Worm.Generic
Risk Level 1
File Size: 59415 KB
File Type: Portable Executable file
File Name: a1cf4ebbe8e7a47599403ab640caffc0.exe
MD5: a1cf4ebbe8e7a47599403ab640caffc0
SHA1: b8ec06885b19598b0571fd713cde9a8abc00ccaf
SHA256: 03eb3935d78fead135dcb32c41bbe54fe1f407e1e931b6a8e5

General information:

* File name: C:\Users\vmware\Desktop\malware\a1cf4ebbe8e7a47599403ab640caffc0.exe

Changes to registry:

* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "ExceptionRecord=050000C00000000000000000000000000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "ExceptionRecord=050000C000000000000000002F12F1000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000E991F2000000000048734000"
* Creates value "StoreLocation=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1cf4ebbe8e7a475_15a8607f4f5e1af5d09ac9ffe6d810fae85dfa35_cab_03f37771" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps

Changes to filesystem:

* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1cf4ebbe8e7a475_15a8607f4f5e1af5d09ac9ffe6d810fae85dfa35_cab_03f37771\Report.wer
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1cf4ebbe8e7a475_15a8607f4f5e1af5d09ac9ffe6d810fae85dfa35_cab_03f37771\WER6D82.tmp.appcompat.txt
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1cf4ebbe8e7a475_15a8607f4f5e1af5d09ac9ffe6d810fae85dfa35_cab_03f37771\WER6ECB.tmp.WERInternalMetadata.xml
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1cf4ebbe8e7a475_15a8607f4f5e1af5d09ac9ffe6d810fae85dfa35_cab_03f37771\WER6F58.tmp.hdmp
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1cf4ebbe8e7a475_15a8607f4f5e1af5d09ac9ffe6d810fae85dfa35_cab_03f37771\WER74C5.tmp.mdmp
* Creates file C:\Users\vmware\AppData\Local\CrashDumps\a1cf4ebbe8e7a47599403ab640caffc0.exe.4884.dmp

Network services:

no change

Process/window/string information:

* Checks for debuggers.
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 4884 -s 116, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess4884".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\f3eebe32-219b-11e6-8143-000c29f0d582".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.

Additional Information:

How to remove a1cf4ebbe8e7a47599403ab640caffc0.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where a1cf4ebbe8e7a47599403ab640caffc0.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to see the results.
5. Then delete the threat from the table.
