:\WINDOWS\system32\REGEDIT.*
Find File: C:\WINDOWS\system32\REGEDIT
Find File: C:\WINDOWS\REGEDIT.*
Find File: C:\WINDOWS\regedit.COM
Find File: C:\WINDOWS\regedit.EXE
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\regedit.exe
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg (OPEN_EXISTING)
Open File: \\.\PhysicalDrive0 (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create File: c:\a.bat
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: c:\ ()
Find File: C:\a.bat
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: \\.\PIPE\srvsvc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS
Find File: C:\WINDOWS\system32
Find File: c:\a.bat
Open File: c:\a.bat (OPEN_EXISTING)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Find File: C:\WINDOWS\system32\Echo..*
Find File: C:\WINDOWS\system32\Echo.
Find File: C:\WINDOWS\Echo..*
Find File: C:\WINDOWS\Echo.
Find File: C:\WINDOWS\System32\Wbem\Echo..*
Find File: C:\WINDOWS\System32\Wbem\Echo.
Find File: C:\Programme\Intel\DMIX\Echo..*
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg (OPEN_EXISTING)
Get File Attributes: Echo. Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\REGEDIT.*
Find File: C:\WINDOWS\system32\REGEDIT
Find File: C:\WINDOWS\REGEDIT.*
Find File: C:\WINDOWS\regedit.COM
Find File: C:\WINDOWS\regedit.EXE
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\regedit.exe
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp Flags: (SECURITY_ANONYMOUS)
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg
Get File Attributes: c:\a.bat Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Delete File: c:\a.bat
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\1.reg (OPEN_EXISTING)