92.241.164.197

Remote Host Port Number
92.241.164.197 8877

NICK ENGLISH|COMPUTERNAME|241
NICK ENGLISH|COMPUTERNAME|162
USER ENGLISH|COMPUTERNAME|162 0 * :Hoooooly 67893
PONG 781430258
JOIN #free
USER ENGLISH|COMPUTERNAME|241 0 * :Hoooooly 88723
PONG 653356001
PING primax.besecure.biz

Other details

The following ports were open in the system:
Port Protocol Process
1052 TCP reg32.exe (%System%\reg32.exe)
1053 TCP reg32.exe (%System%\reg32.exe)
1054 TCP reg32.exe (%System%\reg32.exe)

Registry Modifications

The following Registry Keys were created:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Enum
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\0000
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\0000\Control
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Enum
The newly created Registry Values are:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Windows Security Layer = “%System%\reg32.exe”
(so that reg32.exe runs every time Windows starts)
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = “SecuLay”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY\0000]
Service = “SecuLay”
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = “LegacyDriver”
ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
DeviceDesc = “Security Layer”
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SECULAY]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Enum]
0 = “Root\LEGACY_SECULAY\0000”
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SecuLay]
Type = 0x00000001
Start = 0x00000004
ErrorControl = 0x00000000
ImagePath = “%System%\drivers\SecuLay.sys”
DisplayName = “Security Layer”
DeleteFlag = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\0000\Control]
*NewlyCreated* = 0x00000000
ActiveService = “SecuLay”
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY\0000]
Service = “SecuLay”
Legacy = 0x00000001
ConfigFlags = 0x00000000
Class = “LegacyDriver”
ClassGUID = “{8ECC055D-047F-11D1-A537-0000F8753ED1}”
DeviceDesc = “Security Layer”
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SECULAY]
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Enum]
0 = “Root\LEGACY_SECULAY\0000”
Count = 0x00000001
NextInstance = 0x00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay\Security]
Security = 01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecuLay]
Type = 0x00000001
Start = 0x00000004
ErrorControl = 0x00000000
ImagePath = “%System%\drivers\SecuLay.sys”
DisplayName = “Security Layer”
DeleteFlag = 0x00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
Windows Sicherheitscenter = “%System%\reg32.exe”
(so that reg32.exe runs every time Windows starts)
The following Registry Value was modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Userinit =

Memory Modifications

There was a new kernel-mode driver installed in the system:
Driver Name Driver Filename
SecuLay.sys %System%\drivers\seculay.sys