Trojan.Agent
Risk Level 1
 
File Size : 168959 KB
File Type : Portable Executable file
File Name : NOTEPAD.EXE
MD5 : 38607321b0795734ba1a6af9906113a0
SHA1 : c03f919e5fbe426e570fa97b1ce8086104a2a42c
SHA256 : 9700ea36f3e15aa4a535d5161a7b0ac2ac21a15522a1f4f6ee

General information:

* File name: C:\Users\vmware\Desktop\malware\38607321b0795734ba1a6af9906113a0.exe

Changes to registry :

* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates value "ExceptionRecord=050000C000000000000000006FB5807C02000000000000006FB5807C3F0001000000000000000000000000000000000000000000000000007F02000000000000FFFF0000000000000000000000000000" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
* Creates value "StoreLocation=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\Debug
binary data=43003A005C00500072006F006700720061006D0044006100740061005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005700450052005C005200650070006F0072007400510075006500750065005C00410070007000430072006100730068005F0033003800360030003700330032003100620030003700390035003700330034005F006400310038003800310065006200380031003700370066003500640034006300610031003500380039006600320066003600640032003200390038003600640033006500380065003800610065005F006300610062005F00300065003400340062006200650033000000
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{d830145d-1c80-11e6-b8aa-806e6f6e6963}
old value empty
* Creates value "StoreLocation=C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3" in key HKEY_CURRENT_USER\software\Microsoft\Windows\Windows Error Reporting\Debug
binary data=43003A005C00500072006F006700720061006D0044006100740061005C004D006900630072006F0073006F00660074005C00570069006E0064006F00770073005C005700450052005C005200650070006F0072007400510075006500750065005C00410070007000430072006100730068005F0033003800360030003700330032003100620030003700390035003700330034005F006400310038003800310065006200380031003700370066003500640034006300610031003500380039006600320066003600640032003200390038003600640033006500380065003800610065005F006300610062005F00300065003400340062006200650033000000
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3\Report.wer
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3\WERB271.tmp.appcompat.txt
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3\WERB35C.tmp.WERInternalMetadata.xml
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3\WERB418.tmp.hdmp
* Creates file C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_38607321b0795734_d1881eb8177f5d4ca1589f2f6d22986d3e8e8ae_cab_0e44bbe3\WERB928.tmp.mdmp
* Creates file C:\Users\vmware\AppData\Local\CrashDumps\38607321b0795734ba1a6af9906113a0.exe.1660.dmp

Network services:

* No changes

Process/window/string information:

* Checks for debuggers.
* Creates process "C:\Windows\system32\WerFault.exe, C:\Windows\system32\WerFault.exe -u -p 1660 -s 176, C:\Windows\system32".
* Injects code into process "C:\Windows\System32\WerFault.exe".
* Enumerates running processes.
* Creates a mutex "Local\WERReportingForProcess1660".
* Enables privilege SeDebugPrivilege.
* Creates a mutex "Global\2b91092b-2bc3-11e6-9ca0-000c29164906".
* Enables privilege SeShutdownPrivilege.
* Enables process privileges.

Additional Information:

How To Remove NOTEPAD.EXE

1. Download an antivirus for your computer.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where NOTEPAD.EXE is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
