minerva.cdmon.org

minerva.cdmon.org 184.106.215.31

C&C Server: 184.106.215.31:6667
Server Password:
Username: DELL-D3E62F7E26
Nickname: {XPDEU503896}
Channel: ##key## (Password: moneylover)
Channeltopic: :

Registry Changes by all processes
Create or Open
Changes HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “Windows Update” = C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun “Windows Services” = service.exe
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun “Windows Update” = C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
Reads HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{420B2830-E718-11CF-893D-00A0C9054228}1.0 “win32”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTFSystemShared “CUAS”
HKEY_CURRENT_USERKeyboard LayoutToggle “Language Hotkey”
HKEY_CURRENT_USERKeyboard LayoutToggle “Layout Hotkey”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftCTF “EnableAnchorContext”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionIMM “Ime File”
HKEY_CURRENT_USERSoftwareMicrosoftCTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINESOFTWAREClassesTypeLib{420B2830-E718-11CF-893D-00A0C9054228}1.0 “win32”
HKEY_LOCAL_MACHINESYSTEMWPAMediaCenter “Installed”
HKEY_LOCAL_MACHINESOFTWAREMicrosoftRpcSecurityService “DefaultAuthLevel”

File Changes by all processes
New Files c:minerva.exe
DeviceTcp
DeviceIp
DeviceIp
C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
DeviceTcp
DeviceIp
DeviceIp
DeviceRasAcd
Opened Files C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSsystem32scrrun.dll
.Ip
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:DOKUME~1ADMINI~1LOKALE~1Temp
C:WINDOWSRegistrationR000000000007.clb
C:WINDOWSsystem32scrrun.dll
C:WINDOWSAppPatchsysmain.sdb
C:WINDOWSAppPatchsystest.sdb
DeviceNamedPipeShimViewer
C:DOKUME~1ADMINI~1LOKALE~1Temp
.Ip
Deleted Files
Chronological Order Create/Open File: c:minerva.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:WINDOWSsystem32scrrun.dll (OPEN_EXISTING)
Get File Attributes: c:minerva.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:minerva.exe
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe Flags: (SECURITY_ANONYMOUS)
Copy File: c:minerva.exe to C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
Set File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp ()
Find File: C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
Create/Open File: C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe (OPEN_ALWAYS)
Get File Attributes: C:WINDOWSRegistration Flags: (SECURITY_ANONYMOUS)
Open File: C:WINDOWSRegistrationR000000000007.clb (OPEN_EXISTING)
Open File: C:WINDOWSsystem32scrrun.dll (OPEN_EXISTING)
Get File Attributes: C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:DOKUME~1ADMINI~1LOKALE~1Tempservice.exe
Open File: C:WINDOWSAppPatchsysmain.sdb (OPEN_EXISTING)
Open File: C:WINDOWSAppPatchsystest.sdb (OPEN_EXISTING)
Open File: DeviceNamedPipeShimViewer (OPEN_EXISTING)
Open File: C:DOKUME~1ADMINI~1LOKALE~1Temp ()
Get File Attributes: C:WINDOWSsystem32.HLP Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:WINDOWSHelp.HLP Flags: (SECURITY_ANONYMOUS)
Create/Open File: DeviceTcp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Create/Open File: DeviceIp (OPEN_ALWAYS)
Open File: .Ip (OPEN_EXISTING)
Create/Open File: DeviceRasAcd (OPEN_ALWAYS)

Categories: Uncategorized
Previous post
Next post