Malware Analysis Report

2025-08-10 23:23

Sample ID 241117-kl8x4awckd
Target 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe
SHA256 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5
Tags
discovery evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5

Threat Level: Known bad

The file 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Executes dropped EXE

Modifies system executable filetype association

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-17 08:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-17 08:42

Reported

2024-11-17 08:44

Platform

win7-20241010-en

Max time kernel

118s

Max time network

19s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\M: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\T: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\S: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\U: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\Y: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\I: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\K: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\O: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\Q: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\L: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\N: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\X: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\Z: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\P: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\R: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\V: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\W: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\B: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\E: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\H: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened (read-only) \??\J: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File created \??\c:\windows\SysWOW64\Desktop.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File created \??\c:\windows\SysWOW64\maxtrox.txt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
File created \??\c:\windows\SysWOW64\Windows 3D.scr C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Windows Defender\MSASCui.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPDMC.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpenc.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Journal\PDIALOG.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Sidebar\sidebar.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7z.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Defender\MpCmdRun.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zG.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wab.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe
PID 2236 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe

"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe

"c:\Documents and Settings\Admin\Application Data\Microsoft\scaa.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\scaa.exe

MD5 5567f115cf53f9f180a000676b23deb1
SHA1 d5dca6370eccd30fa9f4170b4ac678cef174e449
SHA256 b412f6aa47934aa162ebcc8e3a7569631734d90c15a8fea853af01120b16fff4
SHA512 ab53cdb2d5d01552e8c1e123e7904d98552daa27b4f6d36861df292e577ad57249e9df675e00261246fd2ded3afad0d7b4126a68b35711081d5db0434e35347d

\??\c:\windows\SysWOW64\maxtrox.txt

MD5 24865ca220aa1936cbac0a57685217c5
SHA1 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512 c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

C:\Windows\SysWOW64\Windows 3D.scr

MD5 d7997f49f670d876e06d9b9b2e47b4b9
SHA1 bda4eadba89c0cd4b43e2c42772a58db8178076b
SHA256 3b01786c8166dc1e0596ea6a67e2367906eda66a8cb283de68d7a3f8b6fabd8e
SHA512 0e62b520084398a8fed73d6334689a48100d623f03c14356c06aaa76a0c9f815165cfc0007cedf57ec155c245320d78d6e720ffaf1a6ac0955152e5f7d6fd001

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-17 08:42

Reported

2024-11-17 08:44

Platform

win10v2004-20241007-en

Max time kernel

118s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"

Signatures

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\J: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\N: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\O: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\Q: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\U: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\X: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\B: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\Y: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\P: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\Z: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\E: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\M: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\R: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\S: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\T: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\L: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\I: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\K: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\V: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\W: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened (read-only) \??\H: \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\windows\SysWOW64\CommandPrompt.Sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File created \??\c:\windows\SysWOW64\maxtrox.txt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
File created \??\c:\windows\SysWOW64\Windows 3D.scr C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
File opened for modification \??\c:\windows\SysWOW64\maxtrox.txt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\windows\SysWOW64\Windows 3D.scr \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File created \??\c:\windows\SysWOW64\Desktop.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\plugin-container.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmlaunch.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnetwk.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmprph.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zG.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\firefox.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\pingsender.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpshare.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iexplore.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Mail\wabmig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7z.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ieinstal.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpconfig.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\private_browsing.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\updater.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpnscfg.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\crashreporter.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmplayer.exe \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic" \??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe

"C:\Users\Admin\AppData\Local\Temp\36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N.exe"

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe

"c:\Documents and Settings\Admin\Application Data\Microsoft\vcw.exe" 36a76cdee0883cbf8968d10559196ceb6d0e9ac02c78cccc1d36aa8a891dcaa5N

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\vcw.exe

MD5 5567f115cf53f9f180a000676b23deb1
SHA1 d5dca6370eccd30fa9f4170b4ac678cef174e449
SHA256 b412f6aa47934aa162ebcc8e3a7569631734d90c15a8fea853af01120b16fff4
SHA512 ab53cdb2d5d01552e8c1e123e7904d98552daa27b4f6d36861df292e577ad57249e9df675e00261246fd2ded3afad0d7b4126a68b35711081d5db0434e35347d

\??\c:\windows\SysWOW64\maxtrox.txt

MD5 24865ca220aa1936cbac0a57685217c5
SHA1 37f687cafe79e91eae6cbdffbf2f7ad3975f5e83
SHA256 841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743
SHA512 c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

\??\c:\windows\SysWOW64\Windows 3D.scr

MD5 d7997f49f670d876e06d9b9b2e47b4b9
SHA1 bda4eadba89c0cd4b43e2c42772a58db8178076b
SHA256 3b01786c8166dc1e0596ea6a67e2367906eda66a8cb283de68d7a3f8b6fabd8e
SHA512 0e62b520084398a8fed73d6334689a48100d623f03c14356c06aaa76a0c9f815165cfc0007cedf57ec155c245320d78d6e720ffaf1a6ac0955152e5f7d6fd001