img1.alyoy.in(malware hosted with United States Missoula Sharktech Internet Services)

DNS Lookup
Host Name       IP Address
img1.alyoy.in   70.39.100.4
70.39.100.4     70.39.100.4
0               127.0.0.1
UDP Connections
Remote IP Address: 127.0.0.1 Port: 1037
Send Datagram: 113 packet(s) of size 1
Recv Datagram: 113 packet(s) of size 1
Download URLs
http://70.39.100.4/img/img.txt (img1.alyoy.in)
http://70.39.100.4/img/YdtaOeu0lfMm1.exe (img1.alyoy.in)

Outgoing connection to remote server: img1.alyoy.in TCP port 61688
Outgoing connection to remote server: img1.alyoy.in TCP port 16767

Registry Changes by all processes
Create or Open
Changes
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "BFV3smx4pnp" = rundll32.exe "C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll", Launch
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "CEV3sos" = C:\WINDOWS\system32\CEV3zxc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1 "" = IEHlprObj Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID "" = {94AC7942-7BE1-4FB9-A7CA-67CD88362758}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj "" = IEHlprObj Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer "" = IEHlprObj.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758} "" = IEHlprObj Class
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\ProgID "" = IEHlprObj.IEHlprObj.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\VersionIndependentProgID "" = IEHlprObj.IEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\InprocServer32 "" = C:\WINDOWS\system32\CEV3szxc20.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{94AC7942-7BE1-4FB9-A7CA-67CD88362758}\InprocServer32 "ThreadingModel" = Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0 "" = IEHelper 1.0 Type Library
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\FLAGS "" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\win32 "" = C:\WINDOWS\system32\CEV3szxc20.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\HELPDIR "" = C:\WINDOWS\system32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758} "" = IIEHlprObj
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid "" = {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid32 "" = {00020424-0000-0000-C000-000000000046}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib "" = {94AC7948-7BE1-4FB9-A7CA-67CD88362758}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib "Version" = 1.0
Reads
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language "InstallLanguage"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language "InstallLanguage"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IMM "Ime File"
HKEY_CURRENT_USER\Software\Microsoft\CTF "Disable Thread Input Manager"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "10"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders "SecurityProviders"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msapsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\digest.dll "TokenSize"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Name"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Comment"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Capabilities"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "RpcId"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "Type"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\SspiCache\msnsspc.dll "TokenSize"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\SecurityService "DefaultAuthLevel"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language "InstallLanguage"
HKEY_LOCAL_MACHINE\SYSTEM\WPA\MediaCenter "Installed"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF\SystemShared "CUAS"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Language Hotkey"
HKEY_CURRENT_USER\Keyboard Layout\Toggle "Layout Hotkey"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CTF "EnableAnchorContext"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.dll ""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language "InstallLanguage"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\FLAGS ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\win32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{94AC7948-7BE1-4FB9-A7CA-67CD88362758}\1.0\HELPDIR ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758} ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\ProxyStubClsid32 ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib ""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{94AC7941-7BE1-4FB9-A7CA-67CD88362758}\TypeLib "Version"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\Language "InstallLanguage"

File Changes by all processes
New Files
bqjl231j#O0!@#!@FU18CarararK
C:\Dokumente und Einstellungen\Administrator\Microsoft\smax9e05.tmp

C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll
\Device\RasAcd
\Device\Tcp
\Device\Ip
\Device\Ip
b123a123123
b12D312RM#@!#@!#!!!@#!@3123asddassdAasdaa######sFdasdsda123123
dasdas#@!#!@#!(H*&(Cd*dnghghnghn&sdhghnghn&sdfjhk87687
C:\WINDOWS\system32\CEV3zxc.exe
C:\WINDOWS\system32\CEV3szxc20.dll
C:\WINDOWS\system32\CEV3szxc10.dll
dasdas#@!#!@#!@566565656565767687687
Opened Files
C:\WINDOWS\system32\kernel32.dll
C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
\\.\PIPE\lsarpc
c:\autoexec.bat
\\.\PIPE\ROUTER
\\.\Ip
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\OTWL3NW1
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CEV3szxc20.dll
C:\WINDOWS\AppPatch\sysmain.sdb
C:\WINDOWS\AppPatch\systest.sdb
\Device\NamedPipe\ShimViewer
C:\WINDOWS\system32
C:\WINDOWS\system32\CEV3szxc20.dll
C:\WINDOWS\explorer.exe
Deleted Files
#@!123312#@!32131&((*)(*3122asdsdaa_)+_)_+)_+sdasdd23#@23123!Te12323211231233..#@!123123#@!
#@123123231!#!32dsaddasdasd..#@!#31_)+_)+_)+_)+#@!#232132312132312..#@!#32123123123123!@
$#121231j#O0!@#!@FU18CarararK#816asatllYFK
C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll
$#1123120y@1BNgMMB0yMBKJNjMR-0vnAK47MMM=e{}K&RC&&&^^^%%%%%R%8dz6868%%%3231#!@13212323#!@
$#112MBKJNjMR-0vnAK47MMM=e{}K&RC&&&^^^%%%%%R%8dz6868%%%@!~@13#@!!#2323231#!F@13212323#!@
fasfasfasf#!@#!@#!@fashqFHa(H*&(Cd*dnghghnghn&sd(Cd*dnghghnghn&atata$$$tfjklsdfjbffbbfklsdfsdf)()(&(*$%#!!@#
C:\WINDOWS\system32\CEV3zxc.exe
C:\WINDOWS\system32\CEV3szxc20.dll
C:\WINDOWS\system32\CEV3szxc10.dll
fasfasfasf#!@#!@#!@fashqSCd###CCCCCCCDWPLygYRJD1TLTIAOSLAPF1fx$tfjklsdfjbffbbfklsdfsdf)()(&(*$%#!!@#
C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\OTWL3NW1\YDTAOE~1.EXE
Chronological Order
Delete File: #@!123312#@!32131&((*)(*3122asdsdaa_)+_)_+)_+sdasdd23#@23123!Te12323211231233..#@!123123#@!
Delete File: #@123123231!#!32dsaddasdasd..#@!#31_)+_)+_)+_)+#@!#232132312132312..#@!#32123123123123!@
Copy File: qjl231j#O0!@#!@FU18CarararKa to bqjl231j#O0!@#!@FU18CarararK
Delete File: $#121231j#O0!@#!@FU18CarararK#816asatllYFK
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll Flags: (SECURITY_ANONYMOUS)
Delete File: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll
Move File: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll to C:\Dokumente und Einstellungen\Administrator\Microsoft\smax9e05.tmp
Move File: C:\Dokumente und Einstellungen\Administrator\Microsoft\smax9e05.tmp to
Get File Attributes: C:\Dokumente und Einstellungen Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Microsoft Flags: (SECURITY_ANONYMOUS)
Create File: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll
Open File: C:\WINDOWS\system32\kernel32.dll (OPEN_EXISTING)
Open File: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll (OPEN_EXISTING)
Set File Time: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\rundll32.exe
Find File: C:\WINDOWS\system32\calc.exe
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll Flags: (SECURITY_ANONYMOUS)
Get File Attributes: C:\Dokumente und Einstellungen\Administrator\Microsoft\BFV3smx4pnp.dll.manifest Flags: (SECURITY_ANONYMOUS)
Create/Open File: \Device\RasAcd (OPEN_ALWAYS)
Open File: \\.\PIPE\lsarpc (OPEN_EXISTING)
Get File Attributes: c:\autoexec.bat Flags: (SECURITY_ANONYMOUS)
Open File: c:\autoexec.bat (OPEN_EXISTING)
Find File: C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Find File: C:\WINDOWS\system32\Ras\*.pbk
Find File: C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Microsoft\Network\Connections\Pbk\*.pbk
Open File: \\.\PIPE\ROUTER (OPEN_EXISTING)
Create/Open File: \Device\Tcp (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Create/Open File: \Device\Ip (OPEN_ALWAYS)
Open File: \\.\Ip (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\OTWL3NW1 ()
Find File: C:\Dokumente und Einstellungen\Administrator\Lokale Einstellungen\Temporary Internet Files\Content.IE5\OTWL3NW1\YdtaOeu0lfMm1[1].exe
Copy File: a10y@1BNgMMBNNMcMBKJNjMR-0vnAK47MMM=e{}K&RC&&&^^^%%%%%R%8dz6868%%%#!fgfg@ to b123a123123
Delete File: $#1123120y@1BNgMMB0yMBKJNjMR-0vnAK47MMM=e{}K&RC&&&^^^%%%%%R%8dz6868%%%3231#!@13212323#!@
Delete File: $#112MBKJNjMR-0vnAK47MMM=e{}K&RC&&&^^^%%%%%R%8dz6868%%%@!~@13#@!!#2323231#!F@13212323#!@
Copy File: a1MBKJNjMR-0vnAK47MMM=e{}K&RC&&&^^^%%%%%R%8dz6868%%%#!@ to b12D312RM#@!#@!#!!!@#!@3123asddassdAasdaa######sFdasdsda123123
Copy File: #@!#(#hbfnr7BgagSYaefkLj to dasdas#@!#!@#!(H*&(Cd*dnghghnghn&sdhghnghn&sdfjhk87687
Delete File: fasfasfasf#!@#!@#!@fashqFHa(H*&(Cd*dnghghnghn&sd(Cd*dnghghnghn&atata$$$tfjklsdfjbffbbfklsdfsdf)()(&(*$%#!!@#
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Delete File: C:\WINDOWS\system32\CEV3zxc.exe
Set File Attributes: C:\WINDOWS\system32\CEV3zxc.exe Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Copy File: C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\OTWL3NW1\YDTAOE~1.EXE to C:\WINDOWS\system32\CEV3zxc.exe
Set File Attributes: C:\WINDOWS\system32\CEV3zxc.exe Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Set File Attributes: C:\WINDOWS\system32\CEV3szxc20.dll Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\CEV3szxc20.dll
Create File: C:\WINDOWS\system32\CEV3szxc20.dll
Open File: C:\WINDOWS\system32\CEV3szxc20.dll (OPEN_EXISTING)
Set File Time: C:\WINDOWS\system32\CEV3szxc20.dll
Open File: C:\WINDOWS\AppPatch\sysmain.sdb (OPEN_EXISTING)
Open File: C:\WINDOWS\AppPatch\systest.sdb (OPEN_EXISTING)
Open File: \Device\NamedPipe\ShimViewer (OPEN_EXISTING)
Open File: C:\WINDOWS\system32 ()
Find File: C:\WINDOWS\system32\regsvr32.exe
Set File Attributes: C:\WINDOWS\system32\CEV3szxc10.dll Flags: (FILE_ATTRIBUTE_NORMAL SECURITY_ANONYMOUS)
Delete File: C:\WINDOWS\system32\CEV3szxc10.dll
Create File: C:\WINDOWS\system32\CEV3szxc10.dll
Set File Attributes: C:\WINDOWS\system32\CEV3szxc10.dll Flags: (FILE_ATTRIBUTE_HIDDEN FILE_ATTRIBUTE_READONLY FILE_ATTRIBUTE_SYSTEM SECURITY_ANONYMOUS)
Open File: C:\WINDOWS\system32\CEV3szxc20.dll (OPEN_EXISTING)
Copy File: #@!#(#!@(#k!(@&(*&(*q&###CCCCCCCDWPLGgxaeygYRJD1TcMXTSPLTIAOSLAfxCd*dnghghnghnghnghnfsjhkfjhksdfjhksdfjhk to dasdas#@!#!@#!@566565656565767687687
Delete File: fasfasfasf#!@#!@#!@fashqSCd###CCCCCCCDWPLygYRJD1TLTIAOSLAPF1fx$tfjklsdfjbffbbfklsdfsdf)()(&(*$%#!!@#
Open File: C:\WINDOWS\explorer.exe (OPEN_EXISTING)
Delete File: C:\DOKUME~1\ADMINI~1\LOKALE~1\TEMPOR~1\Content.IE5\OTWL3NW1\YDTAOE~1.EXE

Information about the hoster:
http://whois.domaintools.com/70.39.100.4
