Remote Host Port Number
217.23.13.241 45351
NICK {USA}{XP}{00}822528
USER 0038 “” “lol” :0038
JOIN #RogUe#
PONG :SIRC.NeT
Other details
* The following port was open in the system:
Port Protocol Process
1051 TCP svchosts.exe (%AppData%\svchosts.exe)
Registry Modifications
* The following Registry Keys were created:
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
+ UACDisableNotify = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
+ EnableLUA = 0x00000000
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
+ Microsoft Corp = “%AppData%\svchosts.exe”
so that svchosts.exe runs every time Windows starts
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Microsoft Corp = “%AppData%\svchosts.exe”
so that svchosts.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ winlogon = “%AppData%\rssms32.exe”
so that rssms32.exe runs every time Windows starts
+ Microsoft Corp = “%AppData%\svchosts.exe”
so that svchosts.exe runs every time Windows starts
Memory Modifications
* There was a new process created in the system:
Process Name Process Filename Main Module Size
svchosts.exe %AppData%\svchosts.exe 45 056 bytes
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash
1 %AppData%\rssms32.exe
%AppData%\svchosts.exe
[file and pathname of the sample #1] 65 536 bytes MD5: 0x54A98A6D61C58D85C7F4B0C022224797
SHA-1: 0xE05959824503F6943EB6C409075ECC2AF2A970CF
Anonymous - August 4, 2010 at 3:25 am
Look before you leap...