Trojan.Agent
Risk Level 1
 
File Size : 47616 KB
File Type : Portable Executable file
File Name : 35068387a587d8b58f8d0a1620e63eb0.exe
MD5 : 35068387a587d8b58f8d0a1620e63eb0
SHA1 : a3634f7507c3331f8cdadd1212eac336983eee6e
SHA256 : 251cd7726e9161d7b2967b9d7c5595a6f5ae2f1985ba9b7a06 (incomplete as listed: 50 hex digits, a full SHA-256 has 64; match on the MD5 or SHA1 instead)

General information:

* File name: C:\Users\vmware\Desktop\malware\35068387a587d8b58f8d0a1620e63eb0.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates value "ExceptionRecord=050000C000000000000000002C234000020000000000000000C0E6773F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
* Creates value "StoreLocation=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d830145d-1c80-11e6-b8aa-806e6f6e6963} (old value: empty)
* Creates value "StoreLocation=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

The last two entries reference the Sandboxie installation in the analysis VM (C:\Program Files\Sandboxie); the MuiCache value is the shell caching the friendly name of SandboxieRpcSs.exe, and its binary data is simply the UTF-16LE encoding of "Sandboxie COM Services (RPC)". Treat them as artefacts of the analysis environment, not as indicators of the sample.
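The binary registry values quoted above can be decoded offline. The following is an added example in Python (not part of this report and not a Sniper Antivirus tool) that parses the ExceptionRecord blob with the 32-bit EXCEPTION_RECORD layout from winnt.h, decodes the UTF-16LE MuiCache string, pulls the crashed PID out of the WerFault command line quoted under Process/window/string information, and checks a candidate file's bytes against the MD5 and SHA1 listed at the top. The hex strings and the command line are copied from this page; the STATUS_NAMES table and every function name are the example's own.

```python
"""Decode the REG_BINARY values and crash-handler artefacts quoted in this report.

Added example; it is not part of the original report or of any vendor tool.
The hex strings and command line are copied from the report; the struct
layout is the documented 32-bit EXCEPTION_RECORD (winnt.h).
"""
import hashlib
import struct
from typing import Dict, Optional

# Copied from the report. SHA256 is left out: the page shows only 50 of its
# 64 hex digits, so it cannot be used for matching.
LISTED_MD5 = "35068387a587d8b58f8d0a1620e63eb0"
LISTED_SHA1 = "a3634f7507c3331f8cdadd1212eac336983eee6e"

# HKLM\software\microsoft\Windows\Windows Error Reporting\Debug\ExceptionRecord
EXCEPTION_RECORD_HEX = "050000C000000000000000002C234000020000000000000000C0E6773F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000"
# MuiCache binary data for SandboxieRpcSs.exe
MUICACHE_HEX = "530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000"
# Command line from the "Creates process" entry
WERFAULT_CMDLINE = r"C:\Windows\system32\WerFault.exe -u -p 2936 -s 96"

# NTSTATUS codes commonly found in ExceptionCode (ntstatus.h); example's own table.
STATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0x80000003: "STATUS_BREAKPOINT",
}


def parse_exception_record(blob: bytes) -> Dict[str, object]:
    """Parse a 32-bit EXCEPTION_RECORD as WER stores it.

    Layout, all little-endian DWORDs: ExceptionCode, ExceptionFlags,
    ExceptionRecord (pointer to a chained record), ExceptionAddress,
    NumberParameters, ExceptionInformation[15].
    """
    if len(blob) < 20:
        raise ValueError("EXCEPTION_RECORD needs at least 20 bytes")
    code, flags, chained, address, nparams = struct.unpack_from("<5I", blob, 0)
    nparams = min(nparams, 15)
    if len(blob) < 20 + 4 * nparams:
        raise ValueError("blob truncated inside ExceptionInformation")
    info = list(struct.unpack_from(f"<{nparams}I", blob, 20))
    rec: Dict[str, object] = {
        "code": code,
        "code_name": STATUS_NAMES.get(code, "unknown"),
        "flags": flags,
        "address": address,
        "info": info,
    }
    if code == 0xC0000005 and nparams >= 2:
        # For an access violation info[0] is 0 (read), 1 (write) or 8 (DEP
        # execute fault) and info[1] is the virtual address that faulted.
        rec["access"] = {0: "read", 1: "write", 8: "execute"}.get(info[0], "?")
        rec["fault_address"] = info[1]
    return rec


def decode_reg_sz_hex(hex_value: str) -> str:
    """REG_SZ values dumped as hex are UTF-16LE with a trailing NUL."""
    return bytes.fromhex(hex_value).decode("utf-16-le").rstrip("\x00")


def werfault_pid(cmdline: str) -> Optional[int]:
    """Return the crashed PID from a 'WerFault.exe -u -p <pid> -s <handle>' line."""
    args = cmdline.split()
    for i, arg in enumerate(args[:-1]):
        if arg == "-p" and args[i + 1].isdigit():
            return int(args[i + 1])
    return None


def matches_listed_hashes(data: bytes) -> bool:
    """True if the bytes hash to both the MD5 and the SHA1 listed in the report."""
    return (hashlib.md5(data).hexdigest() == LISTED_MD5
            and hashlib.sha1(data).hexdigest() == LISTED_SHA1)


def summarize() -> Dict[str, object]:
    """Tie the decoded values together the way a triage note would."""
    rec = parse_exception_record(bytes.fromhex(EXCEPTION_RECORD_HEX))
    pid = werfault_pid(WERFAULT_CMDLINE)
    return {
        "exception": (f"{rec['code_name']} (0x{rec['code']:08X}) at "
                      f"0x{rec['address']:08X}, {rec.get('access', '?')} of "
                      f"0x{rec.get('fault_address', 0):08X}"),
        "werfault_pid": pid,
        # The WER mutex name in the report embeds the same PID; a mismatch
        # would mean the report mixed up two processes.
        "pid_matches_mutex": f"WERReportingForProcess{pid}" == "WERReportingForProcess2936",
        "muicache_string": decode_reg_sz_hex(MUICACHE_HEX),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run as a script it prints the decoded exception (an access violation, a read fault, with the faulting instruction inside the sample's own image at the default 0x00400000 base), the PID 2936 that WerFault was launched for, and the decoded MuiCache string. The parser reads NumberParameters before unpacking ExceptionInformation so it also copes with a blob that was cut short after the parameters actually used.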

Changes to filesystem:

* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c\Report.wer
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c\WER73FB.tmp.appcompat.txt
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c\WER74E6.tmp.WERInternalMetadata.xml
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c\WER7564.tmp.hdmp
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_35068387a587d8b5_7b98dfbad6cdc9bdea4d3b060f0cda69246ba1_cab_0f7a7b1c\WER78CE.tmp.mdmp
* Creates file C:\Users\vmware\AppData\Local\CrashDumps\35068387a587d8b58f8d0a1620e63eb0.exe.2936.dmp

Network services:

* No changes

Process/window/string information:

* Checks for debuggers.
* Creates process: image C:\Windows\system32\WerFault.exe, command line "C:\Windows\system32\WerFault.exe -u -p 2936 -s 96", working directory C:\Windows\system32.
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess2936".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\19c3e928-2bc7-11e6-9ca0-000c29164906".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.

Note: PID 2936 is the sample's own process; the CrashDumps file name and the WER mutex carry the same number. WerFault.exe -u -p 2936 -s 96 is the Windows Error Reporting handler started for a user-mode crash of that process, and the SeDebugPrivilege, process enumeration, WER mutex and "injects code into WerFault.exe" entries are consistent with that crash-reporting flow rather than with deliberate injection by the sample. The ExceptionRecord value listed under Changes to registry begins with the bytes 05 00 00 C0, i.e. exception code 0xC0000005 (STATUS_ACCESS_VIOLATION), so the sample faulted in this run. With no network activity observed, the report shows the crash, not what the sample does when it runs to completion.

Additional Information:

How To Remove 35068387a587d8b58f8d0a1620e63eb0.exe

1. Download Sniper Antivirus.
2. Install it on your system.
3. Run a full scan of your computer, or scan the folder where 35068387a587d8b58f8d0a1620e63eb0.exe is located.
4. When the scan finishes you will see the message "scan is complete"; click OK to view the results.
5. Delete the threat from the results table.

The crash dumps listed under Changes to filesystem (.hdmp, .mdmp and the CrashDumps .dmp) hold a copy of the sample's process memory; delete them too unless you are keeping them for analysis.
