Remote Host Port Number
217.23.8.169 6667
USER {New}{UserName|v3}866 {New}{UserName|v3}866 * :{New}{UserName|v3}866
NICK {New}{UserName|v3}866
PRIVMSG #b0tz :
5 >
* The following port was open in the system:
Port Protocol Process
1054 TCP [file and pathname of the sample #1]
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Services = “%UserProfile%\svchost.exe”
so that svchost.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
+ Windows Services = “%UserProfile%\svchost.exe”
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Services = “%UserProfile%\svchost.exe”
so that svchost.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
[filename of the sample #1] [file and pathname of the sample #1] N/A
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %UserProfile%\cfg.ini 28 bytes MD5: 0x0A0FDF2359C0071FE188C1A524840CE4
SHA-1: 0xFCE8C7DB65048E56B50C6A354C991D9B90403FFB
2 %UserProfile%\svchost.exe
[file and pathname of the sample #1] 78 848 bytes MD5: 0x94347F0EC168FB1C0508215D03AE3721
SHA-1: 0x262B132873DCFEACBB57C80CE5AFDBB8C5F9F038