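Technical Information
Note: the category headings that normally group these entries appear to be missing from this listing. As shown, it contains a registry value (the SENS service 'Start' value), command lines with their arguments, file-system paths, entries of the form "from … to …" (source and destination paths), and one window ClassName/WindowName entry. Because the listing does not say whether a given path was created, modified or deleted, and some paths appear more than once, confirm the operation against the original report before using an entry as an indicator.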
- [<HKLM>\SYSTEM\ControlSet001\Services\SENS] 'Start' = '00000002'
- 'C:\953cbae5ee158237df1f6c01b22a\update\update.exe' /passive /norestart
- '%TEMP%\7ZipSfx.000\Windows-KB909520-v1.000-x86-ENU.exe' /passive /norestart
- '<SYSTEM32>\cmd.exe' /S /D /c" ver "
- '<SYSTEM32>\findstr.exe' /i "5\.1\."
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\7ZipSfx.000\x32.bat" "
- '<SYSTEM32>\msiexec.exe' /i PKCS11WrapperSetup.msi /quiet /norestart
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SYSTEM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SAM
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SOFTWARE
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_.DEFAULT
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_MACHINE_SECURITY
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.BTR
- %WINDIR%\basecsp.cat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\$WinMgmt.CFG
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\ComDb.Dat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\domain.txt
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
- %WINDIR%\$NtUninstallbasecsp$\spuninst\spuninst.exe
- %WINDIR%\$NtUninstallbasecsp$\spuninst\spuninst.inf
- %WINDIR%\$NtUninstallbasecsp$\spuninst\updspapi.dll
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-2052111302-484763869-725345543-1003
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\INDEX.MAP
- %WINDIR%\security\res2.log
- %WINDIR%\security\res1.log
- %WINDIR%\security\edbtmp.log
- <SYSTEM32>\SETA.tmp
- %WINDIR%\SECB.tmp
- %WINDIR%\security\logs\update.log
- %WINDIR%\security\Database\update.sdb
- %WINDIR%\security\edb.chk
- %WINDIR%\security\edb.log
- %WINDIR%\security\tmp.edb
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING2.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.DATA
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING1.MAP
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\MAPPING.VER
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\basecsp.cat
- C:\System Volume Information\_restore{E7F0F64C-F7E5-4319-8757-E9A20C1C4E14}\RP16\snapshot\Repository\FS\OBJECTS.MAP
- <SYSTEM32>\SET9.tmp
- <SYSTEM32>\SET8.tmp
- <SYSTEM32>\SET6.tmp
- <SYSTEM32>\SET7.tmp
- C:\953cbae5ee158237df1f6c01b22a\axaltocm.dll
- C:\953cbae5ee158237df1f6c01b22a\basecsp.dll
- C:\953cbae5ee158237df1f6c01b22a\empty.cat
- <SYSTEM32>\PKCS11Wrapper.dll
- %WINDIR%\Installer\288e1.msi
- C:\953cbae5ee158237df1f6c01b22a\pintool.exe
- C:\953cbae5ee158237df1f6c01b22a\spuninst.exe
- C:\953cbae5ee158237df1f6c01b22a\spmsg.dll
- C:\953cbae5ee158237df1f6c01b22a\bcsprsrc.dll
- C:\953cbae5ee158237df1f6c01b22a\ifxcardm.dll
- %TEMP%\7ZipSfx.000\Komponente32.exe
- %TEMP%\7ZipSfx.000\Komponente64.exe
- %TEMP%\7ZipSfx.000\x64.bat
- %TEMP%\7ZipSfx.000\PKCS11WrapperSetup.msi
- %TEMP%\7ZipSfx.000\x32.bat
- %WINDIR%\Installer\MSI1.tmp
- C:\Config.Msi\288e0.rbs
- %WINDIR%\Installer\288df.ipi
- %TEMP%\7ZipSfx.000\Windows-KB909520-v1.000-x86-ENU.exe
- %WINDIR%\Installer\288dd.msi
- C:\953cbae5ee158237df1f6c01b22a\spupdsvc.exe
- %WINDIR%\inf\oem3.inf
- %WINDIR%\inf\oem3.PNF
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- C:\953cbae5ee158237df1f6c01b22a\$shtdwn$.req
- %WINDIR%\basecsp.log
- %WINDIR%\$NtUninstallbasecsp$\reg00006
- %WINDIR%\$NtUninstallbasecsp$\spuninst\spuninst.txt
- %WINDIR%\$NtUninstallbasecsp$\reg00005
- %WINDIR%\$NtUninstallbasecsp$\reg00003
- %WINDIR%\$NtUninstallbasecsp$\reg00004
- C:\953cbae5ee158237df1f6c01b22a\update\update.exe
- C:\953cbae5ee158237df1f6c01b22a\update\update_srv2k3.inf
- C:\953cbae5ee158237df1f6c01b22a\update\updspapi.dll
- C:\953cbae5ee158237df1f6c01b22a\update\basecsp.cat
- C:\953cbae5ee158237df1f6c01b22a\update\spcustom.dll
- C:\953cbae5ee158237df1f6c01b22a\update\eula.txt
- C:\953cbae5ee158237df1f6c01b22a\update\update.ver
- C:\953cbae5ee158237df1f6c01b22a\update\updatebr.inf
- C:\953cbae5ee158237df1f6c01b22a\update\update_win2k.inf
- C:\953cbae5ee158237df1f6c01b22a\update\update_winxp.inf
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\basecsp.cat
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- %WINDIR%\SECB.tmp
- %WINDIR%\imsins.BAK
- %WINDIR%\inf\oem3.inf
- <SYSTEM32>\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
- %WINDIR%\inf\oem3.PNF
- C:\Config.Msi\288e0.rbs
- %WINDIR%\Installer\MSI1.tmp
- %WINDIR%\Installer\288dd.msi
- %WINDIR%\_000006_.tmp.dll
- %WINDIR%\Installer\288df.ipi
- from <SYSTEM32>\SET9.tmp to <SYSTEM32>\ifxcardm.dll
- from <SYSTEM32>\SETA.tmp to <SYSTEM32>\pintool.exe
- from %WINDIR%\security\edbtmp.log to %WINDIR%\security\edb.log
- from <SYSTEM32>\SET8.tmp to <SYSTEM32>\bcsprsrc.dll
- from %WINDIR%\basecsp.cat to %WINDIR%\_000006_.tmp.dll
- from <SYSTEM32>\SET6.tmp to <SYSTEM32>\axaltocm.dll
- from <SYSTEM32>\SET7.tmp to <SYSTEM32>\basecsp.dll
- %WINDIR%\security\edbtmp.log
- ClassName: 'STUFF-BOOT' WindowName: ''