2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524

General

Target

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
Size

510KB
MD5

6f502f1cc527cbc62411532220e1ce86
SHA1

58c1b175ef0f758bcf26dd6d36a5597d0289fd10
SHA256

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524
SHA512

cccf8a62f96bd36fb9ed7b1f3f4b7d73b6dd2ffe1f1c9a6495830cc1f067c39afa603edad0a7cd6034ba6a1d344ff233b86950bdd02c1a258cf05f6fa688d1f1
SSDEEP

12288:xCTPgrnZiJiAaMVkUet7EwBI+APu2DrVkP+xnXOBI+AM0bUjr:xCTPMAzVkUetVI5u2/VkP+x6IS0b+r

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\skbxfsaznp = "xlwuksooax.exe"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Drops desktop.ini file(s) 48 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
File opened for modification	\??\k:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\t:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\w:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\y:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\c:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\i:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\w:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\y:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\z:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\e:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\s:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\v:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\r:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\t:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\j:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\k:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\q:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\p:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\x:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\h:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\j:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\l:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\m:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\n:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\e:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\f:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\g:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\o:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\q:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\c:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\r:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\z:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\p:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\s:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\u:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\l:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\m:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\n:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\i:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\o:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\u:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\v:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\x:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\f:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\g:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\h:\Desktop.ini	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
File opened (read-only)	\??\e:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\j:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\k:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\m:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\n:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\u:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\z:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\g:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\i:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\q:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\t:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\w:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\x:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\y:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\h:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\l:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\p:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\s:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\v:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\f:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\o:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened (read-only)	\??\r:	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Drops autorun.inf file 1 TTPs 47 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
File created	\??\u:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\w:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\x:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\c:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\i:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\o:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\p:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\p:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\q:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\s:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\t:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\e:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\g:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\h:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\l:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\t:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\j:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	C:\Documents and Settings\Admin\Application Data\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\e:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\f:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\h:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\i:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\l:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\m:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\v:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\n:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\q:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\r:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\s:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\r:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\v:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\x:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\z:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\c:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\k:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\n:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\o:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\w:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\y:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\z:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\f:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\g:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\m:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\u:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	\??\j:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\k:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	\??\y:\Autorun.inf	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Drops file in System32 directory 3 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msvbvm60.dll	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File created	C:\Windows\SysWOW64\xlwuksooax.exe	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
File opened for modification	C:\Windows\SysWOW64\xlwuksooax.exe	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Drops file in Windows directory 1 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
File created	C:\Windows\Negeri Serumpun Sebalai .pif .bat .com .scr .exe	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1684 748 WerFault.exe 2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

pid	pid_target	process	target process
1684	748	WerFault.exe	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Modifies Control Panel 3 IoCs

evasion

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Modifies registry class 3 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document"	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

pid	process
748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

pid process

748 2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe

description	pid	process	target process
PID 748 wrote to memory of 1684	748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe	WerFault.exe
PID 748 wrote to memory of 1684	748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe	WerFault.exe
PID 748 wrote to memory of 1684	748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe	WerFault.exe
PID 748 wrote to memory of 1684	748	2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe
"C:\Users\Admin\AppData\Local\Temp\2f283fb253cc63f74a71f71367084dbb35015193fecfc112725ea5529b434524.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:748