usb.123back.com

sb.123back.com 89.46.101.186

* C&C Server: 89.46.101.186:7000
* Server Password:
* Username: bwkpfn
* Nickname: rykrcm
* Channel: #n8# (Password: trb123trb)
* Channeltopic: :

Registry Changes by all processes
Create or Open:
Changes:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2891BC5C0-4FCB-11cF-AAX5-81EX1F635612} “StubPath” = c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe
Reads:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
  HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
  HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
  HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”

File Changes by all processes
New Files:
  c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
  c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe
  c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe
  \Device\RasAcd
Opened Files:
  \\.\PIPE\lsarpc
Deleted Files:
  c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe
Chronological Order:
  Get File Attributes: C:\WINDOWS\system32\.HLP Flags: (SECURITY_ANONYMOUS)
  Get File Attributes: C:\WINDOWS\Help\.HLP Flags: (SECURITY_ANONYMOUS)
  Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
  Set File Attributes: c:\RECYCLER Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Set File Attributes: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
  Create File: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
  Set File Attributes: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
  Delete File: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe
  Copy File: c:\us9.exe to c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe
  Create/Open File: c:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\is32.exe (OPEN_ALWAYS)
  Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
