codienviet.com
codienviet.com 74.50.13.8
irc.abjects.net 74.3.165.66
Download URLs
http://74.50.13.8/bot/data.php (codienviet.com)
Outgoing connection to remote server: codienviet.com TCP port 80
C&C Server: 74.3.165.66:6667
Server Password:
Username: XYZ-AEMPILWXUC
Nickname: XYZ-AEMPILWXUC
Channel: #xyz (Password: 3939)
Channeltopic: :_CHAR(0x02)__CHAR(0x03)_0,8|_CHAR(0x03)_7,8|_CHAR(0x03)_8,7|_CHAR(0x03)_4,7|_CHAR(0x03)_7,4|_CHAR(0x03)_5,4|_CHAR(0x03)_4,5|_CHAR(0x03)_1,5|_CHAR(0x03)_5,1| _CHAR(0x03)_9,1Welcome to mylove channel #XYZ…. enjoy and fun….. keep your smile…._CHAR(0x03)_5,1 |_CHAR(0x03)_1,5|_CHAR(0x03)_4,5|_CHAR(0x03)_5,4|_CHAR(0x03)_7,4|_CHAR(0x03)_4,7|_CHAR(0x03)_8,7|_CHAR(0x0F)_
Registry Changes by all processes
Create or Open
Changes
HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel “Homepage” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = [REG_DWORD, value: 00000000]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableTaskMgr” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “DisableRegistryTools” = [REG_DWORD, value: 00000000]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main “Start Page” = http://autokiemthe.com
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “Windows Updates” = C:\WINDOWS\system32\svihost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main “Start Page” = http://autogamepro.com
Reads
HKEY_CURRENT_USER\Control Panel\Mouse “SwapMouseButtons”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared “CUAS”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Language Hotkey”
HKEY_CURRENT_USER\Keyboard Layout\Toggle “Layout Hotkey”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF “EnableAnchorContext”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM “Ime File”
HKEY_CURRENT_USER\Software\Microsoft\CTF “Disable Thread Input Manager”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “10”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders “SecurityProviders”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll “TokenSize”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Name”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Comment”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Capabilities”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “RpcId”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Version”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “Type”
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll “TokenSize”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “dunghoitaisao”
File Changes by all processes
New Files
C:\WINDOWS\system32\svihost.exe
\Device\Tcp
\Device\Ip
\Device\Ip
\Device\RasAcd
\Device\Tcp6
C:\WINDOWS\system32\check.txt
Opened Files
c:\svihost.exe
\\.\PIPE\lsarpc
C:\svihost.exe
c:\autoexec.bat
\\.\PIPE\ROUTER
\\.\Ip
C:\WINDOWS\system32\check.txt
Deleted Files
Chronological Order
Open File: c:\svihost.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\svihost.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\system32\update.exe Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\update.exe
Get File Attributes: c:\svihost.exe Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\system32\svihost.exe Flags: (SECURITY_ANONYMOUS)
Find File: c:\svihost.exe
Find File: C:\WINDOWS\system32\svihost.exe
Copy File: c:\svihost.exe to C:\WINDOWS\system32\svihost.exe
Get File Attributes: svihost.exe Flags: (SECURITY_ANONYMOUS)
Find File: svihost.exe
Set File Attributes: svihost.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_COMPRESSED FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM FILE_ATTRIBUTE_COMPRESSED SECURITY_ANONYMOUS)
Get File Attributes: C:\Documents and Settings\Administrator\Cookies\*.txt Flags: (SECURITY_ANONYMOUS)
Find File: C:\Documents and Settings\Administrator\Cookies\*.txt
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Create/Open File: \Device\Tcp6 (OPEN_ALWAYS)
Create File: C:\WINDOWS\system32\check.txt
Open File: C:\WINDOWS\system32\check.txt (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS\server.txt Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\server.txt
Get File Attributes: C:\WINDOWS\system32\server.txt Flags: (SECURITY_ANONYMOUS)
Find File: C:\WINDOWS\system32\server.txt
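Taken together, the registry and file sections above give a short host-triage checklist: the Run value "Windows Updates" pointing at C:\WINDOWS\system32\svihost.exe (and the read of a second Run value, "dunghoitaisao"), writes to the DisableTaskMgr and DisableRegistryTools policy values, the Internet Explorer Start Page set to autokiemthe.com and autogamepro.com, the copy of svihost.exe from the drive root into system32 followed by setting the HIDDEN and SYSTEM attributes on it, and the check.txt / server.txt marker files in system32. The following Python is an added example, not part of the report: it matches those indicators against event lines written in the report's own "key “value” = data" and "Operation: path" layout. The event format, the rule names and the sample events are my assumptions; the sample events are constructed from the report, not captured from a system.

```python
import re

# Host indicators taken from the sandbox report above. Everything else here
# (event-line format, rule names, sample events) is an assumption of this example.
KNOWN_BINARIES = {"svihost.exe"}
KNOWN_RUN_NAMES = {"windows updates", "dunghoitaisao"}
KNOWN_HOMEPAGES = {"autokiemthe.com", "autogamepro.com"}
KNOWN_MARKERS = {"check.txt", "server.txt"}
POLICY_VALUES = {"disabletaskmgr", "disableregistrytools"}

# Registry write lines: <key> “<value name>” = <data>   (straight or curly quotes)
REG_LINE = re.compile(r'^(HKEY_[^“"]+?)\s+[“"]([^”"]+)[”"]\s*=\s*(.*)$')
# File operation lines in the report's chronological-order style.
FILE_LINE = re.compile(r'^(Copy File|Set File Attributes|Create File|Open File|Find File):\s+(.*)$')


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_of(url):
    return re.sub(r"^https?://", "", url.strip().lower()).split("/")[0]


def triage(events):
    """Return unique (rule, detail) hits for a sequence of sandbox-style event lines."""
    hits = []
    copied = set()  # basenames of known binaries copied into system32, awaiting attribute change
    for line in events:
        line = line.strip()
        m = REG_LINE.match(line)
        if m:
            key, name, data = m.groups()
            key_l, name_l = key.lower(), name.lower()
            if key_l.endswith("\\currentversion\\run") and (
                    basename(data) in KNOWN_BINARIES or name_l in KNOWN_RUN_NAMES):
                hits.append(("run_key_persistence", f"{name} = {data}"))
            elif key_l.endswith("\\policies\\system") and name_l in POLICY_VALUES:
                # any write to these values by a dropped binary is worth flagging,
                # whatever DWORD it stores (the report shows 0)
                hits.append(("policy_tamper", name))
            elif key_l.endswith("\\internet explorer\\main") and name_l == "start page" \
                    and host_of(data) in KNOWN_HOMEPAGES:
                hits.append(("ie_startpage_hijack", host_of(data)))
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue  # reads, device opens and other noise are ignored
        op, rest = m.groups()
        if op == "Copy File":
            src, _, dst = rest.partition(" to ")
            if "\\system32\\" in dst.lower() and basename(src) in KNOWN_BINARIES:
                copied.add(basename(dst))
                hits.append(("copy_to_system32", dst))
        elif op == "Set File Attributes":
            target, _, flags = rest.partition(" Flags: ")
            flagset = set(flags.strip("()").split())
            if basename(target) in copied and {"FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_SYSTEM"} <= flagset:
                hits.append(("hide_dropped_binary", basename(target)))
        else:  # Create File / Open File / Find File
            path = rest.split(" (")[0]
            if basename(path) in KNOWN_MARKERS and "\\system32\\" in path.lower():
                hits.append(("marker_file", path))
    return list(dict.fromkeys(hits))  # dedupe, keep first-seen order


# Constructed sample events (assumption), written in the report's layout.
SAMPLE_EVENTS = [
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = [REG_DWORD, value: 00000000]',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main "Start Page" = http://autokiemthe.com',
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Updates" = C:\WINDOWS\system32\svihost.exe',
    r'HKEY_CURRENT_USER\Control Panel\Mouse "SwapMouseButtons"',  # a read, not a write: ignored
    r'Copy File: c:\svihost.exe to C:\WINDOWS\system32\svihost.exe',
    r'Set File Attributes: svihost.exe Flags: (FILE_ATTRIBUTE_ARCHIVE FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)',
    r'Create File: C:\WINDOWS\system32\check.txt',
    r'Open File: C:\WINDOWS\system32\check.txt (OPEN_EXISTING)',
    r'Open File: C:\WINDOWS\system32\calc.exe (OPEN_EXISTING)',  # benign noise
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:22} {detail}")
```

The copy-then-hide rule is stateful on purpose: a HIDDEN+SYSTEM attribute change alone is common, but on a file that the same trace just copied into system32 under a svchost-lookalike name it is the dropper behaviour the report records.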