doko.no-ip.org 72.20.1.26
Opened listening TCP connection on port: 13156
* C&C Server: 72.20.1.26:6667
* Server Password:
* Username: ilkxj
* Nickname: [nLh-VNC]wkceru
* Channel: ##!seuz!## (Password: hackmx)
* Channeltopic: :+scan 60 1 189.x.x.x 3 1 200.x.x.x
Outgoing connection to remote server: 200.133.0.250 TCP port 5900
Outgoing connection to remote server: 200.216.191.20 TCP port 5900
Outgoing connection to remote server: 200.179.4.166 TCP port 5900
Outgoing connection to remote server: 200.133.188.100 TCP port 5900
Outgoing connection to remote server: 200.202.44.43 TCP port 5900
Outgoing connection to remote server: 200.86.195.20 TCP port 5900
Outgoing connection to remote server: 200.125.27.7 TCP port 5900
Outgoing connection to remote server: 200.183.74.168 TCP port 5900
Outgoing connection to remote server: 200.46.33.175 TCP port 5900
Outgoing connection to remote server: 200.126.67.185 TCP port 5900
Outgoing connection to remote server: 200.67.72.88 TCP port 5900
Outgoing connection to remote server: 200.208.61.116 TCP port 5900
Outgoing connection to remote server: 200.72.45.216 TCP port 5900
Outgoing connection to remote server: 200.132.245.210 TCP port 5900
Outgoing connection to remote server: 200.165.211.139 TCP port 5900
Outgoing connection to remote server: 200.170.92.6 TCP port 5900
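The IRC summary above carries the bot's tasking in the channel topic (two wildcard ranges, 189.x.x.x and 200.x.x.x), and the connection list shows what followed: 16 distinct hosts, all inside 200.x.x.x, each contacted once on TCP 5900 (the VNC port). The following Python is an added example, not part of the sandbox report or of the bot, that parses these report lines, extracts the C&C endpoint and the topic's wildcard targets, and flags a port sweep when one destination port is hit on many distinct hosts. The report-line regexes and the threshold of 8 distinct hosts per port are assumptions for this report format; the embedded input is copied from the lines above.

```python
import re
from collections import defaultdict

# Lines copied from the sandbox report above (C&C summary plus the outgoing
# connection list); the only input this example needs.
NET_REPORT = """\
* C&C Server: 72.20.1.26:6667
* Channel: ##!seuz!## (Password: hackmx)
* Channeltopic: :+scan 60 1 189.x.x.x 3 1 200.x.x.x
Outgoing connection to remote server: 200.133.0.250 TCP port 5900
Outgoing connection to remote server: 200.216.191.20 TCP port 5900
Outgoing connection to remote server: 200.179.4.166 TCP port 5900
Outgoing connection to remote server: 200.133.188.100 TCP port 5900
Outgoing connection to remote server: 200.202.44.43 TCP port 5900
Outgoing connection to remote server: 200.86.195.20 TCP port 5900
Outgoing connection to remote server: 200.125.27.7 TCP port 5900
Outgoing connection to remote server: 200.183.74.168 TCP port 5900
Outgoing connection to remote server: 200.46.33.175 TCP port 5900
Outgoing connection to remote server: 200.126.67.185 TCP port 5900
Outgoing connection to remote server: 200.67.72.88 TCP port 5900
Outgoing connection to remote server: 200.208.61.116 TCP port 5900
Outgoing connection to remote server: 200.72.45.216 TCP port 5900
Outgoing connection to remote server: 200.132.245.210 TCP port 5900
Outgoing connection to remote server: 200.165.211.139 TCP port 5900
Outgoing connection to remote server: 200.170.92.6 TCP port 5900
"""

# Assumed line formats for this report style.
CNC_RE = re.compile(r"^\* C&C Server: (\d+\.\d+\.\d+\.\d+):(\d+)")
TOPIC_RE = re.compile(r"^\* Channeltopic: :(.*)$")
CONN_RE = re.compile(r"^Outgoing connection to remote server: (\d+\.\d+\.\d+\.\d+) TCP port (\d+)")
# Targets in the topic are dotted quads with "x" wildcards, e.g. 200.x.x.x
TARGET_RE = re.compile(r"\b(\d{1,3}(?:\.(?:\d{1,3}|x)){3})\b")


def parse_net_report(text):
    """Return (cnc (ip, port) or None, raw topic or None, [(dst_ip, dst_port), ...])."""
    cnc, topic, conns = None, None, []
    for line in text.splitlines():
        if m := CNC_RE.match(line):
            cnc = (m.group(1), int(m.group(2)))
        elif m := TOPIC_RE.match(line):
            topic = m.group(1)
        elif m := CONN_RE.match(line):
            conns.append((m.group(1), int(m.group(2))))
    return cnc, topic, conns


def topic_prefixes(topic):
    """Fixed leading octets of every wildcard target in the topic: '200.x.x.x' -> '200'."""
    prefixes = []
    for target in TARGET_RE.findall(topic or ""):
        fixed = []
        for octet in target.split("."):
            if octet == "x":
                break
            fixed.append(octet)
        prefixes.append(".".join(fixed))
    return prefixes


def in_prefix(ip, prefix):
    """True when ip lies inside the dotted prefix (octet-aligned, so '20' does not cover 200.x)."""
    return ip == prefix or ip.startswith(prefix + ".")


def find_sweeps(conns, min_hosts=8):
    """Ports contacted on at least min_hosts distinct destinations (threshold is an assumption)."""
    by_port = defaultdict(set)
    for ip, port in conns:
        by_port[port].add(ip)
    return {port: sorted(hosts) for port, hosts in by_port.items() if len(hosts) >= min_hosts}


def analyze(text):
    cnc, topic, conns = parse_net_report(text)
    prefixes = topic_prefixes(topic)
    sweeps = find_sweeps(conns)
    findings = []
    if cnc:
        findings.append(f"irc_cnc {cnc[0]}:{cnc[1]}")
    for port, hosts in sorted(sweeps.items()):
        # How many swept hosts fall inside a range the channel topic asked for.
        tasked = sum(1 for h in hosts if any(in_prefix(h, p) for p in prefixes))
        findings.append(f"port_sweep tcp/{port} hosts={len(hosts)} in_topic_range={tasked}")
    return {"cnc": cnc, "prefixes": prefixes, "sweeps": sweeps, "findings": findings}


if __name__ == "__main__":
    for finding in analyze(NET_REPORT)["findings"]:
        print(finding)
```

On this report the sweep on tcp/5900 covers 16 hosts and every one of them sits in the 200.x.x.x range named in the topic, which ties the outbound scanning directly to the IRC tasking rather than to unrelated traffic.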
Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update" = C:\Programme\Gemeinsame Dateien\System\uptime.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Programme\Gemeinsame Dateien\System\uptime.exe" = C:\Programme\Gemeinsame Dateien\System\uptime.exe:*:Enabled:Windows Update
Reads HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
File Changes by all processes
New Files C:\Programme\Gemeinsame Dateien\System\uptime.exe
C:\Programme\Gemeinsame Dateien\System\uptime.exe
\Device\RasAcd
Opened Files c:\AVGFullAnti.exe
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Programme\Gemeinsame Dateien\System
C:\Programme\Gemeinsame Dateien\System\uptime.exe
\\.\PIPE\lsarpc
Deleted Files
Chronological Order Set File Attributes: C:\Programme\Gemeinsame Dateien\System Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: c:\AVGFullAnti.exe (OPEN_EXISTING)
Create File: C:\Programme\Gemeinsame Dateien\System\uptime.exe
Set File Attributes: C:\Programme\Gemeinsame Dateien\System\uptime.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Programme\Gemeinsame Dateien\System ()
Find File: C:\Programme\Gemeinsame Dateien\System\uptime.exe
Set File Attributes: C:\Programme\Gemeinsame Dateien\System Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\Programme\Gemeinsame Dateien\System\uptime.exe (OPEN_EXISTING)
Create File: C:\Programme\Gemeinsame Dateien\System\uptime.exe
Set File Attributes: C:\Programme\Gemeinsame Dateien\System\uptime.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
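The registry and file sections above describe the persistence: the sample copies itself to uptime.exe under the Common Files directory, registers that path under the Run key as "Windows Update", adds the same path to the Windows Firewall AuthorizedApplications list under the same display name, and marks the file hidden, system and read-only. The Python below is an added example, not part of the report or of the bot, that pulls those artefacts out of the report text and scores how many of them point at the same executable. The report-line regexes and the scoring are assumptions; the embedded input is copied from the lines above (with the path backslashes restored).

```python
import re

# Registry and file-attribute lines copied from the report above, with the
# backslashes that the extraction dropped restored.
HOST_REPORT = r"""
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Windows Update" = C:\Programme\Gemeinsame Dateien\System\uptime.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List "C:\Programme\Gemeinsame Dateien\System\uptime.exe" = C:\Programme\Gemeinsame Dateien\System\uptime.exe:*:Enabled:Windows Update
Reads HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
Create File: C:\Programme\Gemeinsame Dateien\System\uptime.exe
Set File Attributes: C:\Programme\Gemeinsame Dateien\System\uptime.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
"""

# Assumed line formats: a registry write is '[Changes ]<key> "<value name>" = <data>';
# plain reads ('Reads <key> ...') are deliberately not matched.
REG_WRITE_RE = re.compile(r'^(?:Changes\s+)?(HKEY_[^\s"]+)\s+"([^"]+)"\s+=\s+(.+)$')
ATTR_RE = re.compile(r"^Set File Attributes: (.+?) Flags: \((.*)\)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
FW_LIST_RE = re.compile(r"\\FirewallPolicy\\\w+Profile\\AuthorizedApplications\\List$", re.IGNORECASE)


def parse_host_report(text):
    run_entries = {}   # Run value name -> executable
    fw_entries = {}    # executable -> (scope, state, display name)
    attrs = {}         # path -> set of attribute flags
    for line in text.splitlines():
        if m := REG_WRITE_RE.match(line):
            key, name, data = m.groups()
            if RUN_KEY_RE.search(key):
                run_entries[name] = data
            elif FW_LIST_RE.search(key):
                # AuthorizedApplications data is <path>:<scope>:<Enabled|Disabled>:<display name>.
                # The path itself contains "C:", so split from the right.
                path, scope, state, display = data.rsplit(":", 3)
                fw_entries[path] = (scope, state, display)
        elif m := ATTR_RE.match(line):
            attrs[m.group(1)] = set(m.group(2).split())
    return run_entries, fw_entries, attrs


def score_persistence(run_entries, fw_entries, attrs):
    """One finding per Run entry; the score counts corroborating artefacts on the same binary."""
    findings = []
    for name, exe in run_entries.items():
        reasons = [f'Run value "{name}" -> {exe}']
        fw = fw_entries.get(exe)
        if fw and fw[1] == "Enabled":
            reasons.append(f'firewall exception scope={fw[0]} named "{fw[2]}"')
        if {"FILE_ATTRIBUTE_HIDDEN", "FILE_ATTRIBUTE_SYSTEM"} <= attrs.get(exe, set()):
            reasons.append("binary marked hidden+system")
        findings.append({"path": exe, "score": len(reasons), "reasons": reasons})
    return findings


def analyze_host(text):
    return score_persistence(*parse_host_report(text))


if __name__ == "__main__":
    for finding in analyze_host(HOST_REPORT):
        print(finding["score"], finding["path"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Here the single Run entry scores 3 of 3: the same executable is autostarted, whitelisted through the firewall with scope `*` (any remote address), and hidden from a default Explorer listing. The display name "Windows Update" in both the Run value and the firewall entry is what an operator would see in the Windows Firewall exceptions list, which is why the example correlates on the file path rather than on the name.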