Secret2.Virus.Gov [Crew]

Remote Host          Port Number
relax.helldark.biz   3211

00000000 | 5041 5353 2056 6972 7573 0D0A 4E49 434B | PASS Virus..NICK
00000010 | 2056 6972 5573 2D63 6776 656F 6A61 730D | VirUs-cgveojas.
00000020 | 0A55 5345 5220 5669 7255 7320 2222 2022 | .USER VirUs "" "
00000030 | 6A63 7222 203A 2003 322C 3102 0334 4961 | jcr" : .2,1..4Ia
00000040 | 4D20 0337 4D41 4420 0337 534F 2046 5543 | M .7MAD .7SO FUC
00000050 | 4B20 4F46 462E 0D0A | K OFF...

Registry Modifications

* The following Registry Key was created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{63MAD6M8-1MAD-81AD-JIM6-32OP5G1234521}

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{63MAD6M8-1MAD-81AD-JIM6-32OP5G1234521}]
+ StubPath = "c:jimcarryjIm.exe"

so that jIm.exe runs every time Windows starts

Memory Modifications

* There were new processes created in the system:

Process Name        Process Filename            Main Module Size
l1a4x1z7e7t9.exe    %Temp%\l1a4x1z7e7t9.exe     61 440 bytes
eqxste.exe          %Temp%\eqxste.exe           24 576 bytes

Resolved : [relax.helldark.biz] To [64.120.20.133]
Resolved : [relax.helldark.biz] To [64.120.20.130]
Resolved : [relax.helldark.biz] To [64.120.20.131]
Resolved : [relax.helldark.biz] To [64.120.20.132]
Resolved : [relax.helldark.biz] To [64.120.20.134]
