irandy.info

Remote Host Port Number
irandy.info 8160

NICK {USA-XP}481463
USER yjmpomf * 0 :COMPUTERNAME

* The following ports were open in the system:

Port Protocol Process
1033 TCP svhost.exe (%Windir%svhost.exe)
1034 TCP svhost.exe (%Windir%svhost.exe)

* The following Host Name was requested from a host database:
o irandy.info

Other details

* To mark the presence in the system, the following Mutex objects were created:
o IgKS2jQ9H3EPFo4r
o lk9f6u6873jlids

File System Modifications

* The following file was created in the system:

# Filename(s) File Size File Hash
1 %Windir%svhost.exe
[file and pathname of the sample #1] 193 536 bytes MD5: 0xDA91D98380728186CA4CD69CF08A0E14
SHA-1: 0x7844EC8E665512EBE49E5651DDA1B8E605473E45

Memory Modifications

* There were new processes created in the system:

Process Name Process Filename Main Module Size
svhost.exe %Windir%svhost.exe 311 296 bytes
[filename of the sample #1] [file and pathname of the sample #1] 208 896 bytes

Registry Modifications

* The newly created Registry Value is:
o [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
+ MSN = “%Windir%svhost.exe”

so that svhost.exe runs every time Windows starts

Categories: Uncategorized
Previous post