Remote Host Port Number
88.255.120.175 7075
MODE [USA|XP|324449] -ix
JOIN #heur heur
NICK [USA|XP|324449]
USER rcccgtw * 0 :COMPUTERNAME
PASS heur
* The following port was open in the system:
Port Protocol Process
1053 TCP csrs.exe (%Windir%\csrs.exe)
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Services = “csrs.exe”
so that csrs.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Services = “csrs.exe”
so that csrs.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
csrs.exe %Windir%\csrs.exe 331 776 bytes
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash
1 %Windir%\csrs.exe
[file and pathname of the sample #1] 111 751 bytes MD5: 0x525DF71F3E5B3EF6762E35BA38B50797
SHA-1: 0xBAF487E6EC56F8C1B4E8DC8BF5ACB4355EB5DF95