95.211.84.164

Remote Host Port Number
95.211.84.164 6567 PASS pr1v4d0onl1n3r

MODE [SI|USA|00|P|44222] -ix
JOIN #update1# c1rc0s0leil
PONG Coupe.Network
NICK [SI|USA|00|P|44222]
USER XP-2179 * 0 :COMPUTERNAME

* The following port was open in the system:

Port Protocol Process
1055 TCP Sontiwin.exe (%Windir%Sontiwin.exe)

Registry Modifications

* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ Ci Servs = “Sontiwin.exe”

so that Sontiwin.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionTerminal ServerInstallSoftwareMicrosoftWindowsCurrentVersionRun]
+ Ci Servs = “Sontiwin.exe”

so that Sontiwin.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name Process Filename Main Module Size
Sontiwin.exe %Windir%sontiwin.exe 352 256 bytes

File System Modifications

* The following files were created in the system:

# Filename(s) File Size File Hash Alias
1 %Windir%Sontiwin.exe
[file and pathname of the sample #1] 243 215 bytes MD5: 0x71ADEFFDD0481F952DD3771D0365F738
SHA-1: 0x4E296F2AE1A1C6F46637C430537D87042C18DE63 packed with PE_Patch [Kaspersky Lab]
2 %System%EQUIS66.dll 983 552 bytes MD5: 0x888190E31455FAD793312F8D087146EB
SHA-1: 0x775191D293016D9541DDD6AEF5AC94AB3776849A (not available)