wannacry | 144c2e379f3876600e29384f71cbf9edb53ac3e45dee369b1f99e78476986254

Analysis

max time kernel
117s
max time network
107s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yfga_game.exe
Size

10.7MB
MD5

1864d9c2373236602ff186c28889d8f5
SHA1

28d619fb21f1ed64cc054ba81793aba9e3743487
SHA256

144c2e379f3876600e29384f71cbf9edb53ac3e45dee369b1f99e78476986254
SHA512

fdca345551700fbe893df0f6451995d70ce105ca2659a3da6ce355fb5c1b1c65cbbb1a0b04424d677444e6db8d58e3fa2d8d5db39ac64a1d4e308e49510865f8
SSDEEP

196608:ZO81jWusNrPGC0ePjqHbUjHicQskqPe1Cxcxk3ZAEUadzR8yc4ghrk:88tWhTr0eqgDiDjqG1Fxk3mEUadzRURi

Score

10^/10

wannacry aspackv2 defense_evasion discovery evasion execution exploit impact persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables Task Manager via registry modification
evasion
Possible privilege escalation attempt 5 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

2860 takeown.exe
2744 icacls.exe
2716 takeown.exe
2936 icacls.exe
2776 icacls.exe

pid	process
2860	takeown.exe
2744	icacls.exe
2716	takeown.exe
2936	icacls.exe
2776	icacls.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\screenscrew.exe	aspack_v212_v242

Drops startup file 2 IoCs

Processes:

wannacryptor.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6410.tmp	wannacryptor.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6415.tmp	wannacryptor.exe

Executes dropped EXE 16 IoCs

Processes:

screenscrew.exewalliant.exejokewarehydra.exewalliant.tmpwin7recovery.exeWbVhxCIDDK.exewalliant.exeuseroverflow.exeprogramoverflow.exewannacryptor.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]@[email protected]

pid	process
2816	screenscrew.exe
2152	walliant.exe
2752	jokewarehydra.exe
1468	walliant.tmp
956	win7recovery.exe
1792	WbVhxCIDDK.exe
2080	walliant.exe
2964	useroverflow.exe
376	programoverflow.exe
2468	wannacryptor.exe
1772	taskdl.exe
776	@[email protected]
408	@[email protected]
2788	taskhsvc.exe
2968	@[email protected]
2452	@[email protected]

Loads dropped DLL 46 IoCs

Processes:

cmd.execmd.exewalliant.exewin7recovery.exewalliant.tmpwalliant.exewannacryptor.execscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2300	cmd.exe
2300	cmd.exe
2300	cmd.exe
2420	cmd.exe
2152	walliant.exe
2300	cmd.exe
2300	cmd.exe
956	win7recovery.exe
956	win7recovery.exe
1468	walliant.tmp
1468	walliant.tmp
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2080	walliant.exe
2300	cmd.exe
2300	cmd.exe
2300	cmd.exe
2468	wannacryptor.exe
2468	wannacryptor.exe
2756	cscript.exe
2468	wannacryptor.exe
2468	wannacryptor.exe
684	cmd.exe
776	@[email protected]
776	@[email protected]
2788	taskhsvc.exe
2788	taskhsvc.exe
2788	taskhsvc.exe
2788	taskhsvc.exe
2788	taskhsvc.exe
2788	taskhsvc.exe
2468	wannacryptor.exe
2468	wannacryptor.exe

Modifies file permissions 1 TTPs 5 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exeicacls.exe

pid process

2860 takeown.exe
2744 icacls.exe
2716 takeown.exe
2936 icacls.exe
2776 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2860	takeown.exe
2744	icacls.exe
2716	takeown.exe
2936	icacls.exe
2776	icacls.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/956-295-0x0000000000600000-0x0000000000678000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

win7recovery.exewalliant.tmpreg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\WbVhxCIDDK = "C:\\ProgramData\\WbVhxCIDDK.exe"	win7recovery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\Walliant = "C:\\Users\\Admin\\AppData\\Local\\Programs\\Walliant\\walliant.exe"	walliant.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\loxtqdbrvjwnha527 = "\"C:\\Users\\Admin\\Desktop\\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

wannacryptor.exe@[email protected]reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wannacryptor.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Control Panel\Desktop\WallPaper = "C:\\Windows\\System32\\FeatureToastBulldogImg.png"	reg.exe

Drops file in Windows directory 3 IoCs

Processes:

xcopy.exemspaint.exeexplorer.exe

description	ioc	process
File created	C:\Windows\Boot\Fonts\segoe_slboot.ttf	xcopy.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\twunk_16.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Delays execution with timeout.exe 7 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid process

1748 timeout.exe
1076 timeout.exe
2372 timeout.exe
688 timeout.exe
684 timeout.exe
1492 timeout.exe
2936 timeout.exe
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

xcopy.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier xcopy.exe
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

1224 vssadmin.exe
Kills process with taskkill 8 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2384 taskkill.exe
1680 taskkill.exe
892 taskkill.exe
1032 taskkill.exe
1700 taskkill.exe
296 taskkill.exe
832 taskkill.exe
1496 taskkill.exe

pid	process
1748	timeout.exe
1076	timeout.exe
2372	timeout.exe
688	timeout.exe
684	timeout.exe
1492	timeout.exe
2936	timeout.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	xcopy.exe

pid	process
1224	vssadmin.exe

pid	process
2384	taskkill.exe
1680	taskkill.exe
892	taskkill.exe
1032	taskkill.exe
1700	taskkill.exe
296	taskkill.exe
832	taskkill.exe
1496	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exewin7recovery.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Download	win7recovery.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	win7recovery.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exeexplorer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\IconSize = "48"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\Mode = "6"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 5200310000000000e558806b100057696e646f7773003c0008000400efbeee3a851ae558806b2a0000008a020000000001000000000000000000000000000000570069006e0064006f0077007300000016000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{C4D98F09-6124-4FE0-9942-826416082DA9}\LogicalViewMode = "2"	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2296 reg.exe

pid	process
2296	reg.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

walliant.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	walliant.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	walliant.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	walliant.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2692 regedit.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
2692	regedit.exe

description	flow	ioc
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

win7recovery.exeWbVhxCIDDK.exewalliant.tmp

pid	process
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
1468	walliant.tmp
1468	walliant.tmp
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe
1792	WbVhxCIDDK.exe
1792	WbVhxCIDDK.exe
956	win7recovery.exe
956	win7recovery.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

explorer.exeexplorer.exe

pid process

2668 explorer.exe
2604 explorer.exe

pid	process
2668	explorer.exe
2604	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exeshutdown.exetaskkill.exeshutdown.exetaskkill.exewalliant.exetaskkill.exetaskkill.exetaskkill.exeshutdown.exevssvc.exeWMIC.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	296	taskkill.exe
Token: SeShutdownPrivilege	2172	shutdown.exe
Token: SeRemoteShutdownPrivilege	2172	shutdown.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeShutdownPrivilege	300	shutdown.exe
Token: SeRemoteShutdownPrivilege	300	shutdown.exe
Token: SeDebugPrivilege	1496	taskkill.exe
Token: SeDebugPrivilege	2080	walliant.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	892	taskkill.exe
Token: SeShutdownPrivilege	2288	shutdown.exe
Token: SeRemoteShutdownPrivilege	2288	shutdown.exe
Token: SeBackupPrivilege	2012	vssvc.exe
Token: SeRestorePrivilege	2012	vssvc.exe
Token: SeAuditPrivilege	2012	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe
Token: 35	1704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1704	WMIC.exe
Token: SeSecurityPrivilege	1704	WMIC.exe
Token: SeTakeOwnershipPrivilege	1704	WMIC.exe
Token: SeLoadDriverPrivilege	1704	WMIC.exe
Token: SeSystemProfilePrivilege	1704	WMIC.exe
Token: SeSystemtimePrivilege	1704	WMIC.exe
Token: SeProfSingleProcessPrivilege	1704	WMIC.exe
Token: SeIncBasePriorityPrivilege	1704	WMIC.exe
Token: SeCreatePagefilePrivilege	1704	WMIC.exe
Token: SeBackupPrivilege	1704	WMIC.exe
Token: SeRestorePrivilege	1704	WMIC.exe
Token: SeShutdownPrivilege	1704	WMIC.exe
Token: SeDebugPrivilege	1704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1704	WMIC.exe
Token: SeRemoteShutdownPrivilege	1704	WMIC.exe
Token: SeUndockPrivilege	1704	WMIC.exe
Token: SeManageVolumePrivilege	1704	WMIC.exe
Token: 33	1704	WMIC.exe
Token: 34	1704	WMIC.exe
Token: 35	1704	WMIC.exe
Token: SeShutdownPrivilege	2604	explorer.exe
Token: SeShutdownPrivilege	2604	explorer.exe
Token: SeShutdownPrivilege	2604	explorer.exe
Token: SeShutdownPrivilege	2604	explorer.exe
Token: SeShutdownPrivilege	2604	explorer.exe
Token: SeShutdownPrivilege	2604	explorer.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

jokewarehydra.exewalliant.tmpwin7recovery.exeexplorer.exe

pid	process
2752	jokewarehydra.exe
1468	walliant.tmp
2752	jokewarehydra.exe
956	win7recovery.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
956	win7recovery.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

explorer.exe

pid	process
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe
2604	explorer.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

mspaint.exe@[email protected]@[email protected]explorer.exe@[email protected]explorer.exe@[email protected]

pid	process
2480	mspaint.exe
2480	mspaint.exe
2480	mspaint.exe
2480	mspaint.exe
776	@[email protected]
776	@[email protected]
408	@[email protected]
408	@[email protected]
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2668	explorer.exe
2968	@[email protected]
2968	@[email protected]
2604	explorer.exe
2604	explorer.exe
2452	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

yfga_game.execmd.execmd.exewalliant.exe

description	pid	process	target process
PID 2180 wrote to memory of 2300	2180	yfga_game.exe	cmd.exe
PID 2180 wrote to memory of 2300	2180	yfga_game.exe	cmd.exe
PID 2180 wrote to memory of 2300	2180	yfga_game.exe	cmd.exe
PID 2180 wrote to memory of 2300	2180	yfga_game.exe	cmd.exe
PID 2300 wrote to memory of 2816	2300	cmd.exe	screenscrew.exe
PID 2300 wrote to memory of 2816	2300	cmd.exe	screenscrew.exe
PID 2300 wrote to memory of 2816	2300	cmd.exe	screenscrew.exe
PID 2300 wrote to memory of 2816	2300	cmd.exe	screenscrew.exe
PID 2300 wrote to memory of 2860	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2860	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2860	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2860	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2744	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2744	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2744	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2744	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2420	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2420	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2420	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2420	2300	cmd.exe	cmd.exe
PID 2300 wrote to memory of 2716	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2716	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2716	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2716	2300	cmd.exe	takeown.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2152	2300	cmd.exe	walliant.exe
PID 2300 wrote to memory of 2936	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2936	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2936	2300	cmd.exe	icacls.exe
PID 2300 wrote to memory of 2936	2300	cmd.exe	icacls.exe
PID 2420 wrote to memory of 2752	2420	cmd.exe	jokewarehydra.exe
PID 2420 wrote to memory of 2752	2420	cmd.exe	jokewarehydra.exe
PID 2420 wrote to memory of 2752	2420	cmd.exe	jokewarehydra.exe
PID 2420 wrote to memory of 2752	2420	cmd.exe	jokewarehydra.exe
PID 2300 wrote to memory of 2900	2300	cmd.exe	xcopy.exe
PID 2300 wrote to memory of 2900	2300	cmd.exe	xcopy.exe
PID 2300 wrote to memory of 2900	2300	cmd.exe	xcopy.exe
PID 2300 wrote to memory of 2900	2300	cmd.exe	xcopy.exe
PID 2420 wrote to memory of 3012	2420	cmd.exe	WScript.exe
PID 2420 wrote to memory of 3012	2420	cmd.exe	WScript.exe
PID 2420 wrote to memory of 3012	2420	cmd.exe	WScript.exe
PID 2420 wrote to memory of 3012	2420	cmd.exe	WScript.exe
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2152 wrote to memory of 1468	2152	walliant.exe	walliant.tmp
PID 2300 wrote to memory of 1880	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 1880	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 1880	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 1880	2300	cmd.exe	reg.exe
PID 2300 wrote to memory of 1032	2300	cmd.exe	taskkill.exe
PID 2300 wrote to memory of 1032	2300	cmd.exe	taskkill.exe
PID 2300 wrote to memory of 1032	2300	cmd.exe	taskkill.exe
PID 2300 wrote to memory of 1032	2300	cmd.exe	taskkill.exe
PID 2300 wrote to memory of 1700	2300	cmd.exe	taskkill.exe
PID 2300 wrote to memory of 1700	2300	cmd.exe	taskkill.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

win7recovery.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	win7recovery.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	win7recovery.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2844 attrib.exe
2596 attrib.exe

pid	process
2844	attrib.exe
2596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\yfga_game.exe
"C:\Users\Admin\AppData\Local\Temp\yfga_game.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\YFGA.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\screenscrew.exe
screenscrew.exe
3⤵
- Executes dropped EXE
PID:2816

C:\Windows\SysWOW64\takeown.exe
takeown C:\Windows\System32\logonui.exe Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2860

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\System32\logonui.exe Grant:\Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K hydra.cmd
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\jokewarehydra.exe
jokewarehydra.exe
4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2752

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\annoy3.vbs"
4⤵
PID:3012

C:\Windows\SysWOW64\takeown.exe
takeown C:\Windows\Boot\Fonts\* Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2716

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\walliant.exe
walliant.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\is-PD6HO.tmp\walliant.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PD6HO.tmp\walliant.tmp" /SL5="$3020E,4511977,830464,C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\walliant.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1468

C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe
"C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\icacls.exe
icacls C:\Windows\Boot\Fonts\* Grant:\Admin
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2936

C:\Windows\SysWOW64\xcopy.exe
xcopy C:\Windows\Fonts\seguisym.ttf C:\Windows\Boot\Fonts\segoe_slboot.ttf /y
3⤵
- Drops file in Windows directory
- Enumerates system info in registry
PID:2900

C:\Windows\SysWOW64\reg.exe
reg import reg.reg
3⤵
- Sets desktop wallpaper using registry
PID:1880

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im fontdrvhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im TextInputhost.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:1748

C:\Windows\SysWOW64\shutdown.exe
shutdown /r /t 30000 /c "HAHA I HACKED YOU AYFGA ROCKS YOU"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K spam.bat "forkbomb" /min
3⤵
PID:2192

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\annoy.vbs"
4⤵
PID:1768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\SysWOW64\timeout.exe
timeout 5
3⤵
- Delays execution with timeout.exe
PID:1076

C:\Windows\SysWOW64\shutdown.exe
shutdown /a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Windows\SysWOW64\timeout.exe
timeout 2
3⤵
- Delays execution with timeout.exe
PID:2372

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\win7recovery.exe
win7recovery.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- System policy modification
PID:956

C:\ProgramData\WbVhxCIDDK.exe
"C:\ProgramData\WbVhxCIDDK.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\timeout.exe
timeout 12
3⤵
- Delays execution with timeout.exe
PID:688

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:684

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im explorer.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im taskmgr.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im WScript.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\shutdown.exe
shutdown /a
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\useroverflow.exe
useroverflow.exe
3⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\programoverflow.exe
programoverflow.exe
3⤵
- Executes dropped EXE
PID:376

C:\Windows\SysWOW64\notepad.exe
notepad.exe
3⤵
PID:1600

C:\Windows\SysWOW64\regedit.exe
regedit.exe
3⤵
- Runs regedit.exe
PID:2692

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\SysWOW64\charmap.exe
charmap.exe
3⤵
PID:3068

C:\Windows\SysWOW64\timeout.exe
timeout 21
3⤵
- Delays execution with timeout.exe
PID:1492

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
PID:1796

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\wannacryptor.exe
wannacryptor.exe
3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Sets desktop wallpaper using registry
PID:2468

C:\Windows\SysWOW64\attrib.exe
attrib +h .
4⤵
- Views/modifies file attributes
PID:2844

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2776

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\taskdl.exe
taskdl.exe
4⤵
- Executes dropped EXE
PID:1772

C:\Windows\SysWOW64\cmd.exe
cmd /c 88591721032684.bat
4⤵
PID:2920

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
5⤵
- Loads dropped DLL
PID:2756

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
4⤵
- Views/modifies file attributes
PID:2596

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\@[email protected]
@[email protected] co
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:776

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
4⤵
- Loads dropped DLL
PID:684

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\@[email protected]
@[email protected] vs
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:408

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
6⤵
PID:840

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
7⤵
- Interacts with shadow copies
PID:1224

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "loxtqdbrvjwnha527" /t REG_SZ /d "\"C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\tasksche.exe\"" /f
4⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "loxtqdbrvjwnha527" /t REG_SZ /d "\"C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\tasksche.exe\"" /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:2296

C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\@[email protected]
@[email protected]
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\SysWOW64\timeout.exe
timeout 72
3⤵
- Delays execution with timeout.exe
PID:2936

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

Filesize
681B

MD5
d3195201cf95a81365fee344b145a753

SHA1
c90ac45af41cb163d3d256a2ff90428c308a0311

SHA256
35d2625dc46f7546314c8db095685d2a4cf53794378fc789c11f06e0c898b6bc

SHA512
5fea23a4f909b43025914b9e785bf546dcb65812b25367e29ff3f1ff74d868a4295481764c61a99247d512346fad7ab2126a13c813e5a902794e6fe0683a1986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d05486accf7dc2e1594a8ae6b0a8f46e

SHA1
816d599e9d4953007a700e012159c2f23341fa15

SHA256
82d4a319f4a2089cbba74e8aa8fa3bf06ac0e39347b44cd4f25cdf1adaec66a9

SHA512
0735cb57cb00ebda2687810b4785335ee8d2a7b94d28718d631e2ccc178d22473e8e39d5f0b9650ac8006f195971a6dedcca4b4175021aaf221d07347badc5dc

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\sdk.dll

Filesize
11.3MB

MD5
fddc7534f3281feb4419da7404d89b4c

SHA1
19bdefc2c9e0abd03fe5ee4fad9c813a837f844f

SHA256
f13da9813fa11b81ee4180794cbad2b280422716a080bf4c0791996be7f7908e

SHA512
c5428179dc222366234125bd78f63a9350c9329e4d46646bb3361de143974d261bd7a8df6155bc7ef46ad3725302837f4769a26459b8b4b5b5304a810303b1ea

Download Submit
C:\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe.config

Filesize
1KB

MD5
b492287271363085810ef581a1be0fa3

SHA1
4b27b7d87e2fdbdda530afcda73784877cc1a691

SHA256
a5fcca5b80f200e9a3ff358d9cac56a0ffabb6f26d97da7f850de14f0fb2709e

SHA512
859fa454d8a72771038dc2ff9e7ec3905f83a6a828cc4fc78107b309bdcd45724c749357011af978163f93e7096eb9e9419e3258ea9bd6b652154fe6dd01d036

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe_Flash_Player.exe

Filesize
114B

MD5
d725d85cc5f30c0f695b03a9e7d0c4c0

SHA1
131b68adcddb7ff3b3ce9c34c5277eb5d673f610

SHA256
4d4588c42fa8df0ea45ad48aca4511bb4286f0deaa41fdf188c3b7ab9e1b698a

SHA512
01f270a15aa10e60e14ac140ccb54e38cf8e57833ef1c0db7d36688a93ecdc0a59ecf9ead9366a5920faac7e28a2e0ee03759eb0fa92d455abc72f406fe8775b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE967.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\88591721032684.bat

Filesize
412B

MD5
1408557031e348d2c9ee3697baa11aea

SHA1
6d13f3850f063182d21b8615771ae7d65fc5d36c

SHA256
e5fcc094696cd1ca12c8ee858a48206c6ff56451e7aff21aea47da29e7af47d7

SHA512
93fb80231aece547e7b69d6eda063a3d7cc49ed91082dec941c59990d47e1c85b68159c887a99eb369c3774db088dc0a10cacfd322b821acb7f0511a76678ba4

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\YFGA.bat

Filesize
1KB

MD5
f873c699ec012043f77d010d1afdf4d3

SHA1
0bb939611a1f8ea947b36c3fd7fa24c28b945194

SHA256
5a27f0b4f20f2f25b188bfdd5d12e92a72fa33235036d32b5b6097ac362d21b7

SHA512
4029adcd513a20c106418c0a25277be965661c26839bc2b20d4c2274f0044b84dc40dea94f1a5a24cb1c416ff379e82223a767fbe163d304e4c8196b33d680e0

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\annoy.vbs

Filesize
50B

MD5
3167d161336cbd296dc579d2295b0f22

SHA1
53253e5841e6a7a7a1b8bd08378af0a96b2f9a98

SHA256
307879bf0d9bec07bab240b5010434801fbee520c99c5a617e8ac630f42dde80

SHA512
62af8fa0c9a30ec6aa9b552fcac1879af1f00f5ceb48a77718b2a8e042e3524e2cd299f26fcde31ad8abf2dcb94d15cf45ecbce0bd5f9f93f44aca6327aa53ea

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\annoy2.vbs

Filesize
44B

MD5
9a2ccbd3e2f1a2382fed7674c28dd086

SHA1
b466bdd2079575c938de65285f02739143ecb170

SHA256
4519cd5997afce27129ef943f121972f7b0b34aa018e4dd408892fc5c39bb59e

SHA512
8929493211c17a8e99b908a8305dbebe2d96e1b54426e89ddba84c2010a86d7f6d0983080f29fa1ab7a0687d536c0546278b9fffe4560d84e4012f243f344d78

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\annoy3.vbs

Filesize
56B

MD5
19cf22e8d63e787913b6617542211e19

SHA1
8c3d2f43025e5c4ef70e0c4d1f36692361f51b1f

SHA256
dbec312d736f8a56f94ace99986d95d4355ef644a2fd908da1ff4c8b0a003979

SHA512
8b9d192dd7f175e63aebcdfc8426876fa8bf3ae00d3cf10bb8fcf0d0c262b906de28784f5b97141f656e87bb548d343b8d5a127c06ecb407289e91f3fc199608

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\hydra.cmd

Filesize
47B

MD5
5e578014c7017a85ca32f0b7e5d7df7f

SHA1
c88d8e7179fcc070d4419be9f4d8647354c2f6ed

SHA256
a964a717e3c47cb7d274e98928ca1271377d0d76a8908448e1b70e63af4082ad

SHA512
7eb206b0cbc2a9b744246d8a83b2fccc70204c6e777b0fcbb838e63d477fe047d8827f3c0de823d55b9ab5cba2ab572ff3f543f76a3451fa81b31584cc767106

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\jokewarehydra.exe

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\programoverflow.exe

Filesize
566KB

MD5
c4aab3b24b159148d6d47a9e5897e593

SHA1
7061c2e85de9f3fd51cccdecb8965f1e710d1fe5

SHA256
03a4d3563a7519542c662b5fd5d61215f3d76a3902717efe11230292ea4bbafc

SHA512
9bc522ff0d598a1f1425a09a2794584c4991a99bc382b0ee9135311950cdbf2f5331ae041a4b01052735b5fae3a2763ea1b5c01ce679b07fba73c6f75cb4c252

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\reg.reg

Filesize
25KB

MD5
aebe09cd7095ec201dc8acc350443242

SHA1
df7337e051bd02e1fdd4005b63ed45b8ca3d9726

SHA256
405d47dca73a5d6180db42e90c35931047c666ed1f1d6fab5ead6110c2356cc7

SHA512
ffc658faf04fee47c1284d439a4c5b3931d2f9bcac9b40e36f59ad0ed4917f0252e639284f817ca84a6da57552f8e0fdf96936987c3f5cf689a537e42b47288d

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\screenscrew.exe

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\spam.bat

Filesize
158B

MD5
4af4ab45205580fecf659dd857522f6b

SHA1
78ec5ff7647ca56d8c8d72b4da551efa86e53675

SHA256
b997f3a0d79493418f3e9da03dd95aea6b45b8a8c454e8e7d1f06de3ad3e1111

SHA512
f77c7b4d034def85c363805fe625aefb4e461770418f9015d4d5241fb8d09707b9918d54e9b2cc35d06008097174cdda0bee9702466fe7e097014794fe4d77cb

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\walliant.exe

Filesize
5.0MB

MD5
929335d847f8265c0a8648dd6d593605

SHA1
0ff9acf1293ed8b313628269791d09e6413fca56

SHA256
6613acb18cb8bf501fba619f04f8298e5e633cb220c450212bbc9dd2bef9538d

SHA512
7c9a4d1bec430503cc355dc76955d341e001b06196d4b508cc35d64feb2e8ba30e824e7c3a11c27135d7d99801f45f62a5b558563b4c78f89f5d156a929063fd

Download Submit
C:\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\wannacryptor.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\AsyncBridge.Net35.dll

Filesize
23KB

MD5
35cbdbe6987b9951d3467dda2f318f3c

SHA1
c0c7bc36c2fb710938f7666858324b141bc5ff22

SHA256
e4915f18fd6713ee84f27a06ed1f6f555cdbebe1522792cf4b4961664550cf83

SHA512
e1f456f0b4db885f8475d2837f32f31c09f4b303c118f59be4786cf4303a31a2d3004656a3fcfbbf354326ed404afcb4d60966bca04a5e5de8fb8feaf581bce7

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\Countly.dll

Filesize
114KB

MD5
bf6a0f5d2d5f54ceb5b899a2172a335b

SHA1
e8992a9d4aeb39647b262d36c1e28ac14702c83e

SHA256
32ef07a1a2954a40436d625814d0ce0e04f4a45e711beebc7e159d4c1b2556b6

SHA512
49a093345160b645209f4fc806ae67a55ff35e50f54c9fa7ec49d153743e448db9c2fafae61659165d0082fabc473c3e7d47573a481161ddb4c9b5fdd079fc90

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\Newtonsoft.Json.dll

Filesize
495KB

MD5
283544d7f0173e6b5bfbfbc23d1c2fb0

SHA1
3e33b2ef50dac60b7411a84779d61bdb0ed9d673

SHA256
9165e595b3a0de91ac91a38e742597e12ebb2a5a8fa53058d964a06ceaef7735

SHA512
150b45cd43dc5cf191c85524c15dea09fbb48766ad802851270eaacfd73f3d097fef8dcf0ea042184220e7bc71413677d88a206d8bbe60374986e4789054040b

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\SharpRaven.dll

Filesize
72KB

MD5
c1a31ab7394444fd8aa2e8fe3c7c5094

SHA1
649a0915f4e063314e3f04d284fea8656f6eb62b

SHA256
64b7231eda298844697d38dd3539bd97fe995d88ae0c5e0c09d63a908f7336c4

SHA512
3514a69552dd1e1b63a235d7e3a1e982a72a9741ade4a931fc8d8e61f402228ad3243be9321d87fdefdfe137fc357925a931966266ec58c19296adb210be9b0e

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\System.Threading.dll

Filesize
378KB

MD5
f5ee17938d7c545bf62ad955803661c7

SHA1
dd0647d250539f1ec580737de102e2515558f422

SHA256
8a791af9e3861e231662b657098a823b21a084cbb6a4901d6ccf363405849a78

SHA512
669a89ad811cda4f3ff4aa318aa03e26e4cb41ea22bc321bad02a671273d867cbd223a64bb30da592a5484a9f1cec77c96f5bf63b1fe586b6d3688b8c9da530c

Download Submit
\Users\Admin\AppData\Local\Programs\Walliant\walliant.exe

Filesize
257KB

MD5
60d3737a1f84758238483d865a3056dc

SHA1
17b13048c1db4e56120fed53abc4056ecb4c56ed

SHA256
3436c29dec2c7f633f4766acaf334f6c395d70ea6180c0ea7c1610591d5d89b9

SHA512
d34f42b59349f3be1ac39a57207f616a44f56a6c74157be8116fff5df75275928065065a89f10bd79849e58b14d1e5e0ea156be5996ff8ca4f5d854e107c96fe

Download Submit
\Users\Admin\AppData\Local\Temp\is-PD6HO.tmp\walliant.tmp

Filesize
2.5MB

MD5
62e5dbc52010c304c82ada0ac564eff9

SHA1
d911cb02fdaf79e7c35b863699d21ee7a0514116

SHA256
bd54ad7a25594dc823572d9b23a3490ff6b8b1742a75e368d110421ab08909b2

SHA512
b5d863ea38816c18f7778ef12ea4168ceb0dae67704c0d1d4a60b0237ca6e758c1dfc5c28d4fc9679b0159de25e56d5dfff8addacd7a9c52572674d90c424946

Download Submit
\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\useroverflow.exe

Filesize
578KB

MD5
533d78fdd538bbeee31fb0b72a8cfb7c

SHA1
cb0e46804e784525f5bece40d51772bbdd9a5dc4

SHA256
b7a4fcc7f474c091edc09349af5e53915d23f14071d78a3026c92c49d2467989

SHA512
85e393cbdd2b20da8892173c7951ddf8e75dbfa29cf81fa725a2da56e606b848ea8a6636528d4fe26eca5e6b251406ec870242fe0d44e7863bf22c739d7759d5

Download Submit
\Users\Admin\Desktop\yfga_game_61122aff-4bca-4cf6-9e67-75dff366e467\win7recovery.exe

Filesize
467KB

MD5
ab65e866abc51f841465d19aba35fb14

SHA1
ec79f1f511a199291b0893bc866a788ceac19f6e

SHA256
2ac0ca4ffda10b1861dd4ae0c2f0131a6400214cb4f5fa33951f3062b784a755

SHA512
2474905f174635b236e5f6e8f8c497e44435c94edd02ec47d3440c9a216f6840d040e6acc5fe2ec301ada80467f6cf55225d6361c1e7c6c6c7edccb9e7b5a35e

Download Submit
memory/376-315-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/376-306-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/956-295-0x0000000000600000-0x0000000000678000-memory.dmp

Filesize
480KB

Download
memory/956-97-0x0000000000600000-0x0000000000678000-memory.dmp

Filesize
480KB

Download
memory/1468-252-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/1468-189-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/1468-92-0x0000000000400000-0x000000000068E000-memory.dmp

Filesize
2.6MB

Download
memory/2080-294-0x000000006CC30000-0x000000006D72A000-memory.dmp

Filesize
11.0MB

Download
memory/2152-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2152-253-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2152-91-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2180-2-0x0000000000370000-0x0000000000394000-memory.dmp

Filesize
144KB

Download
memory/2180-0-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2180-3-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-1-0x0000000000100000-0x000000000018C000-memory.dmp

Filesize
560KB

Download
memory/2180-133-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2180-190-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2180-1332-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2300-1246-0x0000000002740000-0x0000000002989000-memory.dmp

Filesize
2.3MB

Download
memory/2300-303-0x0000000002740000-0x0000000002990000-memory.dmp

Filesize
2.3MB

Download
memory/2300-305-0x0000000002740000-0x0000000002989000-memory.dmp

Filesize
2.3MB

Download
memory/2300-1239-0x0000000002740000-0x0000000002990000-memory.dmp

Filesize
2.3MB

Download
memory/2468-388-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2668-395-0x0000000003B10000-0x0000000003B20000-memory.dmp

Filesize
64KB

Download
memory/2752-57-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/2788-1299-0x000000006F710000-0x000000006F792000-memory.dmp

Filesize
520KB

Download
memory/2788-1312-0x0000000073890000-0x00000000738AC000-memory.dmp

Filesize
112KB

Download
memory/2788-1347-0x000000006EE50000-0x000000006F06C000-memory.dmp

Filesize
2.1MB

Download
memory/2788-1323-0x0000000000F10000-0x000000000120E000-memory.dmp

Filesize
3.0MB

Download
memory/2788-1315-0x000000006EDC0000-0x000000006EE42000-memory.dmp

Filesize
520KB

Download
memory/2788-1311-0x000000006F710000-0x000000006F792000-memory.dmp

Filesize
520KB

Download
memory/2788-1343-0x0000000000F10000-0x000000000120E000-memory.dmp

Filesize
3.0MB

Download
memory/2788-1313-0x000000006F2D0000-0x000000006F347000-memory.dmp

Filesize
476KB

Download
memory/2788-1327-0x000000006EE50000-0x000000006F06C000-memory.dmp

Filesize
2.1MB

Download
memory/2788-1302-0x00000000737F0000-0x0000000073812000-memory.dmp

Filesize
136KB

Download
memory/2788-1303-0x0000000000F10000-0x000000000120E000-memory.dmp

Filesize
3.0MB

Download
memory/2788-1301-0x000000006EDC0000-0x000000006EE42000-memory.dmp

Filesize
520KB

Download
memory/2788-1300-0x000000006EE50000-0x000000006F06C000-memory.dmp

Filesize
2.1MB

Download
memory/2788-1314-0x000000006EE50000-0x000000006F06C000-memory.dmp

Filesize
2.1MB

Download
memory/2788-1310-0x0000000000F10000-0x000000000120E000-memory.dmp

Filesize
3.0MB

Download
memory/2788-1316-0x00000000737F0000-0x0000000073812000-memory.dmp

Filesize
136KB

Download
memory/2816-293-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2816-1308-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-90-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-313-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-1319-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-324-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-187-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-1334-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2816-29-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2816-504-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2964-304-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download
memory/2964-317-0x0000000000400000-0x0000000000650000-memory.dmp

Filesize
2.3MB

Download