k2r.th3kings.net

k2r.th3kings.net 208.96.62.2

* C&C Server: 208.96.62.2:27034
* Server Password:
* Username: XP-2677
* Nickname: [00|DEU|401746]
* Channel: #!!kk!!# (Password: aaaaaaa)
* Channeltopic: :.msn.msg Is this your Pictur? http://larvax.com/fotos.exe?=

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "wextract_cleanup0" = rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Java Update" = buthass.exe.exe
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager "PendingFileRenameOperations"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "wextract_cleanup0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup "AdvpackLogFile"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"

File Changes by all processes
New Files C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\TMP4351$.TMP
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
\Device\Tcp
\Device\Ip
\Device\Ip
C:\WINDOWS\buthass.exe.exe
C:\WINDOWS\buthass.exe.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
Opened Files \\.\PIPE\lsarpc
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS
\\.\Ip
Deleted Files C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Chronological Order Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\TMP4351$.TMP
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe Flags: (SECURITY_ANONYMOUS)
Create File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Set File Time: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe Flags: (FILE_ATTRIBUTE_ARCHIVE SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Set File Attributes: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\*
Create/Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe (OPEN_ALWAYS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP ()
Find File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\buthass.exe.exe Flags: (SECURITY_ANONYMOUS)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\IXP000.TMP\fotos.exe to C:\WINDOWS\buthass.exe.exe
Set File Attributes: C:\WINDOWS\buthass.exe.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS ()
Find File: C:\WINDOWS\buthass.exe.exe
Create/Open File: C:\WINDOWS\buthass.exe.exe (OPEN_ALWAYS)
Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
