testusa.helohmar.com (malware hosted with United States Woodstock Fdcservers.net)

DNS Lookup
Host Name              IP Address
testusa.helohmar.com   76.73.36.42
api.ipinfodb.com       67.212.74.82
www.craigslist.org     208.82.236.208
geo.craigslist.org     208.82.236.208
Download URLs
http://67.212.74.82/v2/ip_query.php?key=4f7c7d0d524a3e9445217575619159f874a734aa16e97b87fc505f49de8e31a1&output=xml (api.ipinfodb.com)
http://208.82.236.208/ (www.craigslist.org)
http://208.82.236.208/ (www.craigslist.org)

Outgoing connection to remote server: testusa.helohmar.com port 8800
Outgoing connection to remote server: testusa.helohmar.com port 8800
Outgoing connection to remote server: testusa.helohmar.com TCP port 8800
Outgoing connection to remote server: api.ipinfodb.com TCP port 80
Outgoing connection to remote server: www.craigslist.org TCP port 80
Outgoing connection to remote server: www.craigslist.org TCP port 80

Registry Changes by all processes
Create or Open
Changes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “Taskman” = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = explorer.exe,C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Tji771” = C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Reads
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService “DefaultAuthLevel”

File Changes by all processes
New Files
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\Desktop.ini
\Device\RasAcd
Opened Files
Deleted Files
C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Chronological Order
Set File Attributes: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Set File Attributes: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455 Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Copy File: c:\uk.exe to C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe
Create File: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\Desktop.ini
Set File Attributes: C:\RECYCLER\S-1-5-21-0243556031-888888379-781863308-1455\fddg.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)

Information about the hosters:
http://whois.domaintools.com/76.73.36.42 United States Woodstock Fdcservers.net
http://whois.domaintools.com/208.82.236.208 United States San Francisco Craigslist Inc
http://whois.domaintools.com/67.212.74.82 Canada Laval Netelligent Hosting Services Inc