Worm.Generic
Risk Level 1
 
File Size : 65536 KB
File Type : Portable Executable file
File Name : a1d5e8db334375fa0dd1aea09452c3d0.exe
MD5 : a1d5e8db334375fa0dd1aea09452c3d0
SHA1 : 1587d3806759655e6c8c6b53ac93253647af56f4
SHA256 : 6568e6cf3fb587a3e7e6d9a66615f51cf9fd5a6376ee1cd1fa (truncated as listed: 50 of 64 hex digits, so it can only be matched as a prefix)

General information:

* File name: C:\Users\vmware\Desktop\malware\a1d5e8db334375fa0dd1aea09452c3d0.exe

Changes to registry :

* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Modifies value "ExceptionRecord=050000C00000000000000000000000000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
old value "ExceptionRecord=050000C000000000000000002F12F1000200000000000000000000003F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000E991F2000000000048734000"
(the leading DWORD 050000C0 is 0xC0000005 in little-endian byte order, STATUS_ACCESS_VIOLATION: the sample crashed with an access violation, which is what triggered the WerFault.exe activity listed below)
* Creates value "StoreLocation=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
binary data

Changes to filesystem:

* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b\Report.wer
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b\WERA67D.tmp.appcompat.txt
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b\WERA777.tmp.WERInternalMetadata.xml
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b\WERA814.tmp.hdmp
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b\WERABBD.tmp.mdmp
* Creates file C:\Users\vmware\AppData\Local\CrashDumps\a1d5e8db334375fa0dd1aea09452c3d0.exe.4944.dmp

Network services:

* Queries DNS "www.noray.com.mx".
* Queries DNS "delamo.ir".
* Queries DNS "nazeranyekta.com".
* Queries DNS "www.nazeranyekta.irlogos.gif".
* Queries DNS "netshoporizona.com.br".
* Queries DNS "www.mylatestcreation.com".
* Queries DNS "www.servetreklam.com".
* Queries DNS "nasr-mobtakeran.com".
* Queries DNS "netshivhumbetraders.co.za".
* Queries DNS "www.parsianparto.com".
* Queries DNS "noralvasanchez.com".
* Queries DNS "sevgikresi.net".
* Queries DNS "nlcfoundation.org".
* Queries DNS "natufarma.net".

Process/window/string information:

* Checks for debuggers.
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 4944 -s 100, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess4944".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\3e52cfcb-21a2-11e6-8143-000c29f0d582".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.
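Most of the registry, filesystem and process entries above are produced by Windows Error Reporting, not by the sample itself: WerFault.exe started with "-p 4944" (the crashing PID), the "Local\WERReportingForProcess4944" mutex, the ReportQueue\AppCrash_* folder and the LocalDumps .dmp file appear whenever any process crashes, and the "injects code into WerFault.exe" line is plausibly the same crash handling seen from the other direction (WerFault reading the crashed process to write its dump). The sample-specific signal is the Global mutex GUID and the DNS names. The following triage script, an added example that is not the site's own tooling, copies the listed indicators, separates the WER noise from the real indicators, checks candidate file bytes against the listed hashes (SHA256 as a prefix, since the page truncates it), and matches the domain list against resolver log lines. The BIND-style "query:" log format, the client addresses and the candidate bytes are constructed for the example and are not from the page.

```python
"""Triage helpers for the listing above: an added example, not the site's own tooling.

Everything runs offline. Indicators are copied from the report; the DNS log lines
and the candidate file bytes are constructed for the example. The log format
(BIND-style "query:" lines) is an assumption.
"""
import hashlib
import re

# Hashes as listed. The page's SHA256 is cut off at 50 hex digits, so it can only
# be compared as a prefix; MD5 and SHA1 are complete and compared exactly.
LISTED_MD5 = "a1d5e8db334375fa0dd1aea09452c3d0"
LISTED_SHA1 = "1587d3806759655e6c8c6b53ac93253647af56f4"
LISTED_SHA256_PREFIX = "6568e6cf3fb587a3e7e6d9a66615f51cf9fd5a6376ee1cd1fa"

# Host names the sample resolved (from "Network services"). The fourth entry is a
# URL fragment mistaken for a host name, which makes it a very sample-specific string.
CONTACTED_DOMAINS = {
    "www.noray.com.mx", "delamo.ir", "nazeranyekta.com",
    "www.nazeranyekta.irlogos.gif", "netshoporizona.com.br",
    "www.mylatestcreation.com", "www.servetreklam.com", "nasr-mobtakeran.com",
    "netshivhumbetraders.co.za", "www.parsianparto.com", "noralvasanchez.com",
    "sevgikresi.net", "nlcfoundation.org", "natufarma.net",
}

# Windows Error Reporting produces these whenever any process crashes: WerFault.exe
# started with -p <pid>, the Local\WERReportingForProcess<pid> mutex, the
# ReportQueue\AppCrash_* folder and the LocalDumps .dmp file. They show the sample
# crashed in the sandbox, not what it does, so they are poor indicators.
WER_PATTERNS = [
    re.compile(r"\\WerFault\.exe", re.I),
    re.compile(r"WERReportingForProcess\d+", re.I),
    re.compile(r"\\WER\\ReportQueue\\AppCrash_", re.I),
    re.compile(r"\\CrashDumps\\.*\.dmp$", re.I),
    re.compile(r"Windows Error Reporting", re.I),
]


def hash_verdict(data: bytes) -> dict:
    """Check candidate file bytes against the listed hashes."""
    return {
        "md5_match": hashlib.md5(data).hexdigest() == LISTED_MD5,
        "sha1_match": hashlib.sha1(data).hexdigest() == LISTED_SHA1,
        "sha256_prefix_match": hashlib.sha256(data).hexdigest().startswith(LISTED_SHA256_PREFIX),
    }


def is_wer_artifact(item: str) -> bool:
    """True when a report line is crash-reporting machinery rather than sample behaviour."""
    return any(p.search(item) for p in WER_PATTERNS)


def triage_report_items(items):
    """Split report strings into sample-specific indicators and generic WER noise."""
    specific, noise = [], []
    for item in items:
        (noise if is_wer_artifact(item) else specific).append(item)
    return specific, noise


# BIND-style query-log line, assumed for the example: "client <ip>#<port>: query: <qname> IN A".
DNS_LINE_RE = re.compile(r"client\s+(\S+?)#\d+.*?query:\s+(\S+)", re.I)


def match_dns_log(lines):
    """Return (client, qname) pairs whose query name is in the sample's domain list."""
    hits = []
    for line in lines:
        m = DNS_LINE_RE.search(line)
        if not m:
            continue
        qname = m.group(2).rstrip(".").lower()  # tolerate a trailing root dot
        if qname in CONTACTED_DOMAINS:
            hits.append((m.group(1), qname))
    return hits


# Strings taken from the report's registry, filesystem and process sections.
REPORT_ITEMS = [
    r"C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_a1d5e8db334375fa_3ddda9313d3cd25fc8eb5bcd56fb369ce83a2d_cab_1114ae0b\Report.wer",
    r"C:\Users\vmware\AppData\Local\CrashDumps\a1d5e8db334375fa0dd1aea09452c3d0.exe.4944.dmp",
    r"C:\Windows\system32\WerFault.exe -u -p 4944 -s 100",
    r"Local\WERReportingForProcess4944",
    r"Global\3e52cfcb-21a2-11e6-8143-000c29f0d582",
    r"HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\DontShowUI",
]

# Constructed resolver log lines (not from the page).
SAMPLE_DNS_LOG = [
    "client 10.0.0.5#53211: query: delamo.ir IN A",
    "client 10.0.0.5#53212: query: www.microsoft.com IN A",
    "client 10.0.0.5#53213: query: www.nazeranyekta.irlogos.gif IN A",
    "client 10.0.0.9#41000: query: natufarma.net. IN A",
]

if __name__ == "__main__":
    specific, noise = triage_report_items(REPORT_ITEMS)
    print("sample-specific:", specific)
    print("WER noise:", noise)
    print("DNS hits:", match_dns_log(SAMPLE_DNS_LOG))
    print("hash check on dummy bytes:", hash_verdict(b"not the sample"))
```

Run against the report's own strings, only the Global mutex survives as a sample-specific host indicator; everything else in the registry, filesystem and process sections is crash-reporting noise. On a real resolver log, the DNS names are the indicators worth hunting for, and the malformed "www.nazeranyekta.irlogos.gif" query is a good high-fidelity one precisely because nothing legitimate asks for it.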

Additional Information:

How To Remove a1d5e8db334375fa0dd1aea09452c3d0.exe

1. Download Sniper Antivirus.
2. Run the installer on your system.
3. Run a full scan of your computer, or scan the folder where a1d5e8db334375fa0dd1aea09452c3d0.exe is located.
4. When the scan finishes you will see the message "Scan is complete". Click OK to view the results.
5. Delete the threat from the results table.
