1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd

Analysis

max time kernel
147s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2022 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
Size

1.3MB
MD5

86bb153af8f8a4214e4492b072d4b78e
SHA1

dad286dfe8daf8e0827ef4fdd51e841d65a9e1ad
SHA256

1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd
SHA512

9166a1a8a3b4b552ba2197411d39ad56bce95373230f340584d3e96fbc67502521a33e1df07a8b83da7bc2565f6fc0512b2ca45c76f99f09774e167b7c37008d
SSDEEP

12288:xCTPgrnZiJiAaMVkUet7EwBI+APutDrVkP+xnXOBI+AM0:xCTPMAzVkUetVI5ut/VkP+x6IS0

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ulccejvaj = "iyscigtfr.exe"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Drops desktop.ini file(s) 48 IoCs

description	ioc	Process
File opened for modification	\??\q:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\s:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\s:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\j:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\p:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\n:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\o:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\r:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\u:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\m:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\g:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\h:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\i:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\v:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\w:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\x:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\c:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\e:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\k:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\n:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\v:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\z:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	C:\Documents and Settings\Admin\Application Data\Mr_CF\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\i:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\x:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\z:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\j:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\t:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\w:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\y:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\o:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\q:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\f:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\g:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\k:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\l:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\u:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\y:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\e:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\f:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\l:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\m:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\p:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\r:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\t:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\c:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\h:\Desktop.ini	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\l:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\n:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\q:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\t:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\x:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\s:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\u:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\f:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\h:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\j:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\m:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\o:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\w:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\z:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\g:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\i:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\k:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\r:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\v:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\e:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened (read-only)	\??\p:	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Drops autorun.inf file 1 TTPs 47 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\f:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\n:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\q:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\r:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\s:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\t:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\u:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\c:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\z:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\k:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\o:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\o:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\q:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\v:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\v:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\y:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\j:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\z:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\h:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\l:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\m:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\y:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\h:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\f:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\g:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\g:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\i:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\i:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\j:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\l:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\e:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\x:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\t:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\c:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\k:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\u:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\w:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	C:\Documents and Settings\Admin\Application Data\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\x:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\w:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\m:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\p:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	\??\r:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\e:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\p:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\s:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	\??\n:\Autorun.inf	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File created	C:\Windows\SysWOW64\iyscigtfr.exe	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
File opened for modification	C:\Windows\SysWOW64\iyscigtfr.exe	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Negeri Serumpun Sebalai .pif .bat .com .scr .exe	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1060	3892	WerFault.exe	81

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "MR_COO~1.SCR"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "JPEG Image"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "JPEG Image"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\ = "Princess Document"	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
3892	1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe

C:\Users\Admin\AppData\Local\Temp\1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe
"C:\Users\Admin\AppData\Local\Temp\1dca957138b5d01c64c16309648a349c901fb0a5fe56f75a4fc833c8c11a6efd.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3892
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 868
  2⤵
  - Program crash
  PID:1060