Remote Host Port Number 51987

USER rA rA rA rA
NICK [rA|USA|XP|26962]
JOIN #Scope# nokey
PRIVMSG #Scope# :
4New bot for Scope
PING :IRC.Secret.GoV

Other details

* The following port was open in the system:

Port  Protocol  Process
1054  TCP       lsass.exe (%AppData%\lsass.exe)

Registry Modifications

* The newly created Registry Value is:
  o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    + Internet = "1"
    + Windows Defender = "%AppData%\lsass.exe"

so that lsass.exe runs every time Windows starts

Memory Modifications

* There was a new process created in the system:

Process Name  Process Filename     Main Module Size
lsass.exe     %AppData%\lsass.exe  81 920 bytes

File System Modifications

* The following file was created in the system:

#  Filename(s)                           File Size      File Hash
1  %AppData%\lsass.exe                   229 376 bytes  MD5: 0xDE38916F4C53FBF8DA955365A055B567
   [file and pathname of the sample #1]                 SHA-1: 0xEDBA150081E36A5986BABB9792928162A675DAD8

