Resolved : [login.ipwhois.co.uk] To [195.3.145.182]
NICK {XPUSA528985}
USER COMPUTERNAME * 0 :COMPUTERNAME
* To mark the presence in the system, the following Mutex object was created:
o adsaxf
* The following port was open in the system:
Port Protocol Process
1034 TCP servicese.exe (%Temp%\servicese.exe)
* The following Host Name was requested from a host database:
o login.ipwhois.co.uk
Registry Modifications
* The newly created Registry Values are:
o [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
+ Windows Servicese = "servicese.exe"
so that servicese.exe runs every time Windows starts
o [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
+ Windows Update = "%Temp%\service2.exe"
Memory Modifications
* There were new processes created in the system:
Process Name Process Filename Main Module Size
servicese.exe %Temp%\servicese.exe 331 776 bytes
[filename of the sample #1] [file and pathname of the sample #1] 45 056 bytes
File System Modifications
* The following files were created in the system:
# Filename(s) File Size File Hash
1 %AppData%\Microsoft\Crypto\RSA\S-1-5-21-606747145-764733703-839522115-1003\ee3e6eb837f922f2d39af5d53b80094b_a7bcc1a4-f7a4-4502-8650-8579e607f7f7 60 bytes MD5: 0x86066899A8FF8812436FC8B90FD1A503
SHA-1: 0x59C8E6EB261C1569269B41E25FD5F5FF80735EEF
2 %Temp%\servicese.exe
[file and pathname of the sample #1] 120 173 bytes MD5: 0x050626B12DA8CF1CA93BBF300A9DD49E
SHA-1: 0xD0DB409BEC0D3B40FE8FA361FECDFEFF864714C6