webpro569.redirectme.net

DNS Lookup
Host Name                  IP Address
webpro569.redirectme.net   46.4.245.19

C&C Server: 46.4.245.19:6667
Server Password:
Username: 0127
Nickname: {N}|DEU|XP|DELL-D3E62F7E26|970986
Channel: #webpro (Password: SRR569)
Channeltopic: :oppp pecie of candy

Registry Changes by all processes
Create or Open
Changes:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Update Sched” = c:\BotCrypted.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Windows Update Sched” = c:\BotCrypted.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List “Windows Update Sched” = c:\BotCrypted.exe

File Changes by all processes
New Files:
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\tmpG843.tmp
C:\Programme\winlogon.exe
\Device\RasAcd
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\google_cacheNulMUTEdshawnexd.tmp
Opened Files:
c:\BotCrypted.exe.config
c:\BotCrypted.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\CLR Security Config\v2.0.50727.42\security.config
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch
C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index39.dat
C:\WINDOWS\assembly\pubpol1.dat
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\WINDOWS\system32\l_intl.nls
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Deleted Files:
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.456.757875
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.456.757875
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.456.758109
Chronological Order:
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: c:\BotCrypted.exe.config (OPEN_EXISTING)
Open File: c:\BotCrypted.exe (OPEN_EXISTING)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Open File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\fusion.localgac Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config (OPEN_EXISTING)
Open File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch (OPEN_EXISTING)
Open File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config (OPEN_EXISTING)
Open File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch (OPEN_EXISTING)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\CLR Security Config\v2.0.50727.42\security.config (OPEN_EXISTING)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch (OPEN_EXISTING)
Open File: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\index39.dat (OPEN_EXISTING)
Find File: C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.INI
Get File Attributes: c:\BotCrypted.exe.config Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\BotCrypted.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:\BotCrypted.INI
Open File: C:\WINDOWS\assembly\pubpol1.dat (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\assembly\GAC\PublisherPolicy.tme Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\machine.config (OPEN_EXISTING)
Find File: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.INI
Find File: C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.INI
Find File: C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.INI
Find File: C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.INI
Get File Attributes: C:\WINDOWS\Globalization\de-de.nlp Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\l_intl.nls (OPEN_EXISTING)
Open File: C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp (OPEN_EXISTING)
Open File: C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp (OPEN_EXISTING)
Get File Attributes: c:\de-DE\oŪá8Wï4T.resources.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de-DE\oŪá8Wï4T.resources\oŪá8Wï4T.resources.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de-DE\oŪá8Wï4T.resources.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de-DE\oŪá8Wï4T.resources\oŪá8Wï4T.resources.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Globalization\de.nlp Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de\oŪá8Wï4T.resources.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de\oŪá8Wï4T.resources\oŪá8Wï4T.resources.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de\oŪá8Wï4T.resources.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: c:\de\oŪá8Wï4T.resources\oŪá8Wï4T.resources.exe Flags: (SECURITY_ANONYMOUS)
Move File: c:\BotCrypted.exe to C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temp\tmpG843.tmp
Delete File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.456.757875
Delete File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.456.757875
Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\CLR Security Config\v2.0.50727.42\security.config.cch.456.758109
Get File Attributes: C:\Programme\winlogon.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\BotCrypted.exe to C:\Programme\winlogon.exe
Set File Attributes: C:\Programme\winlogon.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\google_cacheNulMUTEdshawnexd.tmp Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\google_cacheNulMUTEdshawnexd.tmp
