MicrosoftUpdate.yi.org 217.52.31.124
* C&C Server: 217.52.31.124:6667
* Server Password:
* Username: mfpaqe
* Nickname: srbmrc
* Channel: #cC-Team (Password: x0r)
* Channeltopic:
Registry Changes by all processes
  Create or Open:
  Changes:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0d5C0-4FCB-11CF-AcX5-01401C608592} "StubPath" = c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe
  Reads:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
    HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
    HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
    HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography "MachineGuid"
    HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 "AllowUnsafeObjectPassing"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
File Changes by all processes
  New Files:
    c:\Update.exe
    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft
    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto
    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA
    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500
    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\6ad18a64f9c40a36e38b79aa7f592c9a_4753af40-18d9-4cbf-965d-fc294223cd81
    c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\Desktop.ini
    c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe
    c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe
    \Device\RasAcd
  Opened Files:
    \\.\PIPE\lsarpc
    c:\autoexec.bat
    C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\6ad18a64f9c40a36e38b79aa7f592c9a_4753af40-18d9-4cbf-965d-fc294223cd81
    \\.\PIPE\lsarpc
  Deleted Files:
    c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe
Chronological Order
  Create/Open File: c:\Update.exe (OPEN_ALWAYS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
  Open File: c:\autoexec.bat (OPEN_EXISTING)
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA
  Create File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500
  Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\6ad18a64f9c40a36e38b79aa7f592c9a_4753af40-18d9-4cbf-965d-fc294223cd81 (OPEN_EXISTING)
  Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\6ad18a64f9c40a36e38b79aa7f592c9a_*
  Create/Open File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Crypto\RSA\S-1-5-21-583907252-1708537768-842925246-500\6ad18a64f9c40a36e38b79aa7f592c9a_4753af40-18d9-4cbf-965d-fc294223cd81 (OPEN_ALWAYS)
  Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Set File Attributes: c:\System Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Set File Attributes: c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Create File: c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\Desktop.ini
  Set File Attributes: c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
  Delete File: c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe
  Copy File: c:\Update.exe to c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe
  Create/Open File: c:\System\S-9-2-31-1362473401-1511494837-8365036723-1493\autorun.exe (OPEN_ALWAYS)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)