Panel here :
http://213.155.20.163/new/auth.php
DNS Lookup
Host Name IP Address
213.155.20.163 213.155.20.163
Data posted to URLs
http://213.155.20.163/new/stat.php (213.155.20.163)
http://213.155.20.163/new/stat.php (213.155.20.163)
Outgoing connection to remote server: 213.155.20.163 TCP port 80
Outgoing connection to remote server: 213.155.20.163 TCP port 80
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “ImagePath” = c:windowssystem32mssrv32.exe
HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “DisplayName” = Microsoft security update service
HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “Description” = This service downloading and installing Windows security updates
HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “ObjectName” = LocalSystem
HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “Start” = [REG_DWORD, value: 00000002]
HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “ErrorControl” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINESYSTEMControlSet001Servicesmsupdate “Type” = [REG_DWORD, value: 00000010]
HKEY_LOCAL_MACHINESYSTEMControlSet001ServicesAFDParameters “DisableRawSecurity” = [REG_DWORD, value: 00000001]
Reads HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “10”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlSecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachedigest.dll “TokenSize”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Name”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Comment”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “RpcId”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Version”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “Type”
HKEY_LOCAL_MACHINESYSTEMControlSet001ControlLsaSspiCachemsnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”
File Changes by all processes
New Files c:windowssystem32mssrv32.exe
DeviceTcp
DeviceIp
DeviceIp
Opened Files .PIPElsarpc
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:WINDOWSsystem32
.PIPElsarpc
c:windowssystem32mssrv32.exe
.PIPEROUTER
c:autoexec.bat
.Ip
Deleted Files c:_bot.exe
Chronological Order Open File: .PIPElsarpc (OPEN_EXISTING)
Copy File: c:_bot.exe to c:windowssystem32mssrv32.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:WINDOWSsystem32 ()
Find File: C:WINDOWSsystem32svchost.exe
Open File: .PIPElsarpc (OPEN_EXISTING)
Delete File: c:_bot.exe
Open File: c:windowssystem32mssrv32.exe (OPEN_EXISTING)
Open File: .PIPEROUTER (OPEN_EXISTING)
Get File Attributes: c:autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:autoexec.bat (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAll UsersAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
Find File: C:WINDOWSsystem32Ras*.pbk
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Find File: C:Dokumente und EinstellungenAdministratorAnwendungsdatenMicrosoftNetworkConnectionsPbk*.pbk
infos about hosting:
http://whois.domaintools.com/213.155.20.163