medogrgr.no-ip.biz (Bifrose hacker from Riyadh, Saudi Arabia)

DNS Lookup
Host Name IP Address
medogrgr.no-ip.biz 188.49.5.146

Outgoing connection to remote server: medogrgr.no-ip.biz TCP port 81

Registry Changes by all processes
Create or Open
Changes HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9D71D88C-C598-4935-C5D1-43AA4DB90836} "stubpath" = [REG_EXPAND_SZ, value: C:\WINDOWS\Bifrost\server.exe s]
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost "nck" = [REG_BINARY, size: 16 bytes]
HKEY_CURRENT_USER\Software\Bifrost "klg" = [REG_BINARY, size: 1 bytes]
Reads HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Advanced INF Setup "AdvpackLogFile"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server "TSAppCompat"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server "TSUserEnabled"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "LeakTrack"
HKEY_LOCAL_MACHINE\SOFTWARE\Bifrost "nck"
HKEY_CURRENT_USER\Software\Bifrost "plg1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "EnableAutodial"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
Enums HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MediaResources\msvideo

File Changes by all processes
New Files C:\WINDOWS\Bifrost\server.exe
\Device\RasAcd
Opened Files c:\room.exe
c:\room.exe
C:\WINDOWS\system32\kernel32.dll
C:\WINDOWS\system32\ntdll.dll
\\.\PIPE\lsarpc
C:\WINDOWS\system32\Advapi32.dll
C:\WINDOWS\system32\avicap32.dll
Deleted Files C:\WINDOWS\Bifrost\server.exe
Chronological Order Get File Attributes: c:\room.exe Flags: (SECURITY_ANONYMOUS)
Open File: c:\room.exe (OPEN_EXISTING)
Get File Attributes: C:\WINDOWS Flags: (SECURITY_ANONYMOUS)
Open File: c:\room.exe (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\ntdll.dll (OPEN_EXISTING)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Open File: C:\WINDOWS\system32\Advapi32.dll (OPEN_EXISTING)
Set File Attributes: C:\WINDOWS\Bifrost\server.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\Bifrost\server.exe
Copy File: c:\room.exe to C:\WINDOWS\Bifrost\server.exe
Set File Attributes: C:\WINDOWS\Bifrost\server.exe Flags: (FILE_ATTRIBUTE_HIDDEN SECURITY_ANONYMOUS)
Set File Attributes: Flags: (FILE_ATTRIBUTE_HIDDEN SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\Bifrost\logg.dat Flags: (FILE_ATTRIBUTE_HIDDEN SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\Bifrost Flags: (FILE_ATTRIBUTE_HIDDEN SECURITY_ANONYMOUS)
Get File Attributes: C:\WINDOWS\explorer.exe Flags: (SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\avicap32.dll (OPEN_EXISTING)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

More about the camel fucker here:
http://whois.domaintools.com/188.49.5.146
