Remote Host Port Number
 46.4.176.187 6669
JOIN ##ReliviuM InVaLiDDD
 PONG :BoTNeT.GoV
Other details
* The following port was open in the system:
Port Protocol Process
 1052 TCP [file and pathname of the sample #1]
Registry Modifications
 * The following Registry Keys were created:
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoaddows
 o HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
 o HKEY_LOCAL_MACHINE\SOFTWARE\Software
 o HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft
 o HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT
 o HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion
 o HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Windows
 o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
 o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
 o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
 o HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 o HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
 * The newly created Registry Values are:
 o [[pathname with a string SHARE]SharedTaskScheduler]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoaddows]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_LOCAL_MACHINE\SOFTWARE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
 + svchost.exe = “%AppData%\svchost.ex”
 o [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load]
 + svchost.exe = “%AppData%\svchost.ex”
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
 [filename of the sample #1] [file and pathname of the sample #1] 69,632 bytes
 svchost.exe %AppData%\svchost.exe 69,632 bytes
File System Modifications
* The following file was created in the system:
# Filename(s) File Size File Hash Alias
 1  Filename(s): %AppData%\svchost.exe
                 [file and pathname of the sample #1]
    File Size: 41,079 bytes
    File Hash: MD5: 0xF3CFAA2DF0E9DA00963C472434799573
               SHA-1: 0x6CC5E2A71D619E0C3C9EE554FD2B0AAB962F252E
    Alias: Trojan:Win32/Malex.gen!E [Microsoft]
Information about the hosting:
 http://whois.domaintools.com/46.4.176.187