Remote Host Port Number
188.72.203.181 8888 ircd here
64.62.181.43 80
91.212.226.7 443
NICK {NEW}[2]5]6]6]
USER 0556 “” “lol” :0556
JOIN ##bX1##
PRIVMSG ##bX1## :
09File downloaded and executed.
PONG :irc.BallistiX.org
* The data identified by the following URL was then requested from the remote web server:
o http://ballistix3.fileave.com/11229_83ddca90650ee2987c709282220538c0.exe
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ winlogon = “%AppData%winlogin.exe”
so that winlogin.exe runs every time Windows starts
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionInternet Settings]
+ ProxyEnable = 0x00000000
* The following Registry Values were modified:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates�048F8D37B153F6EA2798C323EF4F318A5624A9E]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates�0EA522C8A9C06AA3ECCE0B4FA6CDC21D92E8099]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates�483ED3399AC3608058722EDBC5E4600E3BEF9D7]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates�49811056AFE9FD0F5BE01685AACE6A5D1C4454C]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates�B77BEBBCB7AA24705DECC0FBD6A02FC7ABD9B52]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates1331F48A5DA8E01DAACA1BB0C17044ACFEF755BB]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates1F55E8839BAC30728BE7108EDE7B0BB0D3298224]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates209900B63D955728140CD13622D8C687A4EB0085]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates216B2A29E62A00CE820146D8244141B92511B279]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates23E594945195F2414803B4D564D2A3A3F5D88B8C]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates24A40A1F573643A67F0A4B0749F6A22BF28ABB6B]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates24BA6D6C8A5B5837A48DB5FAE919EA675C94D217]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates273EE12457FDC4F90C55E82B56167F62F532E547]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates284F55C41A1A7A3F8328D4C262FB376ED6096F24]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates2F173F7DE99667AFA57AF80AA2D1B12FAC830338]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates36863563FD5128C7BEA6F005CFE9B43668086CCE]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates394FF6850B06BE52E51856CC10E180E882B385CC]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates3F85F2BB4A62B0B58BE1614ABB0D4631B4BEF8BA]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4072BA31FEC351438480F62E6CB95508461EAB2F]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates40E78C1D523D1CD9954FAC1A1AB3BD3CBAA15BFC]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates43DDB1FFF3B49B73831407F6BC8B975023D07C50]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates43F9B110D5BAFD48225231B0D0082B372FEF9A54]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4463C531D7CCC1006794612BB656D3BF8257846F]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates47AFB915CDA26D82467B97FA42914468726138DD]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4B421F7515F6AE8A6ECEF97F6982A400A4D9224E]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4BA7B9DDD68788E12FF852E1A024204BF286A8F6]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4C95A9902ABE0777CED18D6ACCC3372D2748381E]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4EF2E6670AC9B5091FE06BE0E5483EAAD6BA32D9]
+ Blob =
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftSystemCertificatesAuthRootCertificates4EFCED9C6BDD0C985CA3C7D253063C5BE6FC620C]
+ Blob =
o [HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionExplorerShell Folders]
+ Cookies =
+ Cache =
+ History =
Other details
* The following ports were open in the system:
Port Protocol Process
1052 TCP winlogin.exe (%AppData%winlogin.exe)
1053 UDP winlogin.exe (%AppData%winlogin.exe)
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
winlogin.exe %AppData%winlogin.exe 53 248 bytes
* The following modules were loaded into the address space of other process(es):
Module Name Module Filename Address Space Details
2.tmp %Temp%2.tmp Process name: spoolsv.exe
Process filename: %System%spoolsv.exe
Address space: 0xEB0000 – 0xEC9000
8.tmp %Temp%8.tmp Process name: spoolsv.exe
Process filename: %System%spoolsv.exe
Address space: 0xF50000 – 0xF69000
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %AppData%google_cache2658.tmp 9 bytes MD5: 0x6C936CB4A4B7F5803BD2E3DEACC3C2FE
SHA-1: 0x561782F6CC10BA3E5AFEAED752F95E589C813891
2 %AppData%winlogin.exe
[file and pathname of the sample #1] 61 053 bytes MD5: 0x89CD5B8702BDE9F6107B8FC6C60AED5A
SHA-1: 0x45563B1A7BB82222D07A908098A0BC72CA3CF946
3 %Temp%3.tmp
%Temp%A.tmp 80 896 bytes MD5: 0x83DDCA90650EE2987C709282220538C0
SHA-1: 0xBCDA83A68DC6B4C3D496965D96FDD9FC62DE4F8C
4 %Windir%Temp5.tmp
%Windir%TempB.tmp 80 896 bytes MD5: 0x9CA49EFBBA539560C529AC3C52FB8BA8
SHA-1: 0xE3BD55BE4EDB4E0602B9639D5882E38B09B20DB9
5 %Windir%Temp6.tmp
%Windir%TempC.tmp 0 bytes MD5: 0xD41D8CD98F00B204E9800998ECF8427E
SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709