Analysis Overview
SHA256
36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5
Threat Level: Known bad
The file 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Executes dropped EXE
Modifies system executable filetype association
Loads dropped DLL
Adds Run key to start application
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 08:42
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 08:42
Reported
2024-11-17 08:44
Platform
win7-20241010-en
Max time kernel
118s
Max time network
19s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\windows\SysWOW64\maxtrox.txt | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\Windows 3D.scr | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File created | \??\c:\windows\SysWOW64\Desktop.sysm | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File created | \??\c:\windows\SysWOW64\CommandPrompt.Sysm | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File created | \??\c:\windows\SysWOW64\maxtrox.txt | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| File created | \??\c:\windows\SysWOW64\Windows 3D.scr | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Program Files\Windows Defender\MSASCui.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\WMPDMC.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpenc.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpshare.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Journal\PDIALOG.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Sidebar\sidebar.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7z.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Defender\MpCmdRun.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpconfig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnetwk.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\firefox.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmplayer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmprph.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iediagcmd.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Mail\wab.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnscfg.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Modifies registry class
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N
Network
Files
\Users\Admin\AppData\Roaming\Microsoft\scaa.exe
| MD5 | 5567f115cf53f9f180a000676b23deb1 |
| SHA1 | d5dca6370eccd30fa9f4170b4ac678cef174e449 |
| SHA256 | b412f6aa47934aa162ebcc8e3a7569631734d90c15a8fea853af01120b16fff4 |
| SHA512 | ab53cdb2d5d01552e8c1e123e7904d98552daa27b4f6d36861df292e577ad57249e9df675e00261246fd2ded3afad0d7b4126a68b35711081d5db0434e35347d |
\??\c:\windows\SysWOW64\maxtrox.txt
| MD5 | 24865ca220aa1936cbac0a57685217c5 |
| SHA1 | 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83 |
| SHA256 | 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743 |
| SHA512 | c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062 |
C:\Windows\SysWOW64\Windows 3D.scr
| MD5 | d7997f49f670d876e06d9b9b2e47b4b9 |
| SHA1 | bda4eadba89c0cd4b43e2c42772a58db8178076b |
| SHA256 | 3b01786c8166dc1e0596ea6a67e2367906eda66a8cb283de68d7a3f8b6fabd8e |
| SHA512 | 0e62b520084398a8fed73d6334689a48100d623f03c14356c06aaa76a0c9f815165cfc0007cedf57ec155c245320d78d6e720ffaf1a6ac0955152e5f7d6fd001 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 08:42
Reported
2024-11-17 08:44
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
95s
Command Line
Signatures
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | \??\c:\windows\SysWOW64\CommandPrompt.Sysm | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File created | \??\c:\windows\SysWOW64\maxtrox.txt | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| File created | \??\c:\windows\SysWOW64\Windows 3D.scr | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\maxtrox.txt | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\windows\SysWOW64\Windows 3D.scr | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File created | \??\c:\windows\SysWOW64\Desktop.sysm | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | \??\c:\Program Files\7-Zip\7zFM.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\plugin-container.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmlaunch.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\setup_wm.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnetwk.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmprph.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7zG.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\Uninstall.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\firefox.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\pingsender.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpshare.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iexplore.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Mail\wabmig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\7-Zip\7z.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ieinstal.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\ielowutil.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpconfig.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\private_browsing.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Internet Explorer\iediagcmd.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\updater.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmpnscfg.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Mozilla Firefox\crashreporter.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
| File opened for modification | \??\c:\Program Files\Windows Media Player\wmplayer.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Modifies registry class
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | N/A |
| N/A | N/A | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1680 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe |
| PID 1680 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe |
| PID 1680 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe | \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\vcw.exe
| MD5 | 5567f115cf53f9f180a000676b23deb1 |
| SHA1 | d5dca6370eccd30fa9f4170b4ac678cef174e449 |
| SHA256 | b412f6aa47934aa162ebcc8e3a7569631734d90c15a8fea853af01120b16fff4 |
| SHA512 | ab53cdb2d5d01552e8c1e123e7904d98552daa27b4f6d36861df292e577ad57249e9df675e00261246fd2ded3afad0d7b4126a68b35711081d5db0434e35347d |
\??\c:\windows\SysWOW64\maxtrox.txt
| MD5 | 24865ca220aa1936cbac0a57685217c5 |
| SHA1 | 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83 |
| SHA256 | 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743 |
| SHA512 | c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062 |
\??\c:\windows\SysWOW64\Windows 3D.scr
| MD5 | d7997f49f670d876e06d9b9b2e47b4b9 |
| SHA1 | bda4eadba89c0cd4b43e2c42772a58db8178076b |
| SHA256 | 3b01786c8166dc1e0596ea6a67e2367906eda66a8cb283de68d7a3f8b6fabd8e |
| SHA512 | 0e62b520084398a8fed73d6334689a48100d623f03c14356c06aaa76a0c9f815165cfc0007cedf57ec155c245320d78d6e720ffaf1a6ac0955152e5f7d6fd001 |